CVE-2021-28154

Name of the Vulnerable Software and Affected Versions: Camunda Modeler versions through 4.6.0

Description: The issue allows arbitrary file access. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which manipulates the readFile and writeFile APIs. The vendor states that the app is secured in a way that it does not allow any remote scripts to be opened, no unsafe scripts to be evaluated, and no remote sites to be browsed.

Recommendations: For Camunda Modeler versions through 4.6.0, consider disabling the ipcRenderer IPC interface as a temporary workaround until a patch is available. Restrict access to the readFile and writeFile APIs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.