
CVE-2021-39184

Severity: Medium
Published: 12 October 2021
Modified: 21 November 2024
KEV: not listed
Patch: available
CVSS v3.1 score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS score: 0.0037 (59.0th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-39184 is a medium-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability in Electronjs Electron. Its CVSS base score is 6.8 (Medium).

Operationally, it ranks in the top 41.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.


Vulnerability details

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling `contextIsolation` in one's app. One may also disable the functionality of the `createThumbnailFromPath` API if one does not need it.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: electronjs
Product: electron
Affected versions: 14.0.0, 15.0.0 · 10.1.0 — 11.5.0 · 12.0.0 — 12.1.0 · 13.0.0 — 13.3.0

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-862, CWE-668: Mandates authorization checks before permitting access or data processing via external systems.
- Addresses CWE-862, CWE-668: Provides a mechanism for authorized users to verify that an authorization match exists, preventing sharing without proper authorization verification.
- Addresses CWE-668, CWE-862: Restricts information flows so that resources are not exposed to incorrect or unauthorized spheres.
- Addresses CWE-862, CWE-668: Requires explicit authorization for each internal connection, preventing missing-authorization conditions.
- Addresses CWE-668, CWE-862: Asset tracking reveals resources that have inadvertently entered an unintended security sphere, permitting corrective isolation.
- Addresses CWE-668, CWE-862: Enforces separation so that resources are not placed in a public sphere without explicit protection.
- Addresses CWE-668, CWE-862: Ensures resources are not exposed outside their intended security domain by filtering transfers at the domain boundary.
- Addresses CWE-668, CWE-862: Keeps internal resources in network spheres separate from externally accessible components.
