Gentoo update for Chromium
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 31 |
| CVE-ID | CVE-2017-5091 CVE-2017-5092 CVE-2017-5093 CVE-2017-5094 CVE-2017-5095 CVE-2017-5096 CVE-2017-5097 CVE-2017-5098 CVE-2017-5099 CVE-2017-5100 CVE-2017-5101 CVE-2017-5102 CVE-2017-5103 CVE-2017-5104 CVE-2017-5105 CVE-2017-5106 CVE-2017-5107 CVE-2017-5108 CVE-2017-5109 CVE-2017-5110 CVE-2017-5111 CVE-2017-5112 CVE-2017-5113 CVE-2017-5114 CVE-2017-5115 CVE-2017-5116 CVE-2017-5117 CVE-2017-5118 CVE-2017-5119 CVE-2017-5120 CVE-2017-7000 |
| CWE-ID | CWE-416 CWE-264 CWE-843 CWE-787 CWE-401 CWE-125 CWE-665 CWE-122 CWE-119 CWE-200 CWE-300 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Gentoo Linux Operating systems & Components / Operating system |
| Vendor | Gentoo |
Security Bulletin
This security bulletin contains information about 31 vulnerabilities.
1) Use-after-free error
EUVDB-ID: #VU7618
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5091
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists due to use-after free error in IndexedDB. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free error
EUVDB-ID: #VU7619
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5092
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists due to use-after free error in PPAPI. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Spoofing attack
EUVDB-ID: #VU7620
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5093
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to UI spoofing in Blink. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
MitigationUpdate the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Type confusion
EUVDB-ID: #VU7621
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5094
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists due to type confusion in extensions. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Out-of-bounds write
EUVDB-ID: #VU7622
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5095
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists due to out-of-bounds write in PDFium. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Memory leak
EUVDB-ID: #VU7623
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5096
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the system.
The weakness exists due to memory leak via Android intents. A remote attacker can trick the victim into visiting a specially crafted web page and read important files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Out-of-bounds read
EUVDB-ID: #VU7624
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5097
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the system.
The weakness exists due to out-of-bounds read in Skia. A remote attacker can trick the victim into visiting a specially crafted web page and read important files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Use-after-free error
EUVDB-ID: #VU7625
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5098
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists due to use-after free error in V8. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Out-of-bounds write
EUVDB-ID: #VU7626
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5099
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists due to out-of-bounds write in PPAPI. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Use-after-free error
EUVDB-ID: #VU7627
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5100
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists due to use-after free error in Chrome Apps. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Spoofing attack
EUVDB-ID: #VU7628
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5101
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to URL spoofing in OmniBox. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
MitigationUpdate the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Security restrictions bypass
EUVDB-ID: #VU7629
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5102
CWE-ID:
CWE-665 - Improper Initialization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions.
The weakness exists due to uninitialized use in Skia. A remote attacker can trick the victim into visiting a specially crafted web page and gain access to the system.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Security restrictions bypass
EUVDB-ID: #VU7630
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5103
CWE-ID:
CWE-665 - Improper Initialization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions.
The weakness exists due to uninitialized use in Skia. A remote attacker can trick the victim into visiting a specially crafted web page and gain access to the system.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Spoofing attack
EUVDB-ID: #VU7631
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5104
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to UI spoofing in browser. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
MitigationUpdate the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Spoofing attack
EUVDB-ID: #VU7632
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5105
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to URL spoofing in OmniBox. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
MitigationUpdate the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Spoofing attack
EUVDB-ID: #VU7635
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5106
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to URL spoofing in OmniBox. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
MitigationUpdate the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Memory leak
EUVDB-ID: #VU7636
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5107
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the system.
The weakness exists due to memory leak via SVG. A remote attacker can trick the victim into visiting a specially crafted web page and read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Type confusion
EUVDB-ID: #VU7637
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5108
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the system.
The weakness exists due to type confusion in PDFium. A remote attacker can trick the victim into visiting a specially crafted web page and read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Spoofing attack
EUVDB-ID: #VU7633
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5109
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to UI spoofing in browser. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
MitigationUpdate the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Spoofing attack
EUVDB-ID: #VU7634
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5110
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to UI spoofing in payments dialog. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
MitigationUpdate the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Use-after-free error
EUVDB-ID: #VU8124
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5111
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in PDFium. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Heap-based buffer overflow
EUVDB-ID: #VU8125
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5112
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to heap-based buffer overflow in WebGL. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Heap-based buffer overflow
EUVDB-ID: #VU8126
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5113
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to heap-based buffer overflow in Skia. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Memory corruption
EUVDB-ID: #VU8127
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5114
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to memory lifecycle issue in PDFium. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Type confusion
EUVDB-ID: #VU8128
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5115
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion in V8. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Type confusion
EUVDB-ID: #VU8129
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5116
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion in V8. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Information disclosure
EUVDB-ID: #VU8133
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5117
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists due to use of uninitialized value in Skia. A remote attacker can trick the victim into visiting a specially crafted website and read arbitrary data from system memory.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
28) Security restrictions bypass
EUVDB-ID: #VU8135
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5118
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions.
The weakness exists due to improper access control. A remote attacker can trick the victim into visiting a specially crafted website and bypass content security policy in Blink on the system.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
29) Information disclosure
EUVDB-ID: #VU8134
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5119
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists due to use of uninitialized value in Skia. A remote attacker can trick the victim into visiting a specially crafted website and read arbitrary data from system memory.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
30) Man-in-the-middle attack
EUVDB-ID: #VU8136
Risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5120
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct a man-in-the-middle attack.
The weakness exists due to potential HTTPS downgrade during redirect navigation. A remote attacker can trick the victim into visiting a specially crafted website and use man-in-the-middle techniques to read and modify arbitrary data on the system.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
31) Information disclosure
EUVDB-ID: #VU7638
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7000
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the system.
The weakness exists due to pointer disclosure in SQLite. A remote attacker can trick the victim into visiting a specially crafted web page and read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
www-client/chromium to version: 61.0.3163.79
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/glsa/201709-15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
