CVE-2023-49314

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 92%
VendorProductVersion
asanadesktop
2.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://asana.com/pt/download
https://github.com/electron/fuses
https://github.com/louiselalanne/CVE-2023-49314
https://github.com/r3ggi/electroniz3r
https://www.electronjs.org/blog/statement-run-as-node-cves
https://www.electronjs.org/docs/latest/tutorial/fuses
https://asana.com/pt/download
https://github.com/electron/fuses
https://github.com/louiselalanne/CVE-2023-49314
https://github.com/r3ggi/electroniz3r
https://www.electronjs.org/blog/statement-run-as-node-cves
https://www.electronjs.org/docs/latest/tutorial/fuses