Lucene search

GoogleOSV:GHSA-34H3-8MW4-QW57

HistoryMar 29, 2024 - 8:16 p.m.

@electron/packager's build process memory potentially leaked into final executable

2024-03-2920:16:22

Google

osv.dev

security vulnerability

memory leak

node.js

@electron/packager

patch

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

9.0%

JSON

Impact

A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory could contain sensitive information such as environment variables, secrets files, etc.

Patches

This issue is patched in 18.3.1

Workarounds

No workarounds, please update to a patched version of @electron/packager immediately if impacated.

References

github.com/electron/packager

github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee

github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57

nvd.nist.gov/vuln/detail/CVE-2024-29900

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

9.0%

JSON

Related for OSV:GHSA-34H3-8MW4-QW57