Lucene search

[email protected]NVD:CVE-2023-49314

HistoryNov 28, 2023 - 3:15 p.m.

CVE-2023-49314

2023-11-2815:15:07

CWE-94

[email protected]

web.nvd.nist.gov

cve-2023-49314

electron fuses

inadequate protection

code injection

r3ggi/electroniz3r

attack

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.

Affected configurations

Nvd

Node

asanadesktopMatch2.1.0

AND

applemacosMatch-

VendorProductVersionCPE
asanadesktop2.1.0cpe:2.3:a:asana:desktop:2.1.0:*:*:*:*:*:*:*
applemacos-cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
asana	desktop	2.1.0	cpe:2.3:a:asana:desktop:2.1.0:::::::*
apple	macos	-	cpe:2.3:o:apple:macos:-:::::::*

References

asana.com/pt/download

github.com/electron/fuses

github.com/louiselalanne/CVE-2023-49314

github.com/r3ggi/electroniz3r

www.electronjs.org/blog/statement-run-as-node-cves

www.electronjs.org/docs/latest/tutorial/fuses

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

Related for NVD:CVE-2023-49314

prion1 cvelist1 cve1