Lucene search

GoogleOSV:GHSA-R4PF-3V7R-HH55

HistoryMar 04, 2024 - 8:42 p.m.

electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only)

2024-03-0420:42:45

Google

osv.dev

electron-builder

nsis

windows

vulnerability

installer

cmd.exe

executable

patch

workaround

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.1%

JSON

Impact

Windows-Only: The NSIS installer makes a system call to open cmd.exe via NSExec in the .nsh installer script. NSExec by default searches the current directory of where the installer is located before searching PATH. This means that if an attacker can place a malicious executable file named cmd.exe in the same folder as the installer, the installer will run the malicious file.

Patches

Fixed in https://github.com/electron-userland/electron-builder/pull/8059

Workarounds

None, it executes at the installer-level before the app is present on the system, so there’s no way to check if it exists in a current installer.

References

https://cwe.mitre.org/data/definitions/426.html
https://cwe.mitre.org/data/definitions/427

CPENameOperatorVersion
app-builder-liblt24.13.2

CPE	Name	Operator	Version
	app-builder-lib	lt	24.13.2

References

github.com/electron-userland/electron-builder

github.com/electron-userland/electron-builder/commit/8f4acff3c2d45c1cb07779bb3fe79644408ee387

github.com/electron-userland/electron-builder/pull/8059

github.com/electron-userland/electron-builder/security/advisories/GHSA-r4pf-3v7r-hh55

nvd.nist.gov/vuln/detail/CVE-2024-27303