Affected versions of electron-packager
configure the generated application to disable SSL certificate verification by default.
This could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where electron-packager downloads Electron for supported target platforms and architectures, and replacing the valid download with a tampered malicious one.
This only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API.
electron-download
cache folder, which is by default located at ~/.electron
.CPE | Name | Operator | Version |
---|---|---|---|
electron-packager | ge | 5.2.1 <= 6.0.0 || >=6.0.0 <= 6.0.2 |