GHSA-fjqr-fx3f-g4rv

Source

https://github.com/advisories/GHSA-fjqr-fx3f-g4rv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/03/GHSA-fjqr-fx3f-g4rv/GHSA-fjqr-fx3f-g4rv.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-fjqr-fx3f-g4rv

Aliases

CVE-2018-1000118

Published

2018-03-26T16:41:20Z

Modified

2023-11-01T04:48:33.577379Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Electron protocol handler browser vulnerable to Command Injection

Details

Github Electron version Electron 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in Protocol Handler that can result in command execute. This attack appear to be exploitable via the victim opening an electron protocol handler in their browser. This vulnerability appears to have been fixed in Electron 1.8.2-beta.5. This issue is due to an incomplete fix for CVE-2018-1000006, specifically the black list used was not case insensitive allowing an attacker to potentially bypass it.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T21:34:50Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-78"
    ]
}

References

Affected packages

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.2-beta5

Database specific

{
    "last_known_affected_version_range": "<= 1.8.2-beta4"
}