Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.
References
Link | Resource |
---|---|
https://asana.com/pt/download | Product |
https://github.com/electron/fuses | Product |
https://github.com/louiselalanne/CVE-2023-49314 | Third Party Advisory |
https://github.com/r3ggi/electroniz3r | Product |
https://www.electronjs.org/blog/statement-run-as-node-cves | |
https://www.electronjs.org/docs/latest/tutorial/fuses | Technical Description |
https://asana.com/pt/download | Product |
https://github.com/electron/fuses | Product |
https://github.com/louiselalanne/CVE-2023-49314 | Third Party Advisory |
https://github.com/r3ggi/electroniz3r | Product |
https://www.electronjs.org/blog/statement-run-as-node-cves | |
https://www.electronjs.org/docs/latest/tutorial/fuses | Technical Description |
Configurations
Configuration 1 (hide)
AND |
|
History
21 Nov 2024, 08:33
Type | Values Removed | Values Added |
---|---|---|
References | () https://asana.com/pt/download - Product | |
References | () https://github.com/electron/fuses - Product | |
References | () https://github.com/louiselalanne/CVE-2023-49314 - Third Party Advisory | |
References | () https://github.com/r3ggi/electroniz3r - Product | |
References | () https://www.electronjs.org/blog/statement-run-as-node-cves - | |
References | () https://www.electronjs.org/docs/latest/tutorial/fuses - Technical Description |
16 Feb 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
29 Jan 2024, 20:55
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
04 Dec 2023, 19:02
Type | Values Removed | Values Added |
---|---|---|
References | () https://www.electronjs.org/docs/latest/tutorial/fuses - Technical Description | |
References | () https://asana.com/pt/download - Product | |
References | () https://github.com/louiselalanne/CVE-2023-49314 - Third Party Advisory | |
References | () https://github.com/electron/fuses - Product | |
References | () https://github.com/r3ggi/electroniz3r - Product | |
CPE | cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* cpe:2.3:a:asana:desktop:2.1.0:*:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CWE | CWE-94 |
28 Nov 2023, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-28 15:15
Updated : 2024-11-21 08:33
NVD link : CVE-2023-49314
Mitre link : CVE-2023-49314
CVE.ORG link : CVE-2023-49314
JSON object : View
Products Affected
asana
- desktop
apple
- macos
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')