Vulnerability CVE-2019-5838


Published: 2019-06-27

Description:
Insufficient policy enforcement in extensions API in Google Chrome prior to 75.0.3770.80 allowed an attacker who convinced a user to install a malicious extension to bypass restrictions on file URIs via a crafted Chrome Extension.

Type:

CWE-20

(Improper Input Validation)

Vendor: Opensuse
Product: Backports 
Version: sle-15;
Vendor: Google
Product: Chrome 
Version:
9.0.600.0
9.0.599.0
9.0.598.0
9.0.597.99
9.0.597.98
9.0.597.97
9.0.597.96
9.0.597.94
9.0.597.92
9.0.597.90
9.0.597.9
9.0.597.88
9.0.597.86
9.0.597.85
9.0.597.84
9.0.597.83
9.0.597.82
9.0.597.81
9.0.597.80
9.0.597.8
9.0.597.79
9.0.597.78
9.0.597.77
9.0.597.76
9.0.597.75
9.0.597.74
9.0.597.73
9.0.597.72
9.0.597.71
9.0.597.70
9.0.597.7
9.0.597.69
9.0.597.68
9.0.597.67
9.0.597.66
9.0.597.65
9.0.597.64
9.0.597.63
9.0.597.62
9.0.597.60
9.0.597.59
9.0.597.58
9.0.597.57
9.0.597.56
9.0.597.55
9.0.597.54
9.0.597.5
9.0.597.47
9.0.597.46
9.0.597.45
9.0.597.44
9.0.597.42
9.0.597.41
9.0.597.40
9.0.597.4
9.0.597.39
9.0.597.38
9.0.597.37
9.0.597.36
9.0.597.35
9.0.597.34
9.0.597.33
9.0.597.32
9.0.597.31
9.0.597.30
9.0.597.29
9.0.597.28
9.0.597.27
9.0.597.26
9.0.597.25
9.0.597.24
9.0.597.23
9.0.597.22
9.0.597.21
9.0.597.20
9.0.597.2
9.0.597.19
9.0.597.18
9.0.597.17
9.0.597.16
9.0.597.15
9.0.597.14
9.0.597.12
9.0.597.11
9.0.597.107
9.0.597.106
9.0.597.102
9.0.597.101
9.0.597.100
9.0.597.10
9.0.597.1
9.0.597.0
9.0.596.0
9.0.595.0
9.0.594.0
9.0.593.0
9.0.592.0
9.0.591.0
9.0.590.0
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00085.html
https://chromereleases.googleblog.com/2019/06/stable-channel-update-for-desktop.html
https://crbug.com/893087
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CPM7VPE27DUNJLXM4F5PAAEFFWOEND6X/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKN4GPMBQ3SDXWB4HL45II5CZ7P2E4AI/

Related CVE
CVE-2019-2137
In the endCall() function of TelecomManager.java, there is a possible Denial of Service due to a missing permission check. This could lead to local denial of access to Emergency Services with User execution privileges needed. User interaction is not ...
CVE-2019-2129
In extract3GPPGlobalDescriptions of TextDescriptions.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is neede...
CVE-2019-2128
In ACELP_4t64_fx of c4t64fx.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Pr...
CVE-2019-2127
In AudioInputDescriptor::setClientActive of AudioInputDescriptor.cpp, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is no...
CVE-2019-2126
In ParseContentEncodingEntry of mkvparser.cc, there is a possible double free due to a missing reset of a freed pointer. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitat...
CVE-2019-2125
In ChangeDefaultDialerDialog.java, there is a possible escalation of privilege due to an overlay attack. This could lead to local escalation of privilege, granting privileges to a local app without the user's informed consent, with no additional priv...
CVE-2019-2122
In LockTaskController.lockKeyguardIfNeeded of the LockTaskController.java, there was a difference in the handling of the default case between the WindowManager and the Settings. This could lead to a local escalation of privilege with no additional ex...
CVE-2019-2121
In ActivityManagerService.attachApplication of ActivityManagerService, there is a possible race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitatio...

Copyright 2019, cxsecurity.com

 

Back to Top