CVE-2024-29900

2024-03-2916:15:08

CWE-402

GitHub_M

web.nvd.nist.gov

electron packager

memory leak

vulnerability

sensitive information

patched

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.4

Confidence

High

EPSS

Percentile

9.0%

JSON

Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory could contain sensitive information such as environment variables, secrets files, etc. This issue is patched in 18.3.1.

Affected configurations

Vulners

Vulnrichment

Node

electronpackager

VendorProductVersionCPE
electronpackager*cpe:2.3:a:electron:packager:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
electron	packager	*	cpe:2.3:a:electron:packager::::::::

CNA Affected

[
  {
    "vendor": "electron",
    "product": "packager",
    "versions": [
      {
        "version": "= 18.3.0",
        "status": "affected"
      }
    ]
  }
]