CVE-2022-36077 (High) detected in electron-13.6.6.tgz #1410
Labels: Mend: dependency security vulnerability (Security vulnerability detected by WhiteSource)
Timeline:
Nov 11, 2022: mend-for-github-com bot added the label "Mend: dependency security vulnerability".
Jan 4, 2023 (twice), Jan 5, Jan 6, Jan 31, Feb 1 (four times), Feb 2, Feb 4, Feb 20, Apr 25, May 5, Jun 21, Jun 30, Aug 2, Aug 9, Aug 18 and Aug 19, 2023: mend-for-github-com bot changed the title back and forth between "CVE-2022-36077 (Medium) detected in electron-13.6.6.tgz" and "CVE-2022-36077 (Medium) detected in electron-19.0.3.tgz" (20 changes in total, ending on electron-13.6.6.tgz).
Sep 21, 2024: mend-for-github-com bot changed the title from "CVE-2022-36077 (Medium) detected in electron-13.6.6.tgz" to "CVE-2022-36077 (High) detected in electron-13.6.6.tgz".
CVE-2022-36077 - High Severity Vulnerability
Vulnerable Library - electron-13.6.6.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-13.6.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as file://some.website.com/, then in some cases Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials. This issue has been patched in versions 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7. Users are recommended to upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents, as a workaround.
Publish Date: 2022-11-08
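The will-redirect workaround described above, written out as an added example (not code from the advisory or from the Electron project): a guard that cancels any redirect whose target is a file:// URL and is attached to every WebContents the app creates. The names isFileRedirect, attachRedirectGuard and installRedirectGuard are chosen here, and the handler assumes the (event, url, ...) signature of Electron 13's will-redirect event.

```javascript
// Added example, not code from the advisory or from Electron: block redirects
// whose target is a file:// URL, the workaround the advisory describes.
// Names (isFileRedirect, attachRedirectGuard, installRedirectGuard) are chosen
// here; the handler assumes Electron's (event, url, ...) will-redirect signature.

// Decide whether a redirect target must be refused. Fails closed: a target
// that does not parse as a URL is treated as blocked, since only well-formed
// http(s)/custom-scheme targets are legitimate redirect destinations here.
function isFileRedirect(targetUrl) {
  let parsed;
  try {
    parsed = new URL(String(targetUrl));
  } catch (err) {
    return true;
  }
  // URL normalises the scheme to lower case, so FILE:// and file:// both match.
  return parsed.protocol === 'file:';
}

// Attach the guard to one WebContents. preventDefault() on the will-redirect
// event cancels the navigation before Chromium follows the redirect, so the
// OS never gets the chance to open an SMB connection to the target host.
// onBlocked (optional) receives the refused URL, e.g. for logging.
function attachRedirectGuard(contents, onBlocked) {
  contents.on('will-redirect', (event, url) => {
    if (isFileRedirect(url)) {
      event.preventDefault();
      if (onBlocked) onBlocked(url);
    }
  });
}

// Apply the guard to every WebContents the app creates (main process).
// 'web-contents-created' fires for BrowserWindows, webviews and popups alike,
// which is what "for all WebContents" in the advisory requires.
function installRedirectGuard(app, onBlocked) {
  app.on('web-contents-created', (_event, contents) => {
    attachRedirectGuard(contents, onBlocked);
  });
}
```

In a real main process this is wired up once, as `installRedirectGuard(app, url => console.warn('blocked redirect to', url))`, before any window is created.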
URL: CVE-2022-36077
CVSS 3 Score Details (7.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-p2jh-44qj-pf2v
Release Date: 2022-11-08
Fix Resolution: electron - 18.3.7,19.0.11,20.0.1