Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.GOOGLE_CHROME_55_0_2883_75.NASL
HistoryDec 02, 2016 - 12:00 a.m.

Google Chrome < 55.0.2883.75 Multiple Vulnerabilities

2016-12-0200:00:00
This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
36
JSON

The version of Google Chrome installed on the remote Windows host is prior to 55.0.2883.75. It is, therefore, affected by the following vulnerabilities :

  • A use-after-free error exists in PDFium in the Document::removeField() function within file fpdfsdk/javascript/Document.cpp when removing fields within a document. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code.
    (CVE-2016-5203)

  • A universal cross-site scripting (XSS) vulnerability exists in Blink due to improper handling of the ‘use’ SVG element when calling event listeners on a cloned node. An unauthenticated, remote attacker can exploit this to execute arbitrary script code in a user’s browser session. (CVE-2016-5204)

  • A universal cross-site scripting (XSS) vulnerability exists in Blink due to permitting frame swaps during frame detach. An unauthenticated, remote attacker can exploit this to execute arbitrary script code in a user’s browser session. (CVE-2016-5205)

  • A security bypass vulnerability exists in PDFium due to a flaw in the DocumentLoader::GetRequest() function within file pdf/document_loader.cc when handling redirects in the plugin. An unauthenticated, remote attacker can exploit this to bypass the same-origin policy. (CVE-2016-5206)

  • A universal cross-site scripting (XSS) vulnerability exists in Blink, specifically in the V8EventListener::getListenerFunction() function within file bindings/core/v8/V8EventListener.cpp, due to allowing the ‘handleEvent’ getter to run on forbidden scripts. An unauthenticated, remote attacker can exploit this to execute arbitrary script code in a user’s browser session. (CVE-2016-5207)

  • A universal cross-site scripting (XSS) vulnerability exists in Blink due to improper handling of triggered events (e.g., closing a color chooser for an input element). An unauthenticated, remote attacker can exploit this to execute arbitrary script code in a user’s browser session. (CVE-2016-5208)

  • An out-of-bounds write error exists in Blink due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5209)

  • An out-of-bounds write error exists in PDFium in the CWeightTable::GetPixelWeightSize() function within file core/fxge/dib/fx_dib_engine.cpp. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-5210)

  • An unspecified use-after-free error exists in PDFium due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code.
    (CVE-2016-5211)

  • A unspecified flaw exists in the DevTools component due to improper validation of certain URLs that allows an unauthenticated, remote attacker to disclose the content of arbitrary files. (CVE-2016-5212)

  • Multiple use-after-free errors exist in the inspector component in V8 that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-5213, CVE-2016-5219)

  • A file download protection bypass vulnerability exists when downloading files that involve ‘data:’ URIs, unknown URI schemes, or overly long URLs. An unauthenticated, remote attacker can exploit this to cause a file to be downloaded without applying the mark-of-the-web. (CVE-2016-5214)

  • A use-after-free error exists in WebAudio within file content/renderer/media/renderer_webaudiodevice_impl.cc due to improper handling of web audio. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-5215)

  • A use-after-free error exists in PDFium, specifically within file pdf/pdfium/pdfium_engine.cc, due to improper handling of non-visible page unloading. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-5216)

  • A flaw exists in PDFium due to the use of unvalidated data by the PDF helper extension. An authenticated, remote attacker can exploit this to have an unspecified impact. No other details are available. (CVE-2016-5217)

  • A flaw exists when handling chrome.tabs API navigations and displaying the pending URL. An unauthenticated, remote attacker can exploit this to spoof the Omnibox address. (CVE-2016-5218)

  • An information disclosure vulnerability exists in PDFium, due to improper handling of ‘file: navigation’, that allows an unauthenticated, remote attacker to disclose local files. (CVE-2016-5220)

  • An integer overflow condition exists in ANGLE due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2016-5221)

  • A flaw exists in the NavigatorImpl::NavigateToEntry() function within file frame_host/navigator_impl.cc due to improper handling of invalid URLs. An unauthenticated, remote attacker can exploit this to spoof the Omnibox address. (CVE-2016-5222)

  • An integer overflow condition exists in PDFium within file core/fpdfapi/page/cpdf_page.cpp that allows an authenticated, remote attacker to have an unspecified impact. No other details are available. (CVE-2016-5223)

  • A security bypass vulnerability exists in the SVG component due to denorm handling not being disabled before calling Skia filter code. An unauthenticated, remote attacker can exploit this to bypass the same-origin policy. (CVE-2016-5224)

  • A flaw exists in Blink, specifically in the HTMLFormElement::scheduleFormSubmission() function within file html/HTMLFormElement.cpp, due to improper enforcement of the form-action CSP (Content Security Policy). An unauthenticated, remote attacker can exploit this to bypass intended access restrictions.
    (CVE-2016-5225)

  • A cross-site scripting (XSS) vulnerability exists in Blink within file ui/views/tabs/tab_strip.cc due to improper validation of input when dropping JavaScript URLs on a tab. An unauthenticated, remote attacker can exploit this to execute arbitrary script code in a user’s browser session. (CVE-2016-5226)

  • An unspecified flaw exists that allows an unauthenticated, remote attacker to disclose Content Security Policy (CSP) referrers. (CVE-2016-9650)

  • An unspecified flaw exists in V8 within lookup.cc that allows unauthorized private property access. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-9651)

  • Multiple other vulnerabilities exist, the most serious of which can be exploited by an authenticated, remote attacker to execute arbitrary code. (CVE-2016-9652)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(95480);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2016-5203",
    "CVE-2016-5204",
    "CVE-2016-5205",
    "CVE-2016-5206",
    "CVE-2016-5207",
    "CVE-2016-5208",
    "CVE-2016-5209",
    "CVE-2016-5210",
    "CVE-2016-5211",
    "CVE-2016-5212",
    "CVE-2016-5213",
    "CVE-2016-5214",
    "CVE-2016-5215",
    "CVE-2016-5216",
    "CVE-2016-5217",
    "CVE-2016-5218",
    "CVE-2016-5219",
    "CVE-2016-5220",
    "CVE-2016-5221",
    "CVE-2016-5222",
    "CVE-2016-5223",
    "CVE-2016-5224",
    "CVE-2016-5225",
    "CVE-2016-5226",
    "CVE-2016-9650",
    "CVE-2016-9651",
    "CVE-2016-9652"
  );
  script_bugtraq_id(94633);

  script_name(english:"Google Chrome < 55.0.2883.75 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"A web browser installed on the remote Windows host is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Google Chrome installed on the remote Windows host is
prior to 55.0.2883.75. It is, therefore, affected by the following
vulnerabilities :

  - A use-after-free error exists in PDFium in the
    Document::removeField() function within file
    fpdfsdk/javascript/Document.cpp when removing fields
    within a document. An unauthenticated, remote attacker
    can exploit this to dereference already freed memory,
    resulting in the execution of arbitrary code.
    (CVE-2016-5203)

  - A universal cross-site scripting (XSS) vulnerability
    exists in Blink due to improper handling of the 'use'
    SVG element when calling event listeners on a cloned
    node. An unauthenticated, remote attacker can exploit
    this to execute arbitrary script code in a user's
    browser session. (CVE-2016-5204)

  - A universal cross-site scripting (XSS) vulnerability
    exists in Blink due to permitting frame swaps during
    frame detach. An unauthenticated, remote attacker can
    exploit this to execute arbitrary script code in a
    user's browser session. (CVE-2016-5205)

  - A security bypass vulnerability exists in PDFium due to
    a flaw in the DocumentLoader::GetRequest() function
    within file pdf/document_loader.cc when handling
    redirects in the plugin. An unauthenticated, remote
    attacker can exploit this to bypass the same-origin
    policy. (CVE-2016-5206)

  - A universal cross-site scripting (XSS) vulnerability
    exists in Blink, specifically in the
    V8EventListener::getListenerFunction() function within
    file bindings/core/v8/V8EventListener.cpp, due to
    allowing the 'handleEvent' getter to run on forbidden
    scripts. An unauthenticated, remote attacker can exploit
    this to execute arbitrary script code in a user's
    browser session. (CVE-2016-5207)

  - A universal cross-site scripting (XSS) vulnerability
    exists in Blink due to improper handling of triggered
    events (e.g., closing a color chooser for an input
    element). An unauthenticated, remote attacker can
    exploit this to execute arbitrary script code in a
    user's browser session. (CVE-2016-5208)

  - An out-of-bounds write error exists in Blink due to
    improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit this to
    execute arbitrary code. (CVE-2016-5209)

  - An out-of-bounds write error exists in PDFium in the
    CWeightTable::GetPixelWeightSize() function within file
    core/fxge/dib/fx_dib_engine.cpp. An unauthenticated,
    remote attacker can exploit this to corrupt memory,
    resulting in a denial of service condition or the
    execution of arbitrary code. (CVE-2016-5210)

  - An unspecified use-after-free error exists in PDFium due
    to improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit this to
    corrupt memory, resulting in a denial of service
    condition or the execution of arbitrary code.
    (CVE-2016-5211)

  - A unspecified flaw exists in the DevTools component due
    to improper validation of certain URLs that allows an
    unauthenticated, remote attacker to disclose the content
    of arbitrary files. (CVE-2016-5212)

  - Multiple use-after-free errors exist in the inspector
    component in V8 that allow an unauthenticated, remote
    attacker to execute arbitrary code. (CVE-2016-5213,
    CVE-2016-5219)

  - A file download protection bypass vulnerability exists
    when downloading files that involve 'data:' URIs,
    unknown URI schemes, or overly long URLs. An
    unauthenticated, remote attacker can exploit this to
    cause a file to be downloaded without applying the
    mark-of-the-web. (CVE-2016-5214)

  - A use-after-free error exists in WebAudio within file
    content/renderer/media/renderer_webaudiodevice_impl.cc
    due to improper handling of web audio. An
    unauthenticated, remote attacker can exploit this to
    dereference already freed memory, resulting in the
    execution of arbitrary code. (CVE-2016-5215)

  - A use-after-free error exists in PDFium, specifically
    within file pdf/pdfium/pdfium_engine.cc, due to improper
    handling of non-visible page unloading. An
    unauthenticated, remote attacker can exploit this to
    dereference already freed memory, resulting in the
    execution of arbitrary code. (CVE-2016-5216)

  - A flaw exists in PDFium due to the use of unvalidated
    data by the PDF helper extension. An authenticated,
    remote attacker can exploit this to have an unspecified
    impact. No other details are available. (CVE-2016-5217)

  - A flaw exists when handling chrome.tabs API navigations
    and displaying the pending URL. An unauthenticated,
    remote attacker can exploit this to spoof the Omnibox
    address. (CVE-2016-5218)

  - An information disclosure vulnerability exists in
    PDFium, due to improper handling of 'file: navigation',
    that allows an unauthenticated, remote attacker to
    disclose local files. (CVE-2016-5220)

  - An integer overflow condition exists in ANGLE due to
    improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit this to
    have an unspecified impact. (CVE-2016-5221)

  - A flaw exists in the NavigatorImpl::NavigateToEntry()
    function within file frame_host/navigator_impl.cc due to
    improper handling of invalid URLs. An unauthenticated,
    remote attacker can exploit this to spoof the Omnibox
    address. (CVE-2016-5222)

  - An integer overflow condition exists in PDFium within
    file core/fpdfapi/page/cpdf_page.cpp that allows an
    authenticated, remote attacker to have an unspecified
    impact. No other details are available. (CVE-2016-5223)

  - A security bypass vulnerability exists in the SVG
    component due to denorm handling not being disabled
    before calling Skia filter code. An unauthenticated,
    remote attacker can exploit this to bypass the
    same-origin policy. (CVE-2016-5224)

  - A flaw exists in Blink, specifically in the
    HTMLFormElement::scheduleFormSubmission() function
    within file html/HTMLFormElement.cpp, due to improper
    enforcement of the form-action CSP (Content Security
    Policy). An unauthenticated, remote attacker can exploit
    this to bypass intended access restrictions.
    (CVE-2016-5225)

  - A cross-site scripting (XSS) vulnerability exists in
    Blink within file ui/views/tabs/tab_strip.cc due to
    improper validation of input when dropping JavaScript
    URLs on a tab. An unauthenticated, remote attacker can
    exploit this to execute arbitrary script code in a
    user's browser session. (CVE-2016-5226)

  - An unspecified flaw exists that allows an
    unauthenticated, remote attacker to disclose Content
    Security Policy (CSP) referrers. (CVE-2016-9650)

  - An unspecified flaw exists in V8 within lookup.cc that
    allows unauthorized private property access. An
    unauthenticated, remote attacker can exploit this to
    execute arbitrary code. (CVE-2016-9651)

  - Multiple other vulnerabilities exist, the most serious
    of which can be exploited by an authenticated, remote
    attacker to execute arbitrary code. (CVE-2016-9652)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # https://googlechromereleases.blogspot.com/2016/12/stable-channel-update-for-desktop.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bfe6e9a5");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Google Chrome version 55.0.2883.75 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9652");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:google:chrome");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("google_chrome_installed.nasl");
  script_require_keys("SMB/Google_Chrome/Installed");

  exit(0);
}

include("google_chrome_version.inc");

get_kb_item_or_exit("SMB/Google_Chrome/Installed");
installs = get_kb_list("SMB/Google_Chrome/*");

google_chrome_check_version(installs:installs, fix:'55.0.2883.75', severity:SECURITY_HOLE, xss:TRUE);
VendorProductVersionCPE
googlechromecpe:/a:google:chrome

References

Related

suse 2
nessus 13
archlinux 2
openvas 12
chrome 1
threatpost 1
gentoo 1
redhat 1
freebsd 1
mageia 1
ubuntu 1
fedora 5
debian 2
kaspersky 1
osv 1
prion 28
cve 28
ubuntucve 27
debiancve 27
redhatcve 27
packetstorm 1
zdt 1
seebug 3
myhack58 1
suse
suse
Security update for Chromium (important)
2016-12-13 13:10:29
Security update for Chromium (important)
2017-02-27 12:08:25
nessus
nessus
openSUSE Security Update : Chromium (openSUSE-2016-1453)
2016-12-14 00:00:00
RHEL 6 : chromium-browser (RHSA-2016:2919)
2016-12-08 00:00:00
FreeBSD : chromium -- multiple vulnerabilities (603fe0a1-bb26-11e6-8e5a-3065ec8fd3ec)
2016-12-06 00:00:00
archlinux
archlinux
[ASA-201612-3] chromium: multiple issues
2016-12-03 00:00:00
[ASA-201702-2] qt5-webengine: multiple issues
2017-02-02 00:00:00
openvas
openvas
Google Chrome Security Updates (stable-channel-update-for-desktop-2016-12) - Linux
2016-12-05 00:00:00
Google Chrome Security Updates (stable-channel-update-for-desktop-2016-12) - Mac OS X
2016-12-05 00:00:00
Mageia: Security Advisory (MGASA-2016-0419)
2022-01-28 00:00:00
chrome
chrome
Stable Channel Update for Desktop
2016-12-01 00:00:00
threatpost
threatpost
Google Fixes 12 High-Severity Vulnerabilities In Chrome Browser
2016-12-02 11:45:07
gentoo
gentoo
Chromium: Multiple vulnerabilities
2016-12-05 00:00:00
redhat
redhat
(RHSA-2016:2919) Important: chromium-browser security update
2016-12-07 18:07:15
freebsd
freebsd
chromium -- multiple vulnerabilities
2016-12-01 00:00:00
mageia
mageia
Updated chromium-browser-stable packages fix security vulnerabilities
2016-12-15 23:33:35
ubuntu
ubuntu
Oxide vulnerabilities
2016-12-09 00:00:00
fedora
fedora
[SECURITY] Fedora 24 Update: chromium-55.0.2883.87-1.fc24
2016-12-16 03:56:11
[SECURITY] Fedora 25 Update: chromium-55.0.2883.87-1.fc25
2016-12-16 00:32:16
[SECURITY] Fedora 26 Update: qt5-qtwebengine-5.8.0-8.fc26
2017-04-16 14:40:06
debian
debian
[SECURITY] [DSA 3731-1] chromium-browser security update
2016-12-11 20:59:42
[SECURITY] [DSA 3731-1] chromium-browser security update
2016-12-11 20:59:42
kaspersky
kaspersky
KLA10949 Multiple vulnerabilities in Google Chrome
2017-01-19 00:00:00
osv
osv
chromium-browser - security update
2016-12-11 00:00:00
prion
prion
Design/Logic Flaw
2017-01-19 05:59:00
Design/Logic Flaw
2019-01-09 19:29:00
Design/Logic Flaw
2017-01-19 05:59:00
cve
cve
CVE-2016-5224
2017-01-19 05:59:00
CVE-2016-5220
2017-01-19 05:59:00
CVE-2016-5222
2017-01-19 05:59:00
ubuntucve
ubuntucve
CVE-2016-5224
2016-12-06 00:00:00
CVE-2016-9651
2016-12-06 00:00:00
CVE-2016-5220
2017-01-19 00:00:00
debiancve
debiancve
CVE-2016-9651
2019-01-09 19:29:00
CVE-2016-5210
2017-01-19 05:59:00
CVE-2016-5220
2017-01-19 05:59:00
redhatcve
redhatcve
CVE-2016-9651
2016-12-02 08:49:04
CVE-2016-5222
2016-12-02 08:50:50
CVE-2016-5220
2016-12-02 08:50:34
packetstorm
packetstorm
Google Chrome V8 Private Property Arbitrary Code Execution
2017-06-14 00:00:00
zdt
zdt
Google Chrome - V8 Private Property Arbitrary Code Execution Exploit
2017-06-14 00:00:00
seebug
seebug
Chrome Universal XSS via fullscreen element updates (CVE-2016-5207)
2017-04-21 00:00:00
Chrome Universal XSS by intercepting a UA shadow tree(CVE-2016-5204)
2017-04-21 00:00:00
Chrome Universal XSS using an <input type="color"> element (CVE-2016-5208)
2017-04-21 00:00:00
myhack58
myhack58
The butterfly effect and the program error---a slag-hole the use-vulnerability warning-the black bar safety net
2017-06-14 00:00:00
JSON
Related for GOOGLE_CHROME_55_0_2883_75.NASL
suse2nessus13archlinux2openvas12chrome1threatpost1gentoo1redhat1freebsd1mageia1ubuntu1fedora5debian2kaspersky1osv1prion28cve28ubuntucve27debiancve27redhatcve27packetstorm1zdt1seebug3myhack581