Все бюллетени/sisyphus/ALT-PU-2020-4237-1
ALT-PU-2020-4237-1

Обновление пакета electron9 в ветке sisyphus

Версия9.0.4-alt1
Задание#254115
Опубликовано2020-06-27
Макс. серьёзностьCRITICAL
Серьёзность:

Закрытые проблемы (8)

CVE-2020-15096
MEDIUM6.8

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.

Опубликовано: 2020-07-07Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS 3.xСРЕДНЯЯ 6.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Ссылки
CVE-2020-4075
HIGH7.5

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Опубликовано: 2020-07-07Изменено: 2024-11-21
CVSS 2.0НИЗКАЯ 2.1
CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ссылки
CVE-2020-4076
CRITICAL9.0

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Опубликовано: 2020-07-07Изменено: 2024-11-21
CVSS 2.0НИЗКАЯ 3.6
CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:N
CVSS 3.xКРИТИЧЕСКАЯ 9.0
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Ссылки
CVE-2020-4077
CRITICAL9.9

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both `contextIsolation` and `contextBridge` are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Опубликовано: 2020-07-07Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 6.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS 3.xКРИТИЧЕСКАЯ 9.9
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Ссылки
GHSA-h9jc-284h-533g
HIGH7.7

Context isolation bypass via contextBridge in Electron

Опубликовано: 2020-07-07Изменено: 2021-01-08
CVSS 3.xВЫСОКАЯ 7.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Ссылки