CVE-2022-29257
moderate-risk
Published 2022-06-13
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components. This kind of attack would require significant privileges in a potential victim's own auto updating infrastructure and the ease of that attack entirely depends on the potential victim's infrastructure security. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. There are no known workarounds.
Do I need to act?
-
0.45% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.6/10
Medium
NETWORK
/ HIGH complexity
Affected Products (20)
Affected Vendors
References (2)
Third Party Advisory
https://github.com/electron/electron/security/advisories/GHSA-77xc-hjv8-ww97
Third Party Advisory
https://github.com/electron/electron/security/advisories/GHSA-77xc-hjv8-ww97
43
/ 100
moderate-risk
Severity
20/34 · Moderate
Exploitability
2/34 · Minimal
Exposure
21/34 · High