CVE-2024-29900

HIGH7.5

@electron/packager's build process memory potentially leaked into final executable

Published Mar 29, 2024

Modified 1 years ago

No fix available

Details

Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory could contain sensitive information such as environment variables, secrets files, etc. This issue is patched in 18.3.1.

References

WEBhttps://github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee WEBhttps://github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2024-29900

CVSS Analysis

CVSS v3.1

7.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

NoneI:N

Availability

NoneA:N

7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weakness Type (CWE)

Other

CWE-402

Ecosystems

Timeline

PublishedMar 29, 2024

ModifiedAug 2, 2024