CVE-2020-4076

EUVD-2020-0565
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
GitHub_MCNA
7.8 HIGH
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
Affected Products (NVD)
VendorProductVersion
electronjselectron
7.0.0 ≤
𝑥
< 7.2.4
electronjselectron
8.0.0 ≤
𝑥
< 8.2.4
electronjselectron
9.0.0
electronjselectron
9.0.0:beta1
electronjselectron
9.0.0:beta10
electronjselectron
9.0.0:beta11
electronjselectron
9.0.0:beta12
electronjselectron
9.0.0:beta13
electronjselectron
9.0.0:beta14
electronjselectron
9.0.0:beta15
electronjselectron
9.0.0:beta16
electronjselectron
9.0.0:beta17
electronjselectron
9.0.0:beta18
electronjselectron
9.0.0:beta19
electronjselectron
9.0.0:beta2
electronjselectron
9.0.0:beta20
electronjselectron
9.0.0:beta3
electronjselectron
9.0.0:beta4
electronjselectron
9.0.0:beta5
electronjselectron
9.0.0:beta6
electronjselectron
9.0.0:beta7
electronjselectron
9.0.0:beta8
electronjselectron
9.0.0:beta9
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79
https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824
https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79
https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824