CVE-2017-16151 - Vulnerability Details

Vendors	Products
Electronjs	Electron

Link	Providers
https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix
https://nodesecurity.io/advisories/539

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "electron node module", "vendor": "HackerOne", "versions": [{"status": "affected", "version": "< 1.6.14 || >= 1.7.0 < 1.7.8"}]}], "datePublic": "2018-04-26T00:00:00", "descriptions": [{"lang": "en", "value": "Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Code Injection (CWE-94)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-06-07T01:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix"}, {"tags": ["x_refsource_MISC"], "url": "https://nodesecurity.io/advisories/539"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2018-04-26T00:00:00", "ID": "CVE-2017-16151", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "electron node module", "version": {"version_data": [{"version_value": "< 1.6.14 || >= 1.7.0 < 1.7.8"}]}}]}, "vendor_name": "HackerOne"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Code Injection (CWE-94)"}]}]}, "references": {"reference_data": [{"name": "https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix", "refsource": "MISC", "url": "https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix"}, {"name": "https://nodesecurity.io/advisories/539", "refsource": "MISC", "url": "https://nodesecurity.io/advisories/539"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:20:04.765Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nodesecurity.io/advisories/539"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2017-16151", "datePublished": "2018-06-07T02:00:00Z", "dateReserved": "2017-10-29T00:00:00", "dateUpdated": "2024-09-16T16:54:03.710Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : electron node module (string)

vendor : HackerOne (string)

versions : [ »

0 : { »

status : affected (string)

version : < 1.6.14 || >= 1.7.0 < 1.7.8 (string)

}

]

}

]

datePublic : 2018-04-26T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-94 (string)

description : Code Injection (CWE-94) (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2018-06-07T01:57:01 (string)

orgId : 36234546-b8fa-4601-9d6f-f4e334aa8ea1 (string)

shortName : hackerone (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://nodesecurity.io/advisories/539 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : support@hackerone.com (string)

DATE_PUBLIC : 2018-04-26T00:00:00 (string)

ID : CVE-2017-16151 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : electron node module (string)

version : { »

version_data : [ »

0 : { »

version_value : < 1.6.14 || >= 1.7.0 < 1.7.8 (string)

}

]

}

]

}

vendor_name : HackerOne (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Code Injection (CWE-94) (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix (string)

refsource : MISC (string)

url : https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix (string)

}

1 : { »

name : https://nodesecurity.io/advisories/539 (string)

refsource : MISC (string)

url : https://nodesecurity.io/advisories/539 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-05T20:20:04.765Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://nodesecurity.io/advisories/539 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 36234546-b8fa-4601-9d6f-f4e334aa8ea1 (string)

assignerShortName : hackerone (string)

cveId : CVE-2017-16151 (string)

datePublished : 2018-06-07T02:00:00Z (string)

dateReserved : 2017-10-29T00:00:00 (string)

dateUpdated : 2024-09-16T16:54:03.710Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7EEDBBA6-CABB-4796-A747-E86973C6CC8B", "versionEndExcluding": "1.7.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled."}, {"lang": "es", "value": "En base a los detalles proporcionados por el equipo ElectronJS, se ha descubierto una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en Google Chromium que afecta a todas las versiones recientes de Electron. Cualquier aplicaci\u00f3n de Electron que acceda a contenido remoto es vulnerable a este exploit, independientemente de si la [opci\u00f3n sandbox] (https://electron.atom.io/docs/api/sandbox-option) est\u00e1 habilitada."}], "id": "CVE-2017-16151", "lastModified": "2024-11-21T03:15:55.420", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-07T02:29:04.487", "references": [{"source": "support@hackerone.com", "tags": ["Broken Link"], "url": "https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://nodesecurity.io/advisories/539"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://nodesecurity.io/advisories/539"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:* (string)

matchCriteriaId : 7EEDBBA6-CABB-4796-A747-E86973C6CC8B (string)

versionEndExcluding : 1.7.8 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled. (string)

}

1 : { »

lang : es (string)

value : En base a los detalles proporcionados por el equipo ElectronJS, se ha descubierto una vulnerabilidad de ejecución remota de código en Google Chromium que afecta a todas las versiones recientes de Electron. Cualquier aplicación de Electron que acceda a contenido remoto es vulnerable a este exploit, independientemente de si la [opción sandbox] (https://electron.atom.io/docs/api/sandbox-option) está habilitada. (string)

}

]

id : CVE-2017-16151 (string)

lastModified : 2024-11-21T03:15:55.420 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : true (boolean)

baseSeverity : HIGH (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : PARTIAL (string)

baseScore : 7.5 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:L/Au:N/C:P/I:P/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 6.4 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV30 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 9.8 (number)

baseSeverity : CRITICAL (string)

confidentialityImpact : HIGH (string)

integrityImpact : HIGH (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (string)

version : 3.0 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 5.9 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2018-06-07T02:29:04.487 (string)

references : [ »

0 : { »

source : support@hackerone.com (string)

tags : [ »

0 : Broken Link (string)

]

url : https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix (string)

}

1 : { »

source : support@hackerone.com (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://nodesecurity.io/advisories/539 (string)

}

2 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Broken Link (string)

]

url : https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://nodesecurity.io/advisories/539 (string)

}

]

sourceIdentifier : support@hackerone.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-94 (string)

}

]

source : support@hackerone.com (string)

type : Secondary (string)

}

1 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-94 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object