CVE-2020-15096 Vulnerability Details

  /     /     /  

CVE-2020-15096 Metadata Quick Info

CVE Published: 07/07/2020 | CVE Updated: 04/08/2024 | CVE Year: 2020
Source: GitHub_M | Vendor: electron | Product: electron
Status : PUBLISHED

---

CVE-2020-15096 Description

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.

Metrics

CVSS Version: 3.1 | Base Score: 6.8 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* HIGH
    User Interaction (UI)* NONE
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* NONE
    Integrity Impact (I)* HIGH
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-501
CWE Name: CWE-501 Trust Boundary Violation
Source: electron

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).