CVE-2024-27303 Common Vulnerabilities and Exposures

Upstream information

CVE-2024-27303 at MITRE

Description

electron-builder is a solution to package and build a ready for distribution Electron, Proton Native app for macOS, Windows and Linux. A vulnerability that only affects eletron-builder prior to 24.13.2 in Windows, the NSIS installer makes a system call to open cmd.exe via NSExec in the `.nsh` installer script. NSExec by default searches the current directory of where the installer is located before searching `PATH`. This means that if an attacker can place a malicious executable file named cmd.exe in the same folder as the installer, the installer will run the malicious file. Version 24.13.2 fixes this issue. No known workaround exists. The code executes at the installer-level before the app is present on the system, so there's no way to check if it exists in a current installer.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having not set severity.

No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s)	Fixed package version(s)	References
openSUSE Tumbleweed	`teleport >= 15.1.6-1.1` `teleport-tbot >= 15.1.6-1.1` `teleport-tctl >= 15.1.6-1.1` `teleport-tsh >= 15.1.6-1.1`	Patchnames: openSUSE Tumbleweed GA teleport-15.1.6-1.1

SUSE Timeline for this CVE

CVE page created: Wed Mar 6 21:00:09 2024
CVE page last modified: Mon Mar 18 00:41:55 2024