CVE-2016-1202

low-risk

Published 2016-04-25

Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.8/10 High

LOCAL / LOW complexity

Affected Products (1)

Electron

Affected Vendors

Atom

References (8)

Vendor Advisory http://jvn.jp/en/jp/JVN00324715/index.html

Vendor Advisory http://jvndb.jvn.jp/jvndb/JVNDB-2016-000054

https://github.com/electron/electron/commit/9a2e2b365d061ec10cd861391fd5b1344af7...

https://github.com/electron/electron/pull/2976

Vendor Advisory http://jvn.jp/en/jp/JVN00324715/index.html

Vendor Advisory http://jvndb.jvn.jp/jvndb/JVNDB-2016-000054

https://github.com/electron/electron/commit/9a2e2b365d061ec10cd861391fd5b1344af7...

https://github.com/electron/electron/pull/2976

/ 100

low-risk

Severity 24/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal