GMS-2022-276: Execution with Unnecessary Privileges in arc-electron

March 3, 2022 (updated March 8, 2022)

When the end-user click on the response header that contains a link the target will be opened in ARC new window. This window will have the default preload script loaded which allows the scripts embedded in the link target to execute any logic that ARC has access to from the renderer process, which includes file system access, data store access (which may contain sensitive information), and some additional processes that only ARC should have access to.

References

github.com/advanced-rest-client/arc-electron/security/advisories/GHSA-v3wr-67px-44xg
github.com/advisories/GHSA-v3wr-67px-44xg

Code Behaviors & Features

Detect and mitigate GMS-2022-276 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →