Lucene search

GitHub Advisory DatabaseGHSA-34H3-8MW4-QW57

HistoryMar 29, 2024 - 8:16 p.m.

@electron/packager's build process memory potentially leaked into final executable

2024-03-2920:16:22

CWE-402

GitHub Advisory Database

github.com

memory leak

node.js

heap memory

final executable

sensitive information

environment variables

secrets files

patch

update

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

9.0%

JSON

Impact

A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory could contain sensitive information such as environment variables, secrets files, etc.

Patches

This issue is patched in 18.3.1

Workarounds

No workarounds, please update to a patched version of @electron/packager immediately if impacated.

Affected configurations

Vulners

Node

electronpackagerMatch18.3.0

VendorProductVersionCPE
electronpackager18.3.0cpe:2.3:a:electron:packager:18.3.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
electron	packager	18.3.0	cpe:2.3:a:electron:packager:18.3.0:::::::*

References

github.com/advisories/GHSA-34h3-8mw4-qw57

github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee

github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57

nvd.nist.gov/vuln/detail/CVE-2024-29900

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for GHSA-34H3-8MW4-QW57