electron-packager

SSL Validation Defaults to False

Severity: low

Overview

Affected versions of electron-packager configure the generated application to disable SSL certificate verification by default.

This could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step in which electron-packager downloads Electron for the supported target platforms and architectures and replacing the valid download with a tampered, malicious one.

This only affects users of the electron-packager CLI; the strict-ssl option defaults to true for the node.js API.

Remediation

  1. Update to version 7.0.0 or later.
  2. Delete the electron-download cache folder, which is by default located at ~/.electron.

Vulnerable versions

5.2.1 (3 years ago)
6.0.0 (2 years ago)
6.0.1 (2 years ago)
6.0.2 (2 years ago)

Unaffected versions

3.0.0 (3 years ago)
3.1.0 (3 years ago)
3.2.0 (3 years ago)
3.3.0 (3 years ago)
3.4.0 (3 years ago)
4.0.0 (3 years ago)
4.0.1 (3 years ago)
4.0.2 (3 years ago)
4.0.3 (3 years ago)
4.1.0 (3 years ago)
4.1.1 (3 years ago)
4.1.2 (3 years ago)
4.1.3 (3 years ago)
4.2.0 (3 years ago)
5.0.0 (3 years ago)
5.0.1 (3 years ago)
5.0.2 (3 years ago)
5.1.0 (3 years ago)
5.1.1 (3 years ago)
5.2.0 (3 years ago)
7.0.0 (2 years ago)
7.0.1 (2 years ago)
7.0.2 (2 years ago)
7.0.3 (2 years ago)
7.0.4 (2 years ago)
7.1.0 (2 years ago)
7.2.0 (2 years ago)
7.3.0 (2 years ago)
7.4.0 (2 years ago)
7.5.0 (2 years ago)
7.5.1 (2 years ago)
7.6.0 (2 years ago)
7.7.0 (2 years ago)
8.0.0 (2 years ago)
8.1.0 (2 years ago)
8.2.0 (2 years ago)
8.3.0 (2 years ago)
8.4.0 (2 years ago)
8.5.0 (2 years ago)
8.5.1 (2 years ago)
8.5.2 (a year ago)
8.6.0 (a year ago)
8.7.0 (a year ago)
8.7.1 (a year ago)
8.7.2 (a year ago)
9.0.0 (a year ago)
9.0.1 (a year ago)
9.1.0 (a year ago)
10.0.0 (9 months ago)
10.1.0 (9 months ago)
10.1.1 (7 months ago)
10.1.2 (7 months ago)
11.0.0 (6 months ago)
11.0.1 (6 months ago)
11.1.0 (5 months ago)
11.2.0 (5 months ago)
12.0.0 (4 months ago)
12.0.1 (4 months ago)
12.0.2 (3 months ago)
12.1.0 (3 months ago)

Advisory timeline

  1. Published: Advisory published, Apr 22nd, 2016
  2. Reported: Initial report by Mark Lee, Apr 21st, 2016