Fedora 26 update for chromium



Updated: 2025-04-24
Risk: Low
Patch available: YES
Number of vulnerabilities: 3
CVE-ID: CVE-2017-5087, CVE-2017-5088, CVE-2017-5089
CWE-ID: CWE-264, CWE-125
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:
Fedora (Operating systems & Components / Operating system)
chromium (Operating systems & Components / Operating system package or component)
Vendor: Fedoraproject

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Security bypass

EUVDB-ID: #VU7125

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5087

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to an error in IndexedDB. A remote attacker can escape the sandbox and gain access to the system.

Successful exploitation of the vulnerability results in security bypass.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 26

chromium: before 59.0.3071.104-1.fc26

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-01e4d46f23


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU7126

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5088

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an out-of-bounds read error in V8. A remote attacker can read arbitrary files, which may allow further attacks.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 26

chromium: before 59.0.3071.104-1.fc26

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-01e4d46f23


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Spoofing attack

EUVDB-ID: #VU7127

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5089

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to an address spoofing flaw in the Omnibox component. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.

Successful exploitation of the vulnerability results in address spoofing.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 26

chromium: before 59.0.3071.104-1.fc26

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-01e4d46f23


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


