SCA: security update for electron (GHSA-p7v2-p9m8-qqg7)

high Tenable Cloud Security Plugin ID 417381

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML
and CSS. Electron apps using `contextIsolation` and `contextBridge` are affected. This is a context
isolation bypass, meaning that code running in the main world context in the renderer can reach into the
isolated Electron context and perform privileged actions. This issue is only exploitable if an API exposed
to the main world via `contextBridge` can return an object or array that contains a javascript object
which cannot be serialized, for instance, a canvas rendering context. This would normally result in an
exception being thrown `Error: object could not be cloned`. The app side workaround is to ensure that such
a case is not possible. Ensure all values returned from a function exposed over the context bridge are
supported. This issue has been fixed in versions `25.0.0-alpha.2`, `24.0.1`, `23.2.3`, and `22.3.6`.
(CVE-2023-29198)

See Also

https://github.com/advisories/GHSA-p7v2-p9m8-qqg7

Plugin Details

Severity: High

ID: 417381

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.66

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-29198

CVSS v3

Risk Factor: High

Base Score: 8.5

Temporal Score: 7.4

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/6/2023

Vulnerability Publication Date: 9/6/2023

Reference Information

CVE: CVE-2023-29198

cwe: CWE-754