Bug 2141029 (CVE-2022-36077) - CVE-2022-36077 Electron: Redirection error and misuse of hashed credentials
Summary: CVE-2022-36077 Electron: Redirection error and misuse of hashed credentials
Alias: CVE-2022-36077
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: Embargoed2141030
TreeView+ depends on / blocked
Reported: 2022-11-08 14:12 UTC by Sage McTaggart
Modified: 2023-01-12 07:00 UTC (History)
82 users (show)

Fixed In Version: electron 18.3.7, electron 19.0.11, electron 20.0.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2023-01-12 07:00:41 UTC

Attachments (Terms of Use)

Description Sage McTaggart 2022-11-08 14:12:09 UTC
The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as `file://some.website.com/`, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.This issue has been patched in versions: 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7. Users are recommended to upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the `WebContents.on('will-redirect')` event, for all WebContents as a workaround.


Comment 2 Jonny Heggheim 2022-11-18 16:45:36 UTC
Not sure why I was added to the CC

Comment 4 Product Security DevOps Team 2023-01-12 07:00:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.