CVE-2022-29247

描述

### Impact This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled which in turn allows effective access to `ipcRenderer`. Please note the misleadingly named `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access rather it depends on the existing `sandbox` setting. If your application is sandboxed then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs (which includes `ipcRenderer`). If your application then additionally exposes IPC messages without IPC `senderFrame` validation that perform privileged actions or return confidential data this access to `ipcRenderer` can in turn compromise your application / user even with the sandbox enabled. ### Patches This has been patched and the following Electron versions contain the fix: * `18.0.0-beta.6` * `17.2.0` * `16.2.6` * `15.5.5` ### Workarounds Ensure that all IPC message handlers appropriately validate `senderFrame` as per our [security tutorial here](https://github.com/electron/electron/blob/main/docs/tutorial/security.md#17-validate-the-sender-of-all-ipc-messages). ### For more information If you have any questions or comments about this advisory, email us at [[email protected]](mailto:[email protected]).

受影響套件(1)

• npm/electronfrom 0, < 15.5.5

CVSS 分數

參考連結(3)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-29247
• PATCHhttps://github.com/electron/electron
• WEBhttps://github.com/electron/electron/security/advisories/GHSA-mq8j-3h7h-p8g7