CVE-2020-15096

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.

CVSS v3 6.8 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrg	Third Party Advisory
https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824	Release Notes Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:electronjs:electron::::::::
	cpe:2.3:a:electronjs:electron::::::::
	cpe:2.3:a:electronjs:electron::::::::
	cpe:2.3:a:electronjs:electron:9.0.0:-::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta1::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta10::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta11::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta12::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta13::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta14::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta15::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta16::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta17::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta18::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta19::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta2::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta20::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta3::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta4::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta5::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta6::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta7::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta8::::::
	cpe:2.3:a:electronjs:electron:9.0.0:beta9::::::

History

No history.

Information

Published : 2020-07-07 00:15

Updated : 2020-07-10 19:49

NVD link : CVE-2020-15096

Mitre link : CVE-2020-15096

CVE.ORG link : CVE-2020-15096

JSON object : View

Products Affected

electronjs

electron

CWE

NVD-CWE-Other CWE-501

Trust Boundary Violation

6.8 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2020-15096

6.8^/10

4.0^/10

Attach tags to `CVE-2020-15096`