ArchLinuxASA-201806-4[ASA-201806-4] chromium: access restriction bypass
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
39.3%
Arch Linux Security Advisory ASA-201806-4
Severity: High
Date : 2018-06-07
CVE-ID : CVE-2018-6148
Package : chromium
Type : access restriction bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-712
Summary
The package chromium before version 67.0.3396.79-1 is vulnerable to
access restriction bypass.
Resolution
Upgrade to 67.0.3396.79-1.
pacman -Syu “chromium>=67.0.3396.79-1”
The problem has been fixed upstream in version 67.0.3396.79.
Workaround
None.
Description
An incorrect handling of CSP header has been found in chromium before
67.0.3396.79.
Impact
A remote attacker can bypass the content security policy.
References
https://chromereleases.googleblog.com/2018/06/stable-channel-update-for-desktop.html
https://crbug.com/845961
https://security.archlinux.org/CVE-2018-6148
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
39.3%