Multiple vulnerabilities in Google Chrome



Published: 2017-08-01 | Updated: 2021-06-14
Risk High
Patch available YES
Number of vulnerabilities 21
CVE-ID CVE-2017-5091
CVE-2017-5092
CVE-2017-5093
CVE-2017-5094
CVE-2017-5095
CVE-2017-5096
CVE-2017-5097
CVE-2017-5098
CVE-2017-5099
CVE-2017-5100
CVE-2017-5101
CVE-2017-5102
CVE-2017-5103
CVE-2017-5104
CVE-2017-5105
CVE-2017-5109
CVE-2017-5110
CVE-2017-5106
CVE-2017-5107
CVE-2017-5108
CVE-2017-7000
CWE-ID CWE-416
CWE-264
CWE-843
CWE-787
CWE-401
CWE-125
CWE-665
CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Google Chrome
Client/Desktop applications / Web browsers

Vendor Google

Security Bulletin

This security bulletin contains information about 21 vulnerabilities.

1) Use-after-free error

EUVDB-ID: #VU7618

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5091

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to use-after free error in IndexedDB. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use-after-free error

EUVDB-ID: #VU7619

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5092

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to use-after free error in PPAPI. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Spoofing attack

EUVDB-ID: #VU7620

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5093

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to UI spoofing in Blink. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.

Successful exploitation of the vulnerability results in address spoofing.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Type confusion

EUVDB-ID: #VU7621

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5094

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to type confusion in extensions. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Out-of-bounds write

EUVDB-ID: #VU7622

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5095

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to out-of-bounds write in PDFium. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Memory leak

EUVDB-ID: #VU7623

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5096

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the system.

The weakness exists due to memory leak via Android intents. A remote attacker can trick the victim into visiting a specially crafted web page and read important files on the system.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Out-of-bounds read

EUVDB-ID: #VU7624

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5097

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the system.

The weakness exists due to out-of-bounds read in Skia. A remote attacker can trick the victim into visiting a specially crafted web page and read important files on the system.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Use-after-free error

EUVDB-ID: #VU7625

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5098

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to use-after free error in V8. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Out-of-bounds write

EUVDB-ID: #VU7626

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5099

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to out-of-bounds write in PPAPI. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Use-after-free error

EUVDB-ID: #VU7627

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5100

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to use-after free error in Chrome Apps. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Spoofing attack

EUVDB-ID: #VU7628

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5101

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to URL spoofing in OmniBox. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.

Successful exploitation of the vulnerability results in address spoofing.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Security restrictions bypass

EUVDB-ID: #VU7629

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5102

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to uninitialized use in Skia. A remote attacker can trick the victim into visiting a specially crafted web page and gain access to the system.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Security restrictions bypass

EUVDB-ID: #VU7630

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5103

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to uninitialized use in Skia. A remote attacker can trick the victim into visiting a specially crafted web page and gain access to the system.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Spoofing attack

EUVDB-ID: #VU7631

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5104

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to UI spoofing in browser. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.

Successful exploitation of the vulnerability results in address spoofing.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Spoofing attack

EUVDB-ID: #VU7632

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5105

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to URL spoofing in OmniBox. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.

Successful exploitation of the vulnerability results in address spoofing.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Spoofing attack

EUVDB-ID: #VU7633

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5109

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to UI spoofing in browser. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.

Successful exploitation of the vulnerability results in address spoofing.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Spoofing attack

EUVDB-ID: #VU7634

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5110

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to UI spoofing in payments dialog. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.

Successful exploitation of the vulnerability results in address spoofing.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Spoofing attack

EUVDB-ID: #VU7635

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5106

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to URL spoofing in OmniBox. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.

Successful exploitation of the vulnerability results in address spoofing.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Memory leak

EUVDB-ID: #VU7636

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5107

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the system.

The weakness exists due to memory leak via SVG. A remote attacker can trick the victim into visiting a specially crafted web page and read arbitrary files on the system.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Type confusion

EUVDB-ID: #VU7637

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5108

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the system.

The weakness exists due to type confusion in PDFium. A remote attacker can trick the victim into visiting a specially crafted web page and read arbitrary files on the system.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Information disclosure

EUVDB-ID: #VU7638

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7000

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the system.

The weakness exists due to pointer disclosure in SQLite. A remote attacker can trick the victim into visiting a specially crafted web page and read arbitrary files on the system.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Update to version 60.0.3112.78.

Vulnerable software versions

Google Chrome: 57.0.2987.98 - 59.0.3071.115

External links

http://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###