Vulnerability Description
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Electronjs | Electron | < 6.1.1 |
Related Weaknesses (CWE)
References
- https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrgThird Party Advisory
- https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824Release NotesVendor Advisory
- https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrgThird Party Advisory
- https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824Release NotesVendor Advisory
FAQ
What is CVE-2020-15096?
CVE-2020-15096 is a vulnerability with a CVSS score of 6.8 (MEDIUM). In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated ...
How severe is CVE-2020-15096?
CVE-2020-15096 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-15096?
Check the references section above for vendor advisories and patch information. Affected products include: Electronjs Electron.