CVE-2024-39698

{"id": "CVE-2024-39698", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2024-07-09T18:15:10.863", "references": [{"url": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/electron-userland/electron-builder/pull/8295", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/electron-userland/electron-builder/pull/8295", "tags": ["Issue Tracking", "Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-154"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "electron-updater allows for automatic updates for Electron apps. The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by `cmd.exe` expands any environment variable found in command-line above. This creates a situation where `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid. This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.). The patch is available starting from 6.3.0-alpha.6."}, {"lang": "es", "value": "electron-updater permite actualizaciones autom\u00e1ticas para las aplicaciones de Electron. El archivo `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implementa la rutina de validaci\u00f3n de firmas para aplicaciones Electron en Windows. Debido al shell circundante, un primer paso por `cmd.exe` expande cualquier variable de entorno que se encuentre en la l\u00ednea de comandos anterior. Esto crea una situaci\u00f3n en la que se puede enga\u00f1ar a `verifySignature()` para que valide el certificado de un archivo diferente al que se acaba de descargar. Si el paso tiene \u00e9xito, la actualizaci\u00f3n maliciosa se ejecutar\u00e1 incluso si su firma no es v\u00e1lida. Este ataque supone un manifiesto de actualizaci\u00f3n comprometido (compromiso del servidor, ataque Man-in-the-Middle si se obtiene a trav\u00e9s de HTTP, Cross Site Scripting para apuntar la aplicaci\u00f3n a un servidor de actualizaci\u00f3n malicioso, etc.). El parche est\u00e1 disponible a partir de 6.3.0-alpha.6."}], "lastModified": "2024-11-21T09:28:14.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:electron:electron-builder:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "F77447F6-4E3F-468E-BBBB-AB248C06CF1B", "versionEndExcluding": "6.3.0"}, {"criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha0:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "801B3F79-555D-4FCB-B854-227E8D3FDD9E"}, {"criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3B939D2F-400E-478C-8F45-568D5B7C5756"}, {"criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "4ECAF72F-A2E1-4D12-9797-CA1461931579"}, {"criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E03022BB-203E-4750-BCD1-493971C95559"}, {"criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "587F242D-22D2-4BE6-BCF0-87C2865546E0"}, {"criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "116D170A-CD87-484A-864E-5CA0D198C947"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}