SB2021031228 - Fedora EPEL 8 update for chromium
Published: March 12, 2021
Description
This security bulletin contains information about 41 security vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2021-21162)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a use-after-free error within the WebRTC component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.
2) Use-after-free (CVE-ID: CVE-2021-21180)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a use-after-free error within tab search in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
3) Input validation error (CVE-ID: CVE-2021-21164)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation in iOSWeb in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code on the system.
4) Spoofing attack (CVE-ID: CVE-2021-21170)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient validation of user-supplied input in Loader in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.
5) Cryptographic issues (CVE-ID: CVE-2021-21181)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a side-channel information leak in autofill. A remote attacker can create a specially crafted web page, trick the victim into opening it and gain access to sensitive information.
6) Improper control of a resource through its lifetime (CVE-ID: CVE-2021-21166)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper control of object lifetime in audio in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
7) Heap-based buffer overflow (CVE-ID: CVE-2021-21160)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in WebAudio. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
8) Use-after-free (CVE-ID: CVE-2021-21179)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a use-after-free error within Network Internals in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
9) Input validation error (CVE-ID: CVE-2021-21187)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input in URL formatting in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
10) Cryptographic issues (CVE-ID: CVE-2021-21173)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a side-channel information leak in Network Internals. A remote attacker can create a specially crafted web page, trick the victim into opening it and gain access to sensitive information.
11) Improperly implemented security check for standard (CVE-ID: CVE-2021-21174)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Referrer in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
12) Improperly implemented security check for standard (CVE-ID: CVE-2021-21183)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in performance APIs in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
13) Heap-based buffer overflow (CVE-ID: CVE-2021-21161)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in TabStrip. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
14) Spoofing attack (CVE-ID: CVE-2021-21171)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient validation of user-supplied input in TabStrip and Navigation in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.
15) Improperly implemented security check for standard (CVE-ID: CVE-2021-21178)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Compositing in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
16) Improper control of a resource through its lifetime (CVE-ID: CVE-2021-21169)
The vulnerability allows a remote attacker to crash the browser.
The vulnerability exists due to a boundary condition within the V8 component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an out-of-bounds read error and crash the browser.
17) Input validation error (CVE-ID: CVE-2021-21163)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation in Reader Mode in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code on the system.
18) Improperly implemented security check for standard (CVE-ID: CVE-2021-21175)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Site isolation in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
19) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-21177)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in Autofill in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.
20) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-21185)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in extensions in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.
21) Use of uninitialized resource (CVE-ID: CVE-2021-21190)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to usage of uninitialized resources in PDFium in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and crash the browser.
22) Improperly implemented security check for standard (CVE-ID: CVE-2021-21184)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in performance APIs in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
23) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-21168)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in appcache in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.
24) Use-after-free (CVE-ID: CVE-2021-21167)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a use-after-free error within bookmarks in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
25) Use-after-free (CVE-ID: CVE-2021-21188)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in Blink in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and crash the browser.
26) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-21172)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in File System API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.
27) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-21182)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in navigations in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.
28) Improperly implemented security check for standard (CVE-ID: CVE-2021-21176)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in full screen mode in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
29) Heap-based buffer overflow (CVE-ID: CVE-2021-21159)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in TabStrip. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
30) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-21186)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in QR scanning in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.
31) Improper control of a resource through its lifetime (CVE-ID: CVE-2021-21165)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper control of object lifetime in audio in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.
32) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-21189)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in payments in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.
33) Stack-based buffer overflow (CVE-ID: CVE-2021-21149)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary error in Data Transfer in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.
34) Use-after-free (CVE-ID: CVE-2021-21150)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a use-after-free error within the Downloads component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.
35) Use-after-free (CVE-ID: CVE-2021-21151)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a use-after-free error within the Payments component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.
36) Heap-based buffer overflow (CVE-ID: CVE-2021-21152)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in Media. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
37) Stack-based buffer overflow (CVE-ID: CVE-2021-21153)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary error in GPU Process in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.
38) Heap-based buffer overflow (CVE-ID: CVE-2021-21154)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in Tab Strip. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
39) Heap-based buffer overflow (CVE-ID: CVE-2021-21155)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in Tab Strip. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
40) Heap-based buffer overflow (CVE-ID: CVE-2021-21156)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in V8. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
41) Use-after-free (CVE-ID: CVE-2021-21157)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a use-after-free error within Web Sockets in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
Remediation
Install the update from the vendor's website.