Path to vulnerable library: /app/node_modules/@types/electron-clipboard-extended/node_modules/electron/package.json,/node_modules/@types/electron-clipboard-extended/node_modules/electron/package.json
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both `contextIsolation` and `contextBridge` are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
CVE-2020-4077 - High Severity Vulnerability
Vulnerable Library - electron-6.1.12.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-6.1.12.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/@types/electron-clipboard-extended/node_modules/electron/package.json,/node_modules/@types/electron-clipboard-extended/node_modules/electron/package.json
Dependency Hierarchy: - electron-clipboard-extended-1.0.1.tgz (Root Library) - :x: **electron-6.1.12.tgz** (Vulnerable Library)
Found in HEAD commit: e27daa8031a2241fe07aae269c0590e5ca54e409
Found in base branch: main
Vulnerability Details
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both `contextIsolation` and `contextBridge` are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
Publish Date: 2020-07-07
URL: CVE-2020-4077
CVSS 3 Score Details (9.9)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/electron/electron/security/advisories/GHSA-h9jc-284h-533g
Release Date: 2020-07-13
Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21
Step up your Open Source Security Game with WhiteSource here