History: Jul 25, 2017 - 12:00 a.m.

KLA11129 Multiple vulnerabilities in Google Chrome

2017-07-25 00:00:00
Kaspersky Lab
threats.kaspersky.com

CVSS2: 6.8

  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 8.8

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 9.2 (Confidence: High)

EPSS: 0.022 (Percentile: 89.6%)

Multiple serious vulnerabilities have been found in Google Chrome. Malicious users can exploit these vulnerabilities to cause a denial of service, bypass security restrictions, spoof the user interface, execute arbitrary code, escalate privileges, obtain sensitive information and perform cross-site scripting attacks.

Below is a complete list of vulnerabilities:

  1. A use after free in IndexedDB component can be exploited remotely by an unauthenticated attacker to cause denial of service;
  2. Insufficient validation of untrusted input in PPAPI Plugins component can be exploited remotely by an unauthenticated attacker to bypass security restrictions;
  3. Inappropriate implementation in modal dialog handling in Blink component can be exploited remotely by an unauthenticated attacker to spoof user interface;
  4. Type confusion in extensions JavaScript can be exploited remotely by an unauthenticated attacker to bypass security restrictions;
  5. Stack overflow in PDFium component can be exploited remotely by an unauthenticated attacker to execute arbitrary code;
  6. Insufficient policy enforcement during navigation can be exploited remotely by an unauthenticated attacker to perform a universal cross-site scripting attack;
  7. Insufficient validation of untrusted input in Skia component can be exploited remotely by an unauthenticated attacker to cause denial of service;
  8. A use after free in V8 component can be exploited remotely by an unauthenticated attacker to cause denial of service;
  9. Insufficient validation of untrusted input in PPAPI Plugins component can be exploited remotely by an unauthenticated attacker to escalate privileges;
  10. A use after free in Apps component can be exploited remotely by an unauthenticated attacker to cause denial of service;
  11. Inappropriate implementation in Omnibox component can be exploited remotely by an unauthenticated attacker to spoof user interface;
  12. Use of an uninitialized value in Skia component can be exploited remotely by an unauthenticated attacker to obtain sensitive information;
  13. Inappropriate implementation in interstitials can be exploited remotely by an unauthenticated attacker to spoof user interface;
  14. Insufficient policy enforcement in Omnibox component can be exploited remotely by an unauthenticated attacker to spoof user interface;
  15. A timing attack in SVG rendering can be exploited remotely by an unauthenticated attacker to perform a universal cross-site scripting attack;
  16. Type confusion in PDFium component can be exploited remotely by an unauthenticated attacker to bypass security restrictions;
  17. Inappropriate implementation of unload handler handling in permission prompts can be exploited remotely by an unauthenticated attacker to spoof user interface;
  18. Inappropriate implementation of the web payments API on blob: and data: schemes in Web Payments component can be exploited remotely by an unauthenticated attacker to spoof user interface.

Technical details

NB: This vulnerability does not have a public CVSS rating, so the rating may change over time.

Original advisories

Stable Channel Update for Desktop

Related products

Google-Chrome

CVE list

CVE-2017-5108 high

CVE-2017-5109 warning

CVE-2017-5110 warning

CVE-2017-5091 high

CVE-2017-5092 high

CVE-2017-5093 warning

CVE-2017-5094 warning

CVE-2017-5095 high

CVE-2017-5096 warning

CVE-2017-5097 high

CVE-2017-5098 high

CVE-2017-5099 high

CVE-2017-5100 high

CVE-2017-5101 warning

CVE-2017-5102 warning

CVE-2017-5103 warning

CVE-2017-5104 warning

CVE-2017-5105 warning

CVE-2017-5106 warning

CVE-2017-5107 warning

Solution

Update to the latest version

Download Google Chrome

Impacts

  • ACE: Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an attacker to execute any code or commands on the vulnerable machine or in the vulnerable process.

  • OSI: Obtain sensitive information. Exploitation of vulnerabilities with this impact can allow an attacker to capture information that is critical to the user or system.

  • DoS: Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or a critical functional fault.

  • SB: Security bypass. Exploitation of vulnerabilities with this impact can allow actions that are restricted by the current security settings.

  • PE: Privilege escalation. Exploitation of vulnerabilities with this impact can allow an attacker to perform actions that are normally disallowed for the current role.

  • XSS/CSS: Cross-site scripting. Exploitation of vulnerabilities with this impact can lead to partial interception of information transmitted between the user and the site.

  • SUI: Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in the user interface that mislead the user into taking incorrect actions.

Affected Products

  • Google Chrome versions earlier than 60.0.3112.78
