VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-vmzw-bf7n-sqbb

Essentials
Severities (39)
References (7)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-vmzw-bf7n-sqbb
Aliases	CVE-2022-36077 GHSA-p2jh-44qj-pf2v
Summary	Exfiltration of hashed SMB credentials on Windows via file:// redirect ### Impact When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as `file://some.website.com/`, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials. ### Patches This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes: - 21.0.0-beta.1 - 20.0.1 - 19.0.11 - 18.3.7 We recommend all apps upgrade to the latest stable version of Electron. ### Workarounds If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the `WebContents.on('will-redirect')` event, for all WebContents: ```js app.on('web-contents-created', (e, webContents) => { webContents.on('will-redirect', (e, url) => { if (/^file:/.test(url)) e.preventDefault() }) }) ``` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org). ### Credit Thanks to user @coolcoolnoworries for reporting this issue.
Status	Published
Exploitability	0.5
Weighted Severity	6.5
Risk	3.2
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-200	Exposure of Sensitive Information to an Unauthorized Actor
CWE-522	Insufficiently Protected Credentials
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	5.4	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36077.json
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00086	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00092	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00092	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00092	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00092	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00092	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00092	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00092	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00092	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
epss	0.00092	https://api.first.org/data/v1/epss?cve=CVE-2022-36077
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-p2jh-44qj-pf2v
cvssv3.1	5.4	https://github.com/electron/electron
generic_textual	MODERATE	https://github.com/electron/electron
cvssv3.1	5.4	https://github.com/electron/electron/security/advisories/GHSA-p2jh-44qj-pf2v
cvssv3.1	7.2	https://github.com/electron/electron/security/advisories/GHSA-p2jh-44qj-pf2v
cvssv3.1_qr	MODERATE	https://github.com/electron/electron/security/advisories/GHSA-p2jh-44qj-pf2v
generic_textual	MODERATE	https://github.com/electron/electron/security/advisories/GHSA-p2jh-44qj-pf2v
ssvc	Track	https://github.com/electron/electron/security/advisories/GHSA-p2jh-44qj-pf2v
cvssv3.1	5.4	https://nvd.nist.gov/vuln/detail/CVE-2022-36077
cvssv3.1	6.1	https://nvd.nist.gov/vuln/detail/CVE-2022-36077
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2022-36077

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36077.json
		https://api.first.org/data/v1/epss?cve=CVE-2022-36077
		https://github.com/electron/electron
		https://github.com/electron/electron/security/advisories/GHSA-p2jh-44qj-pf2v
		https://nvd.nist.gov/vuln/detail/CVE-2022-36077
2141029		https://bugzilla.redhat.com/show_bug.cgi?id=2141029
GHSA-p2jh-44qj-pf2v		https://github.com/advisories/GHSA-p2jh-44qj-pf2v

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36077.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L Found at https://github.com/electron/electron

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L Found at https://github.com/electron/electron/security/advisories/GHSA-p2jh-44qj-pf2v

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L Found at https://github.com/electron/electron/security/advisories/GHSA-p2jh-44qj-pf2v

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:49:23Z/ Found at https://github.com/electron/electron/security/advisories/GHSA-p2jh-44qj-pf2v

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2022-36077

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-36077

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.23386
EPSS Score	0.00075
Published At	July 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T09:04:34.135276+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p2jh-44qj-pf2v/GHSA-p2jh-44qj-pf2v.json	37.0.0