CVE-2017-16151

Published: Jun 7, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled.

Affected (1)

Products: Electronjs: Electron

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Electronjs Electron	Before 1.7.8

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (4)

https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix

Source: support@hackerone.com

Broken Link

https://nodesecurity.io/advisories/539

Source: support@hackerone.com

Third Party Advisory

https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://nodesecurity.io/advisories/539

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.