Strix
26.1K

CVE-2023-39956

MEDIUMCVSS 6.6/10EPSS 0.56%

Last modified

CVE-2023-39956 is a medium-severity vulnerability rated 6.6/10 on the CVSS scale. Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. EPSS estimates a 0.56% chance of exploitation in the next 30 days.

Description

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically this issue can only be exploited if the following conditions are met: 1. The app is launched with an attacker-controlled working directory and 2. The attacker has the ability to write files to that working directory. This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. This issue has been fixed in versions:`26.0.0-beta.13`, `25.4.1`, `24.7.1`, `23.3.13`, and `22.3.19`. There are no app side workarounds, users must update to a patched version of Electron.

Metrics

CVSS 3.1
6.6/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

EPSS Probability
0.56%

42.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
ElectronjsElectron< 22.3.9
ElectronjsElectron>= 23.0.0, < 23.3.13
ElectronjsElectron>= 24.0.0, < 24.7.1
ElectronjsElectron>= 25.0.0, < 25.5.0
ElectronjsElectron26.0.0Alpha1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-39956?
Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically this issue can only be exploited if the following conditions are met: 1. The app is launched with an attacker-controlled working directory and 2. The attacker has the ability to write files to that working directory. This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. This issue has been fixed in versions:`26.0.0-beta.13`, `25.4.1`, `24.7.1`, `23.3.13`, and `22.3.19`. There are no app side workarounds, users must update to a patched version of Electron.
How severe is CVE-2023-39956?
CVE-2023-39956 has a CVSS score of 6.6/10 (MEDIUM severity). The EPSS model estimates a 0.56% probability of exploitation in the next 30 days.
How do I fix CVE-2023-39956?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-39956?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST