electron-updater@2.17.0 vulnerabilities
Cross platform updater for electron applications
-
latest version
6.3.9
-
latest non vulnerable version
-
first published
10 years ago
-
latest version published
2 months ago
-
licenses detected
- >=0
Direct Vulnerabilities
Known vulnerabilities in the electron-updater package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
electron-updater is a module allowing applications to implement auto-update functionality. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature through the Note: This is only exploitable on Windows. How to fix Improper Verification of Cryptographic Signature? Upgrade |
<6.3.0-alpha.6
|
electron-updater is a module allowing applications to implement auto-update functionality. Affected versions of this package are vulnerable to Signature Validation Bypass. The signature verification check is based on a string comparison between the installed binary’s Using a filename containing a backtick (`), among other symbols and a matching hash, an attacker could bypass the entire signature verification by triggering a parse error in the script. This can be leveraged to force a malicious update on Windows clients, effectively gaining code execution and persistence capabilities. Exploitation of this vulnerability requires the attacker to also have control over the update server, or alternatively a man-in-the-middle. A partial fix has been made available, blacklisting a small set of characters, but there are additional characters that can be used to exploit this vulnerability. How to fix Signature Validation Bypass? Upgrade |
<4.3.1
|
electron-updater is a module allowing applications to implement auto-update functionality. Affected versions of this package are vulnerable to Signature Validation Bypass. The signature verification check is based on a string comparison between the installed binary’s Using a filename containing a single quote and a matching hash, an attacker could bypass the entire signature verification by triggering a parse error in the script. This can be leveraged to force a malicious update on Windows clients, effectively gaining code execution and persistence capabilities. Exploitation of this vulnerability requires the attacker to also have control over the update server, or alternatively a man-in-the-middle. How to fix Signature Validation Bypass? Upgrade |
<4.2.2
|