Lucene search

K
archlinuxArchLinuxASA-202101-20
HistoryJan 12, 2021 - 12:00 a.m.

[ASA-202101-20] vivaldi: multiple issues

2021-01-1200:00:00
security.archlinux.org
109
vivaldi browser
security issues
arbitrary code execution
access restriction bypass
insufficient validation

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS

0.01

Percentile

84.2%

Arch Linux Security Advisory ASA-202101-20

Severity: High
Date : 2021-01-12
CVE-ID : CVE-2020-15995 CVE-2020-16043 CVE-2021-21106 CVE-2021-21107
CVE-2021-21108 CVE-2021-21109 CVE-2021-21110 CVE-2021-21111
CVE-2021-21112 CVE-2021-21113 CVE-2021-21114 CVE-2021-21115
CVE-2021-21116
Package : vivaldi
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1424

Summary

The package vivaldi before version 3.5.2115.87-1 is vulnerable to
multiple issues including access restriction bypass, arbitrary code
execution and insufficient validation.

Resolution

Upgrade to 3.5.2115.87-1.

pacman -Syu “vivaldi>=3.5.2115.87-1”

The problems have been fixed upstream in version 3.5.2115.87.

Workaround

None.

Description

  • CVE-2020-15995 (arbitrary code execution)

An out of bounds write security issue has been found in the V8
component of the Chromium browser before version 87.0.4280.141.

  • CVE-2020-16043 (insufficient validation)

An insufficient data validation security issue has been found in the
networking component of the Chromium browser before version
87.0.4280.141.

  • CVE-2021-21106 (arbitrary code execution)

A use after free security issue has been found in the autofill
component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21107 (arbitrary code execution)

A use after free security issue has been found in the drag and drop
component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21108 (arbitrary code execution)

A use after free security issue has been found in the media component
of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21109 (arbitrary code execution)

A use after free security issue has been found in the payments
component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21110 (arbitrary code execution)

A use after free security issue has been found in the safe browsing
component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21111 (access restriction bypass)

An insufficient policy enforcement security issue has been found in the
WebUI component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21112 (arbitrary code execution)

A use after free security issue has been found in the Blink component
of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21113 (arbitrary code execution)

A heap buffer overflow security issue has been found in the Skia
component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21114 (arbitrary code execution)

A use after free security issue has been found in the audio component
of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21115 (arbitrary code execution)

A use after free security issue has been found in the safe browsing
component of the Chromium browser before version 87.0.4280.141.

  • CVE-2021-21116 (arbitrary code execution)

A heap buffer overflow security issue has been found in the audio
component of the Chromium browser before version 87.0.4280.141.

Impact

A remote attacker might be able to bypass security restrictions and
execute arbitrary code.

References

https://vivaldi.com/blog/desktop/minor-update-for-vivaldi-desktop-browser-3-5/
https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html
https://crbug.com/1157790
https://crbug.com/1148309
https://crbug.com/1148749
https://crbug.com/1153595
https://crbug.com/1155426
https://crbug.com/1152334
https://crbug.com/1152451
https://crbug.com/1149125
https://crbug.com/1151298
https://crbug.com/1155178
https://crbug.com/1150065
https://crbug.com/1157814
https://crbug.com/1151069
https://security.archlinux.org/CVE-2020-15995
https://security.archlinux.org/CVE-2020-16043
https://security.archlinux.org/CVE-2021-21106
https://security.archlinux.org/CVE-2021-21107
https://security.archlinux.org/CVE-2021-21108
https://security.archlinux.org/CVE-2021-21109
https://security.archlinux.org/CVE-2021-21110
https://security.archlinux.org/CVE-2021-21111
https://security.archlinux.org/CVE-2021-21112
https://security.archlinux.org/CVE-2021-21113
https://security.archlinux.org/CVE-2021-21114
https://security.archlinux.org/CVE-2021-21115
https://security.archlinux.org/CVE-2021-21116

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanyvivaldi< 3.5.2115.87-1UNKNOWN

References

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS

0.01

Percentile

84.2%