Platform: nodejs
Component: electron-packager
Fixed in: 7.0.0
CVE-2016-10534 affects versions of electron-packager prior to 7.0.0. This vulnerability allows for Man-in-the-Middle (MITM) attacks during the Electron download process, potentially enabling attackers to replace legitimate downloads with malicious ones. The issue stems from the default configuration disabling SSL certificate verification. Updating to version 7.0.0 or implementing strict SSL verification mitigates this risk.
An attacker with a privileged network position can exploit this vulnerability to launch a MITM attack. The attack occurs during the installation process when electron-packager downloads Electron. By intercepting this download, the attacker can substitute a tampered, malicious version of Electron. This could lead to the installation of a compromised application, potentially granting the attacker control over the target system or allowing them to exfiltrate sensitive data. The impact is particularly severe because it affects the core component responsible for building Electron applications, making it a potentially widespread issue for developers using electron-packager.
This CVE was published in 2019, although the underlying issue was identified earlier. There is no known active exploitation campaign targeting this vulnerability. Public proof-of-concept exploits are not widely available. The vulnerability is listed on the NVD (National Vulnerability Database) and has a CVSS score of 2.5 (LOW).
Developers and organizations using electron-packager to build and distribute Electron-based applications are at risk, particularly those relying on the CLI and not explicitly configuring SSL verification within their node.js API calls. Shared hosting environments where users have limited control over the build process are also at increased risk.
• nodejs / supply-chain:
Get-Process -Name electron-packager | Select-Object -ExpandProperty Path
• nodejs / supply-chain:
Get-ChildItem -Path "C:\Program Files\electron-packager\*" -Recurse -Filter "*.exe"
• generic web:
curl -I https://example.com/electron-download.exe | grep -i ssl
EPSS: 0.16% (36th percentile)
The primary mitigation for CVE-2016-10534 is to upgrade electron-packager to version 7.0.0 or later, which changes the default so that SSL certificate verification is enabled. If upgrading is not immediately feasible, enforce strict SSL certificate verification in your electron-packager configuration: explicitly set the strict-ssl option to true when using the node.js API, and for CLI users make sure the configuration enforces strict SSL verification. After upgrading, confirm the fix by building an application and verifying that the Electron download is performed with SSL certificate verification enabled.
No official patch available. Check for workarounds or monitor for updates.
CVE-2016-10534 is a vulnerability in electron-packager versions before 7.0.0 that allows attackers to perform MITM attacks during Electron downloads, potentially replacing them with malicious files.
You are affected if you are using electron-packager versions prior to 7.0.0 and are using the CLI, as the default SSL verification is disabled.
Upgrade electron-packager to version 7.0.0 or later to resolve the vulnerability. Consider WAF/proxy rules if immediate upgrade is not possible.
While no confirmed active exploitation campaigns are publicly known, the potential for MITM attacks makes it a significant risk.
Refer to the electron-packager documentation and related security advisories for more information: https://github.com/electron-userland/electron-packager/issues/602