Improper Data Handling Affecting electron/electron package, versions [1.7.0,1.7.13)(1.8.0,1.8.4)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
1.01% (85th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-ELECTRONELECTRON-2370577
  • published26 Jan 2022
  • disclosed23 Mar 2018
  • creditUnknown

Introduced: 23 Mar 2018

CVE-2018-1000136  (opens in a new tab)
CWE-19  (opens in a new tab)

How to fix?

Upgrade electron/electron to version 1.7.13, 1.8.4 or higher.

Overview

Affected versions of this package are vulnerable to Improper Data Handling. Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.

References

CVSS Scores

version 3.1