CVE-2023-49314

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

sana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.

References

Link	Resource
https://asana.com/pt/download	Product
https://github.com/electron/fuses	Product
https://github.com/louiselalanne/CVE-2023-49314	Third Party Advisory
https://github.com/r3ggi/electroniz3r	Product
https://www.electronjs.org/blog/statement-run-as-node-cves
https://www.electronjs.org/docs/latest/tutorial/fuses	Technical Description
https://asana.com/pt/download	Product
https://github.com/electron/fuses	Product
https://github.com/louiselalanne/CVE-2023-49314	Third Party Advisory
https://github.com/r3ggi/electroniz3r	Product
https://www.electronjs.org/blog/statement-run-as-node-cves
https://www.electronjs.org/docs/latest/tutorial/fuses	Technical Description

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:asana:desktop:2.1.0:*:*:*:*:*:*:*

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:33

Type	Values Removed	Values Added
References	~~() https://asana.com/pt/download - Product~~	() https://asana.com/pt/download - Product
References	~~() https://github.com/electron/fuses - Product~~	() https://github.com/electron/fuses - Product
References	~~() https://github.com/louiselalanne/CVE-2023-49314 - Third Party Advisory~~	() https://github.com/louiselalanne/CVE-2023-49314 - Third Party Advisory
References	~~() https://github.com/r3ggi/electroniz3r - Product~~	() https://github.com/r3ggi/electroniz3r - Product
References	~~() https://www.electronjs.org/blog/statement-run-as-node-cves -~~	() https://www.electronjs.org/blog/statement-run-as-node-cves -
References	~~() https://www.electronjs.org/docs/latest/tutorial/fuses - Technical Description~~	() https://www.electronjs.org/docs/latest/tutorial/fuses - Technical Description

Information

Published : 2023-11-28 15:15

Updated : 2024-11-21 08:33

NVD link : CVE-2023-49314

Mitre link : CVE-2023-49314

CVE.ORG link : CVE-2023-49314

JSON object : View

Products Affected

apple

macos

asana

desktop

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

7.8 /10