GoogleOSV:CVE-2022-2164

HistoryJul 28, 2022 - 1:15 a.m.

CVE-2022-2164

2022-07-2801:15:17

Google

osv.dev

google chrome

insecure extension

access control

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score

Confidence

High

EPSS

0.001

Percentile

48.2%

JSON

Inappropriate implementation in Extensions API in Google Chrome prior to 103.0.5060.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted HTML page.

References

chromereleases.googleblog.com/2022/06/stable-channel-update-for-desktop_21.html

crbug.com/1268445

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5BQRTR4SIUNIHLLPWTGYSDNQK7DYCRSB/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H2C4XOJVIILDXTOSMWJXHSQNEXFWSOD7/

security.gentoo.org/glsa/202208-25