cvelist/2020/4xxx/CVE-2020-4076.json

{
    "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-4076",
        "STATE": "PUBLIC",
        "TITLE": "Context isolation bypass via leaked cross-context objects in Electron"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "electron",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_value": ">= 9.0.0-beta.0, <= 9.0.0-beta.20"
                                        },
                                        {
                                            "version_value": ">= 8.0.0, < 8.2.4"
                                        },
                                        {
                                            "version_value": "< 7.2.4"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "electron"
                }
            ]
        }
    },
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.\n\nApps using contextIsolation are affected.\n\nThis is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4."
            }
        ]
    },
    "impact": {
        "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
        }
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-501 Trust Boundary Violation"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "name": "https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79",
                "refsource": "CONFIRM",
                "url": "https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79"
            },
            {
                "name": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824",
                "refsource": "MISC",
                "url": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824"
            }
        ]
    },
    "source": {
        "advisory": "GHSA-m93v-9qjc-3g79",
        "discovery": "UNKNOWN"
    }
}
"-Synchronized-Data." 2019-12-30 14:01:02 +00:00			`{`
			`"CVE_data_meta": {`
add CVE-2020-4076 for GHSA-m93v-9qjc-3g79 2020-07-06 17:43:29 -06:00			`"ASSIGNER": "security-advisories@github.com",`
"-Synchronized-Data." 2019-12-30 14:01:02 +00:00			`"ID": "CVE-2020-4076",`
add CVE-2020-4076 for GHSA-m93v-9qjc-3g79 2020-07-06 17:43:29 -06:00			`"STATE": "PUBLIC",`
			`"TITLE": "Context isolation bypass via leaked cross-context objects in Electron"`
"-Synchronized-Data." 2019-12-30 14:01:02 +00:00			`},`
add CVE-2020-4076 for GHSA-m93v-9qjc-3g79 2020-07-06 17:43:29 -06:00			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "electron",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_value": ">= 9.0.0-beta.0, <= 9.0.0-beta.20"`
			`},`
			`{`
			`"version_value": ">= 8.0.0, < 8.2.4"`
			`},`
			`{`
			`"version_value": "< 7.2.4"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name": "electron"`
			`}`
			`]`
			`}`
			`},`
			`"data_format": "MITRE",`
			`"data_type": "CVE",`
			`"data_version": "4.0",`
"-Synchronized-Data." 2019-12-30 14:01:02 +00:00			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
add CVE-2020-4076 for GHSA-m93v-9qjc-3g79 2020-07-06 17:43:29 -06:00			`"value": "In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.\n\nApps using contextIsolation are affected.\n\nThis is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4."`
			`}`
			`]`
			`},`
			`"impact": {`
			`"cvss": {`
			`"attackComplexity": "HIGH",`
			`"attackVector": "LOCAL",`
			`"availabilityImpact": "NONE",`
			`"baseScore": 7.8,`
			`"baseSeverity": "HIGH",`
			`"confidentialityImpact": "HIGH",`
			`"integrityImpact": "HIGH",`
			`"privilegesRequired": "NONE",`
			`"scope": "CHANGED",`
			`"userInteraction": "NONE",`
			`"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",`
			`"version": "3.1"`
			`}`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-501 Trust Boundary Violation"`
			`}`
			`]`
"-Synchronized-Data." 2019-12-30 14:01:02 +00:00			`}`
			`]`
add CVE-2020-4076 for GHSA-m93v-9qjc-3g79 2020-07-06 17:43:29 -06:00			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"name": "https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79",`
			`"refsource": "CONFIRM",`
			`"url": "https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79"`
			`},`
			`{`
			`"name": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824",`
			`"refsource": "MISC",`
			`"url": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824"`
			`}`
			`]`
			`},`
			`"source": {`
			`"advisory": "GHSA-m93v-9qjc-3g79",`
			`"discovery": "UNKNOWN"`
"-Synchronized-Data." 2019-12-30 14:01:02 +00:00			`}`
			`}`