CVE-2023-49314

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.

Configurations

Configuration 1

AND
cpe:2.3:a:asana:desktop:2.1.0:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:33

| Type | Values Removed | Values Added |
|---|---|---|
| References | https://asana.com/pt/download - Product | https://asana.com/pt/download - Product |
| References | https://github.com/electron/fuses - Product | https://github.com/electron/fuses - Product |
| References | https://github.com/louiselalanne/CVE-2023-49314 - Third Party Advisory | https://github.com/louiselalanne/CVE-2023-49314 - Third Party Advisory |
| References | https://github.com/r3ggi/electroniz3r - Product | https://github.com/r3ggi/electroniz3r - Product |
| References | https://www.electronjs.org/blog/statement-run-as-node-cves | https://www.electronjs.org/blog/statement-run-as-node-cves |
| References | https://www.electronjs.org/docs/latest/tutorial/fuses - Technical Description | https://www.electronjs.org/docs/latest/tutorial/fuses - Technical Description |

16 Feb 2024, 16:15

| Type | Values Removed | Values Added |
|---|---|---|
| References | | https://www.electronjs.org/blog/statement-run-as-node-cves |

29 Jan 2024, 20:55

| Type | Values Removed | Values Added |
|---|---|---|
| CVSS | v2 : unknown; v3 : 9.8 | v2 : unknown; v3 : 7.8 |

04 Dec 2023, 19:02

| Type | Values Removed | Values Added |
|---|---|---|
| References | https://www.electronjs.org/docs/latest/tutorial/fuses | https://www.electronjs.org/docs/latest/tutorial/fuses - Technical Description |
| References | https://asana.com/pt/download | https://asana.com/pt/download - Product |
| References | https://github.com/louiselalanne/CVE-2023-49314 | https://github.com/louiselalanne/CVE-2023-49314 - Third Party Advisory |
| References | https://github.com/electron/fuses | https://github.com/electron/fuses - Product |
| References | https://github.com/r3ggi/electroniz3r | https://github.com/r3ggi/electroniz3r - Product |
| CPE | | cpe:2.3:o:apple:macos:-:\*:\*:\*:\*:\*:\*:\*; cpe:2.3:a:asana:desktop:2.1.0:\*:\*:\*:\*:\*:\*:\* |
| CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 9.8 |
| CWE | | CWE-94 |

28 Nov 2023, 15:15

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2023-11-28 15:15

Updated : 2024-11-21 08:33


NVD link : CVE-2023-49314

Mitre link : CVE-2023-49314

CVE.ORG link : CVE-2023-49314



Products Affected

asana

  • desktop

apple

  • macos

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')