CVE-2021-39184
Information Disclosure vulnerability in electron (npm)
What is CVE-2021-39184 About?
This vulnerability in Electron allows a sandboxed renderer to request a thumbnail image of an arbitrary local file, potentially disclosing significant portions of the file's content. Exploitation is plausible if an attacker can control the renderer's actions. The impact can include unauthorized access to sensitive local data.
Affected Software
- electron
  - >13.0.0, <13.3.0
  - <11.5.0
  - >12.0.0, <12.1.0
Technical Details
The vulnerability lies within Electron's createThumbnailFromPath API, which is intended to generate thumbnails from local files. A sandboxed renderer, typically restricted from direct file system access, is unexpectedly able to call this API with arbitrary file paths on the user's system. When createThumbnailFromPath is invoked with a path to a non-image file (e.g., a text document or configuration file), it attempts to process its content to generate a thumbnail. In many cases, this process involves reading the file and may embed significant portions of its raw data, including textual content, into the generated thumbnail image. An attacker controlling the renderer can then exfiltrate this thumbnail, thereby disclosing information from otherwise inaccessible local files.
What is the Impact of CVE-2021-39184?
Successful exploitation may allow attackers to access and potentially exfiltrate sensitive data from local files on the user's system, leading to information disclosure or further compromise.
What is the Exploitability of CVE-2021-39184?
Exploitation requires controlling a sandboxed renderer process and invoking the createThumbnailFromPath API with a desired file path, which makes its complexity moderate. No authentication requirement is explicitly detailed, but successful exploitation hinges on compromising or gaining control within the sandboxed renderer. Privilege requirements are elevated once inside the renderer to call this specific API. It is a local vulnerability in the context of the renderer, but the initial compromise of the renderer could be remote (e.g., via a malicious website loaded by Electron). Special conditions include the renderer not having context isolation enabled or the createThumbnailFromPath API not being disabled. Risk increases when Electron applications load untrusted content within their renderers.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-39184?
Available Upgrade Options
- electron
  - <11.5.0 → Upgrade to 11.5.0
- electron
  - >12.0.0, <12.1.0 → Upgrade to 12.1.0
- electron
  - >13.0.0, <13.3.0 → Upgrade to 13.3.0
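To check a project against the upgrade options above, the following added example (not code from the Electron project or from this advisory) audits a package-lock.json for electron copies that need upgrading. The function names and the sample lockfile are constructed for illustration; as a conservative assumption it also flags the x.0.0 release and prereleases of each line, although the page writes the lower bounds as exclusive.

```javascript
// Added example: flag electron versions affected by CVE-2021-39184 in a lockfile.
// Fixed release per release line, taken from the upgrade list on this page.
const FIXED = { 11: [11, 5, 0], 12: [12, 1, 0], 13: [13, 3, 0] };

// Parse "13.2.1" or "13.3.0-beta.2" into a numeric core plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the version to upgrade to, or null when the version is not affected.
function fixFor(version) {
  const p = parseVersion(version);
  if (!p) throw new Error(`unparseable electron version: ${version}`);
  if (p.core[0] > 13) return null; // the page lists no affected range above 13.x
  const fixed = FIXED[p.core[0]] || FIXED[11]; // majors below 11 fall under "<11.5.0"
  const c = cmp(p.core, fixed);
  // Assumptions: x.0.0 counts as affected, and a prerelease of the fixed
  // version (e.g. 13.3.0-beta.1) precedes the fix, so it is flagged too.
  return c < 0 || (c === 0 && p.pre) ? fixed.join('.') : null;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every installed electron copy, including nested ones.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path !== 'node_modules/electron' && !path.endsWith('/node_modules/electron')) continue;
    const upgradeTo = fixFor(pkg.version);
    if (upgradeTo) findings.push({ path, version: pkg.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  '': { name: 'demo-app' },
  'node_modules/electron': { version: '13.1.7' },
  'packages/tool/node_modules/electron': { version: '12.1.0' },
  'node_modules/legacy/node_modules/electron': { version: '9.4.4' },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile` instead of the sample object.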
Additional Resources
- https://github.com/electron/electron/pull/30728
- https://nvd.nist.gov/vuln/detail/CVE-2021-39184
- https://github.com/electron/electron/security/advisories/GHSA-mpjm-v997-c4h4
- https://github.com/electron/electron/pull/30728/commits/8fed645bd671f359ee52d806c075ec4e07eda17f
- https://github.com/electron/electron
- https://osv.dev/vulnerability/GHSA-mpjm-v997-c4h4
What are Similar Vulnerabilities to CVE-2021-39184?
Similar Vulnerabilities: CVE-2018-16472, CVE-2019-18342, CVE-2020-15104, CVE-2020-15105, CVE-2021-26490
