GHSA-mpjm-v997-c4h4

Source

https://github.com/advisories/GHSA-mpjm-v997-c4h4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-mpjm-v997-c4h4/GHSA-mpjm-v997-c4h4.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-mpjm-v997-c4h4

Aliases

CVE-2021-39184

Related

CVE-2021-39184

Published

2021-10-12T21:59:13Z

Modified

2023-11-01T04:56:05.023045Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API

Details

Impact

This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.

All current stable versions of Electron are affected.

Patches

This was fixed with #30728, and the following Electron versions contain the fix:

15.0.0-alpha.10
14.0.0
13.3.0
12.1.0
11.5.0

Workarounds

If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.

Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:

delete require('electron').nativeImage.createThumbnailFromPath

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Database specific

{
    "nvd_published_at": "2021-10-12T19:15:00Z",
    "github_reviewed_at": "2021-10-12T18:54:44Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-668",
        "CWE-862"
    ]
}

References

Affected packages

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

11.5.0