ASA-2019-00646 – Electron: Chromium WebAudio Use-After-Free Vulnerability


Allele Security Alert

ASA-2019-00646

Identifier(s)

ASA-2019-00646, CVE-2019-13720

Title

Chromium WebAudio Use-After-Free Vulnerability

Vendor(s)

GitHub Inc

Product(s)

Electron

Affected version(s)

Electron versions before 6.1.4

Fixed version(s)

Electron version 6.1.4

Proof of concept

Yes

Description

A vulnerability has been discovered in Chrome which affects all software based on Chromium, including Electron.

Use-after-free in WebAudio in Google Chrome allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Technical details

Unknown

Credits

Anton Ivanov and Alexey Kulaev (Kaspersky Labs)

Reference(s)

Chromium WebAudio Vulnerability Fix (CVE-2019-13720) | Electron Blog
https://electronjs.org/blog/cve-2019-13720

Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html

CVE-2019-13720 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-13720

CVE-2019-13720 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13720.html

CVE-2019-13720
https://security-tracker.debian.org/tracker/CVE-2019-13720

CVE-2019-13720 | SUSE
https://www.suse.com/security/cve/CVE-2019-13720

CVE-2019-13720
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13720

CVE-2019-13720
https://nvd.nist.gov/vuln/detail/CVE-2019-13720

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: December 9, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.