← Back

CVE-2023-44402

nvd nist
Published: Dec 1, 2023Modified: Nov 21, 2024

JSON object

Loading...
7.0
Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.0 / Impact: 5.9
Source: NVD

Description

Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `.app` bundle on macOS which these fuses are supposed to protect against. There are no app side workarounds, you must update to a patched version of Electron.

Affected (11)

Products: Electronjs: Electron
Electronjs
1 product
Electron
Configuration A
11 vulnerable
Vulnerable SoftwareAffected Versions
Electronjs
Electron
Up to 22.3.24
Electron
From 23.0.0 to 23.3.14
Electron
From 24.0.0 to 24.8.3
Electron
From 25.0.0 to 25.8.1
Electron
From 26.0.0 to 26.2.1
Electron
Version 27.0.0 alpha1
Electron
Version 27.0.0 alpha2
Electron
Version 27.0.0 alpha3
Electron
Version 27.0.0 alpha4
Electron
Version 27.0.0 alpha5
Electron
Version 27.0.0 alpha6

Related CWEs

CWE-345
Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References (6)

Source: security-advisories@github.com
Issue Tracking
Source: security-advisories@github.com
Vendor Advisory
Source: security-advisories@github.com
Product
Source: af854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Product

Timeline

No history available yet.