Lucene search

K
archlinux
ArchLinuxASA-202106-47
HistoryJun 22, 2021 - 12:00 a.m.

[ASA-202106-47] vivaldi: arbitrary code execution

2021-06-2200:00:00
security.archlinux.org
165

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.033 Low

EPSS

Percentile

91.0%

Arch Linux Security Advisory ASA-202106-47

Severity: High
Date : 2021-06-22
CVE-ID : CVE-2021-30554 CVE-2021-30555 CVE-2021-30556 CVE-2021-30557
Package : vivaldi
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-2082

Summary

The package vivaldi before version 4.0.2312.33-1 is vulnerable to
arbitrary code execution.

Resolution

Upgrade to 4.0.2312.33-1.

pacman -Syu “vivaldi>=4.0.2312.33-1”

The problems have been fixed upstream in version 4.0.2312.33.

Workaround

None.

Description

  • CVE-2021-30554 (arbitrary code execution)

A use after free security issue has been found in the WebGL component
of the Chromium browser engine before version 91.0.4472.114. Google is
aware that an exploit for CVE-2021-30554 exists in the wild.

  • CVE-2021-30555 (arbitrary code execution)

A use after free security issue has been found in the Sharing component
of the Chromium browser engine before version 91.0.4472.114.

  • CVE-2021-30556 (arbitrary code execution)

A use after free security issue has been found in the WebAudio
component of the Chromium browser engine before version 91.0.4472.114.

  • CVE-2021-30557 (arbitrary code execution)

A use after free security issue has been found in the TabGroups
component of the Chromium browser engine before version 91.0.4472.114.

Impact

A remote attacker could execute arbitrary code through a crafted web
page. Google is aware that an exploit for one of the security issues
exists in the wild.

References

https://vivaldi.com/blog/desktop/minor-update-for-vivaldi-desktop-browser-4-0/
https://vivaldi.com/blog/desktop/minor-update-3-for-vivaldi-desktop-browser-4-0/
https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html
https://crbug.com/1219857
https://crbug.com/1215029
https://crbug.com/1212599
https://crbug.com/1202102
https://security.archlinux.org/CVE-2021-30554
https://security.archlinux.org/CVE-2021-30555
https://security.archlinux.org/CVE-2021-30556
https://security.archlinux.org/CVE-2021-30557

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanyvivaldi< 4.0.2312.33-1UNKNOWN
Use Vulners API to create your own security tool

API usage cases
  • Network scanning
  • Linux Patch management
  • Threat protection
  • No network audit solution

Ways of integration

Integrate Vulners API

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.033 Low

EPSS

Percentile

91.0%

Related for ASA-202106-47