CVE-2021-39184: Sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API
First published: Tue Oct 12 2021(Updated: )
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling `contextIsolation` in one's app. One may also disable the functionality of the `createThumbnailFromPath` API if one does not need it.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Electronjs Electron | >=10.1.0<11.5.0 | |
| Electronjs Electron | >=12.0.0<12.1.0 | |
| Electronjs Electron | >=13.0.0<13.3.0 | |
| Electronjs Electron | =14.0.0-beta1 | |
| Electronjs Electron | =14.0.0-beta10 | |
| Electronjs Electron | =14.0.0-beta11 | |
| Electronjs Electron | =14.0.0-beta12 | |
| Electronjs Electron | =14.0.0-beta13 | |
| Electronjs Electron | =14.0.0-beta14 | |
| Electronjs Electron | =14.0.0-beta15 | |
| Electronjs Electron | =14.0.0-beta16 | |
| Electronjs Electron | =14.0.0-beta17 | |
| Electronjs Electron | =14.0.0-beta18 | |
| Electronjs Electron | =14.0.0-beta19 | |
| Electronjs Electron | =14.0.0-beta2 | |
| Electronjs Electron | =14.0.0-beta20 | |
| Electronjs Electron | =14.0.0-beta21 | |
| Electronjs Electron | =14.0.0-beta22 | |
| Electronjs Electron | =14.0.0-beta23 | |
| Electronjs Electron | =14.0.0-beta24 | |
| Electronjs Electron | =14.0.0-beta25 | |
| Electronjs Electron | =14.0.0-beta3 | |
| Electronjs Electron | =14.0.0-beta4 | |
| Electronjs Electron | =14.0.0-beta5 | |
| Electronjs Electron | =14.0.0-beta6 | |
| Electronjs Electron | =14.0.0-beta7 | |
| Electronjs Electron | =14.0.0-beta8 | |
| Electronjs Electron | =14.0.0-beta9 | |
| Electronjs Electron | =15.0.0-alpha1 | |
| Electronjs Electron | =15.0.0-alpha2 | |
| Electronjs Electron | =15.0.0-alpha3 | |
| Electronjs Electron | =15.0.0-alpha4 | |
| Electronjs Electron | =15.0.0-alpha5 | |
| Electronjs Electron | =15.0.0-alpha6 | |
| Electronjs Electron | =15.0.0-alpha7 | |
| Electronjs Electron | =15.0.0-alpha8 | |
| Electronjs Electron | =15.0.0-alpha9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-39184?
CVE-2021-39184 is a vulnerability in Electron versions prior to 11.5.0, 12.1.0, and 13.3.0 that allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system.
How severe is CVE-2021-39184?
CVE-2021-39184 has a severity rating of 8.6, which is considered high.
Which versions of Electron are affected by CVE-2021-39184?
Electron versions prior to 11.5.0, 12.1.0, and 13.3.0 are affected by CVE-2021-39184.
Is there a fix for CVE-2021-39184?
Yes, updating to Electron version 11.5.0, 12.1.0, or 13.3.0 will fix the vulnerability.
Where can I find more information about CVE-2021-39184?
You can find more information about CVE-2021-39184 in the Electron GitHub pull request and security advisories: [link1](https://github.com/electron/electron/pull/30728), [link2](https://github.com/electron/electron/security/advisories/GHSA-mpjm-v997-c4h4).
- collector/nvd-index
- agent/references
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/author
- agent/severity
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/electronjs
- canonical/electronjs electron
- version/electronjs electron/10.1.0
- version/electronjs electron/12.0.0
- version/electronjs electron/13.0.0
- version/electronjs electron/14.0.0-beta1
- version/electronjs electron/14.0.0-beta10
- version/electronjs electron/14.0.0-beta11
- version/electronjs electron/14.0.0-beta12
- version/electronjs electron/14.0.0-beta13
- version/electronjs electron/14.0.0-beta14
- version/electronjs electron/14.0.0-beta15
- version/electronjs electron/14.0.0-beta16
- version/electronjs electron/14.0.0-beta17
- version/electronjs electron/14.0.0-beta18
- version/electronjs electron/14.0.0-beta19
- version/electronjs electron/14.0.0-beta2
- version/electronjs electron/14.0.0-beta20
- version/electronjs electron/14.0.0-beta21
- version/electronjs electron/14.0.0-beta22
- version/electronjs electron/14.0.0-beta23
- version/electronjs electron/14.0.0-beta24
- version/electronjs electron/14.0.0-beta25
- version/electronjs electron/14.0.0-beta3
- version/electronjs electron/14.0.0-beta4
- version/electronjs electron/14.0.0-beta5
- version/electronjs electron/14.0.0-beta6
- version/electronjs electron/14.0.0-beta7
- version/electronjs electron/14.0.0-beta8
- version/electronjs electron/14.0.0-beta9
- version/electronjs electron/15.0.0-alpha1
- version/electronjs electron/15.0.0-alpha2
- version/electronjs electron/15.0.0-alpha3
- version/electronjs electron/15.0.0-alpha4
- version/electronjs electron/15.0.0-alpha5
- version/electronjs electron/15.0.0-alpha6
- version/electronjs electron/15.0.0-alpha7
- version/electronjs electron/15.0.0-alpha8
- version/electronjs electron/15.0.0-alpha9