SCA: security update for electron (GHSA-mq8j-3h7h-p8g7)

critical Tenable Self-Hosted Container Security Plugin ID 417086

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and
CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with
JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled which in
turn allows effective access to `ipcRenderer`. The `nodeIntegrationInSubFrames` option does not implicitly
grant Node.js access. Rather, it depends on the existing sandbox setting. If an application is sandboxed,
then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs, which include
`ipcRenderer`. If the application then additionally exposes IPC messages without IPC `senderFrame`
validation that perform privileged actions or return confidential data this access to `ipcRenderer` can in
turn compromise your application / user even with the sandbox enabled. Electron versions 18.0.0-beta.6,
17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. As a workaround, ensure that all IPC message
handlers appropriately validate `senderFrame`. (CVE-2022-29247)

See Also

https://github.com/advisories/GHSA-mq8j-3h7h-p8g7

Plugin Details

Severity: Critical

ID: 417086

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.95

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-29247

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/16/2022

Vulnerability Publication Date: 6/13/2022

Reference Information

CVE: CVE-2022-29247

cwe: CWE-668