CVE-2017-16151 - OpenCVE

Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Electronjs	Electron

Configuration 1 [-]

cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix
https://nodesecurity.io/advisories/539

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2018-06-07T02:00:00Z

Updated: 2024-09-16T16:54:03.710Z

Reserved: 2017-10-29T00:00:00

Link: CVE-2017-16151

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-06-07T02:29:04.487

Modified: 2019-10-09T23:24:51.487

Link: CVE-2017-16151

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "electron node module", "vendor": "HackerOne", "versions": [{"status": "affected", "version": "< 1.6.14 || >= 1.7.0 < 1.7.8"}]}], "datePublic": "2018-04-26T00:00:00", "descriptions": [{"lang": "en", "value": "Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Code Injection (CWE-94)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-06-07T01:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix"}, {"tags": ["x_refsource_MISC"], "url": "https://nodesecurity.io/advisories/539"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2018-04-26T00:00:00", "ID": "CVE-2017-16151", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "electron node module", "version": {"version_data": [{"version_value": "< 1.6.14 || >= 1.7.0 < 1.7.8"}]}}]}, "vendor_name": "HackerOne"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Code Injection (CWE-94)"}]}]}, "references": {"reference_data": [{"name": "https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix", "refsource": "MISC", "url": "https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix"}, {"name": "https://nodesecurity.io/advisories/539", "refsource": "MISC", "url": "https://nodesecurity.io/advisories/539"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:20:04.765Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nodesecurity.io/advisories/539"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2017-16151", "datePublished": "2018-06-07T02:00:00Z", "dateReserved": "2017-10-29T00:00:00", "dateUpdated": "2024-09-16T16:54:03.710Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7EEDBBA6-CABB-4796-A747-E86973C6CC8B", "versionEndExcluding": "1.7.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled."}, {"lang": "es", "value": "En base a los detalles proporcionados por el equipo ElectronJS, se ha descubierto una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en Google Chromium que afecta a todas las versiones recientes de Electron. Cualquier aplicaci\u00f3n de Electron que acceda a contenido remoto es vulnerable a este exploit, independientemente de si la [opci\u00f3n sandbox] (https://electron.atom.io/docs/api/sandbox-option) est\u00e1 habilitada."}], "id": "CVE-2017-16151", "lastModified": "2019-10-09T23:24:51.487", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-07T02:29:04.487", "references": [{"source": "support@hackerone.com", "tags": ["Broken Link"], "url": "https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://nodesecurity.io/advisories/539"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "support@hackerone.com", "type": "Secondary"}]}