CVE-2023-49314

high

Description

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.

References

https://www.electronjs.org/docs/latest/tutorial/fuses

https://www.electronjs.org/blog/statement-run-as-node-cves

https://github.com/r3ggi/electroniz3r

https://github.com/louiselalanne/CVE-2023-49314

https://github.com/electron/fuses

https://asana.com/pt/download

Details

Source: Mitre, NVD

Published: 2023-11-28

Updated: 2024-02-16

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.04333