CVE-2024-39698 - Vulnerability Details

Vendors	Products
Electron	Electron-builder

Link	Providers
https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41
https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f
https://github.com/electron-userland/electron-builder/pull/8295
https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39698", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-27T18:44:13.037Z", "datePublished": "2024-07-09T17:50:28.169Z", "dateUpdated": "2024-08-02T04:26:15.985Z"}, "containers": {"cna": {"title": "Code Signing Bypass on Windows in electron-updater < 6.3.0-alpha.6", "problemTypes": [{"descriptions": [{"cweId": "CWE-154", "lang": "en", "description": "CWE-154: Improper Neutralization of Variable Name Delimiters", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq"}, {"name": "https://github.com/electron-userland/electron-builder/pull/8295", "tags": ["x_refsource_MISC"], "url": "https://github.com/electron-userland/electron-builder/pull/8295"}, {"name": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f", "tags": ["x_refsource_MISC"], "url": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f"}, {"name": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41", "tags": ["x_refsource_MISC"], "url": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41"}], "affected": [{"vendor": "electron-userland", "product": "electron-builder", "versions": [{"version": "< 6.3.0-alpha.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-09T17:50:28.169Z"}, "descriptions": [{"lang": "en", "value": "electron-updater allows for automatic updates for Electron apps. The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by `cmd.exe` expands any environment variable found in command-line above. This creates a situation where `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid. This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.). The patch is available starting from 6.3.0-alpha.6."}], "source": {"advisory": "GHSA-9jxc-qjr9-vjxq", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "electron", "product": "electron", "cpes": ["cpe:2.3:a:electron:electron:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "6.3.0-alpha.6", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-10T14:40:10.938790Z", "id": "CVE-2024-39698", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-10T14:41:06.824Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:15.985Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq"}, {"name": "https://github.com/electron-userland/electron-builder/pull/8295", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/electron-userland/electron-builder/pull/8295"}, {"name": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f"}, {"name": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq", "name": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/electron-userland/electron-builder/pull/8295", "name": "https://github.com/electron-userland/electron-builder/pull/8295", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f", "name": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41", "name": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:15.985Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39698", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-10T14:40:10.938790Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:electron:electron:*:*:*:*:*:*:*:*"], "vendor": "electron", "product": "electron", "versions": [{"status": "affected", "version": "0", "lessThan": "6.3.0-alpha.6", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-10T14:41:00.588Z"}}], "cna": {"title": "Code Signing Bypass on Windows in electron-updater < 6.3.0-alpha.6", "source": {"advisory": "GHSA-9jxc-qjr9-vjxq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "electron-userland", "product": "electron-builder", "versions": [{"status": "affected", "version": "< 6.3.0-alpha.6"}]}], "references": [{"url": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq", "name": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/electron-userland/electron-builder/pull/8295", "name": "https://github.com/electron-userland/electron-builder/pull/8295", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f", "name": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41", "name": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "electron-updater allows for automatic updates for Electron apps. The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by `cmd.exe` expands any environment variable found in command-line above. This creates a situation where `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid. This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.). The patch is available starting from 6.3.0-alpha.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-154", "description": "CWE-154: Improper Neutralization of Variable Name Delimiters"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-09T17:50:28.169Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39698", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:26:15.985Z", "dateReserved": "2024-06-27T18:44:13.037Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-09T17:50:28.169Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:electron:electron-builder:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F77447F6-4E3F-468E-BBBB-AB248C06CF1B", "versionEndExcluding": "6.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha0:*:*:*:node.js:*:*", "matchCriteriaId": "801B3F79-555D-4FCB-B854-227E8D3FDD9E", "vulnerable": true}, {"criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "3B939D2F-400E-478C-8F45-568D5B7C5756", "vulnerable": true}, {"criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "4ECAF72F-A2E1-4D12-9797-CA1461931579", "vulnerable": true}, {"criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "E03022BB-203E-4750-BCD1-493971C95559", "vulnerable": true}, {"criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "587F242D-22D2-4BE6-BCF0-87C2865546E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "116D170A-CD87-484A-864E-5CA0D198C947", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "electron-updater allows for automatic updates for Electron apps. The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by `cmd.exe` expands any environment variable found in command-line above. This creates a situation where `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid. This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.). The patch is available starting from 6.3.0-alpha.6."}, {"lang": "es", "value": "electron-updater permite actualizaciones autom\u00e1ticas para las aplicaciones de Electron. El archivo `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implementa la rutina de validaci\u00f3n de firmas para aplicaciones Electron en Windows. Debido al shell circundante, un primer paso por `cmd.exe` expande cualquier variable de entorno que se encuentre en la l\u00ednea de comandos anterior. Esto crea una situaci\u00f3n en la que se puede enga\u00f1ar a `verifySignature()` para que valide el certificado de un archivo diferente al que se acaba de descargar. Si el paso tiene \u00e9xito, la actualizaci\u00f3n maliciosa se ejecutar\u00e1 incluso si su firma no es v\u00e1lida. Este ataque supone un manifiesto de actualizaci\u00f3n comprometido (compromiso del servidor, ataque Man-in-the-Middle si se obtiene a trav\u00e9s de HTTP, Cross Site Scripting para apuntar la aplicaci\u00f3n a un servidor de actualizaci\u00f3n malicioso, etc.). El parche est\u00e1 disponible a partir de 6.3.0-alpha.6."}], "id": "CVE-2024-39698", "lastModified": "2024-11-21T09:28:14.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-07-09T18:15:10.863", "references": [{"source": "[email protected]", "tags": ["Product"], "url": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f"}, {"source": "[email protected]", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/electron-userland/electron-builder/pull/8295"}, {"source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/electron-userland/electron-builder/pull/8295"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-154"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "[email protected]", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object