Vulnerability Description
GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atom | Electron | 1.8.2 |
| Microsoft | Windows 10 | - |
| Microsoft | Windows 7 | - |
| Microsoft | Windows Server 2008 | - |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/102796Third Party AdvisoryVDB Entry
- https://electronjs.org/blog/protocol-handler-fixMitigationThird Party Advisory
- https://github.com/electron/electron/releases/tag/v1.8.2-beta.4PatchThird Party Advisory
- https://medium.com/%40Wflki/exploiting-electron-rce-in-exodus-wallet-d9e6db13c37
- https://www.exploit-db.com/exploits/43899/ExploitThird Party AdvisoryVDB Entry
- https://www.exploit-db.com/exploits/44357/
- http://www.securityfocus.com/bid/102796Third Party AdvisoryVDB Entry
- https://electronjs.org/blog/protocol-handler-fixMitigationThird Party Advisory
- https://github.com/electron/electron/releases/tag/v1.8.2-beta.4PatchThird Party Advisory
- https://medium.com/%40Wflki/exploiting-electron-rce-in-exodus-wallet-d9e6db13c37
- https://www.exploit-db.com/exploits/43899/ExploitThird Party AdvisoryVDB Entry
- https://www.exploit-db.com/exploits/44357/
FAQ
What is CVE-2018-1000006?
CVE-2018-1000006 is a vulnerability with a CVSS score of 8.8 (HIGH). GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that ...
How severe is CVE-2018-1000006?
CVE-2018-1000006 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1000006?
Check the references section above for vendor advisories and patch information. Affected products include: Atom Electron, Microsoft Windows 10, Microsoft Windows 7, Microsoft Windows Server 2008.