Description

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Remediation

References

https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824

https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79

Related Vulnerabilities

CVE-2019-10401 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-41251 Vulnerability in maven package org.jenkins-ci.plugins:apprenda

CVE-2022-3423 Vulnerability in npm package nocodb

CVE-2023-32070 Vulnerability in maven package org.xwiki.platform:xwiki-core-rendering-api

CVE-2023-49798 Vulnerability in npm package @openzeppelin/contracts

Severity

Critical

Classification

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Tags

Release Notes Vendor Advisory Third Party Advisory NVD-CWE-Other