Main Vulnerability Database SB2018060726

SB2018060726 - Code Injection in Electron Electron

Published: June 7, 2018 Updated: July 17, 2020

Security Bulletin ID SB2018060726

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Code Injection (CVE-ID: CVE-2017-16151)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled.

Remediation

Install update from vendor's website.

References

https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix
https://nodesecurity.io/advisories/539