electron-quick-start@1.0.0

Vulnerabilities: 3 via 3 paths
Dependencies: 77
Source: npm


Severity: 1 high, 2 medium

high severity

Arbitrary File Overwrite

  • Vulnerable module: fstream
  • Introduced through: electron-updater@0.2.3

Detailed paths

  • Introduced through: electron-quick-start@1.0.0 > electron-updater@0.2.3 > unzip@0.1.11 > fstream@0.1.31

Overview

fstream is a package that supports advanced FS Streaming for Node.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. When a tarball contains a hardlink entry whose target is a file that already exists on the system, followed by a regular file entry with the same name as that hardlink, extraction first creates the link and then writes the regular file through it, so the existing system file is overwritten with the contents of the extracted file.

Remediation

Upgrade fstream to version 1.0.12 or higher. In this project fstream is not a direct dependency (it arrives via electron-updater@0.2.3 > unzip@0.1.11), so check the lockfile after upgrading electron-updater: if the new version still resolves to a unzip release that pins fstream@0.1.x, pin fstream itself to 1.0.12 or higher with your package manager's override or resolution mechanism and confirm the path is gone in a fresh scan.

medium severity

Signature Validation Bypass

  • Vulnerable module: electron-updater
  • Introduced through: electron-updater@0.2.3

Detailed paths

  • Introduced through: electron-quick-start@1.0.0 > electron-updater@0.2.3
    Remediation: Upgrade to electron-updater@4.2.2.

Overview

electron-updater is a module allowing applications to implement auto-update functionality.

Affected versions of this package are vulnerable to Signature Validation Bypass. The signature check compares, as strings, the installed binary's publisherName with the Common Name of the certificate on the downloaded update binary. During an update the application fetches a file named latest.yml from the update server; that file defines the new release, including the update binary's file name and hashes, so whoever controls the server controls the file name the client will use.

A file name containing a single quote, published together with a matching hash, triggers a parse error in the script that reads the update binary's signature, and that error causes the whole signature check to be bypassed instead of failing.

This can be leveraged to force a malicious update on Windows clients, effectively gaining code execution and persistence.

Exploiting this requires the attacker to control the update server or to sit as a man-in-the-middle between the client and that server.

Remediation

Upgrade electron-updater to version 4.2.2 or higher.

medium severity

Signature Validation Bypass

  • Vulnerable module: electron-updater
  • Introduced through: electron-updater@0.2.3

Detailed paths

  • Introduced through: electron-quick-start@1.0.0 > electron-updater@0.2.3
    Remediation: Upgrade to electron-updater@4.3.1.

Overview

electron-updater is a module allowing applications to implement auto-update functionality.

Affected versions of this package are vulnerable to Signature Validation Bypass. This is a second variant of the single-quote issue above: the signature check compares, as strings, the installed binary's publisherName with the Common Name of the certificate on the downloaded update binary, and the update binary's file name comes from latest.yml, which the update server supplies together with the release's hashes.

A file name containing a backtick (`), or one of several other symbols, published together with a matching hash, triggers a parse error in the script that reads the update binary's signature and so bypasses the whole signature check.

This can be leveraged to force a malicious update on Windows clients, effectively gaining code execution and persistence.

Exploiting this requires the attacker to control the update server or to sit as a man-in-the-middle between the client and that server.

A partial fix, which blacklists a small set of characters, has been published, but additional characters can still be used to exploit this vulnerability; treat every version below 4.3.1 as affected.

Remediation

Upgrade electron-updater to version 4.3.1 or higher.
