Lucene search

K
kasperskyKaspersky LabKLA11550
HistorySep 10, 2019 - 12:00 a.m.

KLA11550 Multiple vulnerabilities in Google Chrome

2019-09-1000:00:00
Kaspersky Lab
threats.kaspersky.com
69

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

8.3

Confidence

High

EPSS

0.003

Percentile

66.0%

Multiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, bypass security restrictions and spoof user interface.

Below is a complete list of vulnerabilities:

  1. Use-after-free vulnerability in media component can be exploited to execute arbitrary code;
  2. Heap overflow vulnerability in Mojo component can be exploited to execute arbitrary code;
  3. Unspecified vulnerability can be exploited via trigger other browser to bypass security restrictions;
  4. URL bar spoof vulnerability can be exploited via download redirect to spoof user interface;
  5. Out-of-bounds access vulnerability in V8 component can be exploited to bypass security restrictions;
  6. Use-after-free vulnerability in V8 component can be exploited to execute arbitrary code;
  7. Unspecified vulnerability can be exploited via bypass same origin policy to bypass security restrictions;
  8. Unspecified vulnerability can be exploited via SameSite cookie bypass to bypass security restrictions;
  9. Unspecified vulnerability in SwiftShader component can be exploited via arbitrary read to bypass security restrictions;
  10. Unspecified vulnerability can be exploited via URL spoof to spoof user interface;
  11. Unspecified vulnerability can be exploited via full screen notification overlap to bypass security restrictions;
  12. Unspecified vulnerability can be exploited via CSP spoof to spoof user interface;
  13. Unspecified vulnerability can be exploited via full screen notification spoof to spoof user interface;
  14. Unspecified vulnerability can be exploited via IDN spoof to spoof user interface;
  15. Unspecified vulnerability can be exploited via CSRF bypass to bypass security restrictions;
  16. Unspecified vulnerability can be exploited via multiple file download to bypass security restrictions;
  17. Unspecified vulnerability can be exploited via using storage size estimate by side channel to bypass security restrictions;
  18. URI bar spoofing vulnerability can be exploited via using external app URIs to spoof user interface;
  19. Unspecified vulnerability can be exploited via global window leak via console to bypass security restrictions;
  20. Unspecified vulnerability can be exploited via HTTP authentication spoof to spoof user interface;
  21. Memory corruption vulnerability in V8 component can be exploited to execute arbitrary code;
  22. Unspecified vulnerability can be exploited via dialog box failing to show origin to bypass security restrictions;
  23. Unspecified vulnerability can be exploited via cross-origin information leak using devtools to bypass security restrictions;
  24. Unspecified vulnerability can be exploited via extensions disable by trailing slash to bypass security restrictions;
  25. Unspecified vulnerability can be exploited via shown for certificate warning to bypass security restrictions;
  26. Unspecified vulnerability can be exploited to bypass security restrictions;
  27. Unspecified vulnerability can be exploited via download dialog spoofing to spoof user interface;
  28. Unspecified vulnerability can be exploited via IP address spoofing to servers to spoof user interface;
  29. Unspecified vulnerability can be exploited via downloading to bypass security restrictions;
  30. Unspecified vulnerability can be exploited via site isolation bypass to bypass security restrictions;
  31. Unspecified vulnerability can be exploited via exceptions leaked by devtools to bypass security restrictions;

Original advisories

Stable Channel Update for Desktop

Related products

Google-Chrome

CVE list

CVE-2019-5870 high

CVE-2019-5871 high

CVE-2019-5872 warning

CVE-2019-5873 warning

CVE-2019-5874 high

CVE-2019-5875 warning

CVE-2019-5876 high

CVE-2019-5877 high

CVE-2019-5878 high

CVE-2019-5879 warning

CVE-2019-5880 warning

CVE-2019-5881 high

CVE-2019-13659 warning

CVE-2019-13660 warning

CVE-2019-13661 warning

CVE-2019-13662 warning

CVE-2019-13663 warning

CVE-2019-13664 warning

CVE-2019-13665 warning

CVE-2019-13666 warning

CVE-2019-13667 warning

CVE-2019-13668 warning

CVE-2019-13669 warning

CVE-2019-13670 warning

CVE-2019-13671 warning

CVE-2019-13673 warning

CVE-2019-13674 warning

CVE-2019-13675 warning

CVE-2019-13676 warning

CVE-2019-13677 warning

CVE-2019-13678 warning

CVE-2019-13679 warning

CVE-2019-13680 warning

CVE-2019-13681 warning

CVE-2019-13682 high

CVE-2019-13683 warning

CVE-2019-13691 warning

CVE-2019-13692 high

CVE-2019-13766 warning

Solution

Update to the latest version

Google Chrome download page

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

  • Google Chrome prior to 77.0.3865.75

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

8.3

Confidence

High

EPSS

0.003

Percentile

66.0%