CVE-2018-1000006

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 25-01-2018 12:29

Last modified: - 03-10-2022 05:45

Total changes: - 2

Description

GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.

Common Vulnerability Scoring System (CVSS)

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Low

Attack complexity

Network

Attack vector

High

Availability

High

Confidentiality

High

Integrity

None

Privileges required

Unchanged

Scope

Required

User interaction

8.8

Base score

2.8

5.9

Exploitability score

Impact score

Verification logic

Reference

https://github.com/electron/electron/releases/tag/v1.8.2-beta.4
https://medium.com/@Wflki/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374
102796-Third Party Advisory, VDB Entry
43899-Exploit, Third Party Advisory, VDB Entry
https://electronjs.org/blog/protocol-handler-fix
44357-

Keywords

CVE-2018-1000006

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2018-1000006

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures