Gentoo update for Chromium, Google Chrome
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 25 |
| CVE-ID | CVE-2018-6057 CVE-2018-6060 CVE-2018-6061 CVE-2018-6062 CVE-2018-6063 CVE-2018-6064 CVE-2018-6065 CVE-2018-6066 CVE-2018-6067 CVE-2018-6068 CVE-2018-6069 CVE-2018-6070 CVE-2018-6071 CVE-2018-6072 CVE-2018-6073 CVE-2018-6074 CVE-2018-6075 CVE-2018-6076 CVE-2018-6077 CVE-2018-6078 CVE-2018-6079 CVE-2018-6080 CVE-2018-6081 CVE-2018-6082 CVE-2018-6083 |
| CWE-ID | CWE-119 CWE-416 CWE-362 CWE-122 CWE-843 CWE-190 CWE-20 CWE-120 CWE-404 CWE-121 CWE-284 CWE-264 CWE-19 CWE-385 CWE-451 CWE-200 CWE-79 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #7 is being exploited in the wild. |
| Vulnerable software |
Gentoo Linux Operating systems & Components / Operating system www-client/google-chrome Operating systems & Components / Operating system package or component www-client/chromium Operating systems & Components / Operating system package or component |
| Vendor | Gentoo |
Security Bulletin
This security bulletin contains information about 25 vulnerabilities.
1) Memory corruption
EUVDB-ID: #VU11564
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-6057
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to incorrect permissions on shared memory. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free error
EUVDB-ID: #VU11558
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-6060
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in Blink. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Race condition
EUVDB-ID: #VU11560
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-6061
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to race condition in V8. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Heap-based buffer overflow
EUVDB-ID: #VU11561
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-6062
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to heap-based buffer overflow in Skia. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Memory corruption
EUVDB-ID: #VU11565
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-6063
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to incorrect permissions on shared memory. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Type confusion
EUVDB-ID: #VU11543
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-6064
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion in V8. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Integer overflow
EUVDB-ID: #VU11562
Risk: High
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2018-6065
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to integer overflow. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
8) Security restrictions bypass
EUVDB-ID: #VU11563
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6066
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to same origin bypass via canvas. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Buffer overflow
EUVDB-ID: #VU11566
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6067
CWE-ID:
CWE-120 - Buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Skia due to buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Improper resource shutdown
EUVDB-ID: #VU11567
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6068
CWE-ID:
CWE-404 - Improper Resource Shutdown or Release
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to object lifetime issues. A remote attacker can cause the service to crash.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Stack-based buffer overflow
EUVDB-ID: #VU11568
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6069
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Skia due to stack-based buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Improper access control
EUVDB-ID: #VU11569
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6070
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to CSP bypass through extensions. A remote attacker can bypass security restrictions.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Heap-based buffer overflow
EUVDB-ID: #VU11570
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6071
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Skia due to heap-based buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Integer overflow
EUVDB-ID: #VU11571
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6072
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in PDFium due to integer overflow. A remote attacker can trigger buffer overflow and cause the service to crash.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Heap-based buffer overflow
EUVDB-ID: #VU11573
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6073
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in WebGL due to heap-based buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Improper access control
EUVDB-ID: #VU11574
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6074
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to Mark-of-the-Web bypass. A remote attacker can bypass security restrictions.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Security restrictions bypass
EUVDB-ID: #VU11576
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6075
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to overly permissive cross origin downloads. A remote attacker can bypass security restrictions.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Data handling
EUVDB-ID: #VU11578
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6076
CWE-ID:
CWE-19 - Data Handling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Blink due to incorrect handling of URL fragment identifiers. A remote attacker can cause the service to crash.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Timing attack
EUVDB-ID: #VU11581
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6077
CWE-ID:
CWE-385 - Covert Timing Channel
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in SVG filters due to covert timing channel. A remote attacker can gain access to potentially sensitive information.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Spoofing attack
EUVDB-ID: #VU11582
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6078
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct spoofing attack on the target system.
The weakness exists in OmniBox due to URL spoof. A remote attacker can perform spoofing attack and obtain arbitrary data.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Information disclosure
EUVDB-ID: #VU11583
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6079
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in WebGL due to improper information control via texture data. A remote attacker can gain access to potentially sensitive information.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Information disclosure
EUVDB-ID: #VU11584
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6080
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in IPC call due to improper information control. A remote attacker can gain access to potentially sensitive information.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Cross-site scripting
EUVDB-ID: #VU11585
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6081
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The weakness exists in interstitials due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Security restrictions bypass
EUVDB-ID: #VU11586
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6082
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to circumvention of port blocking. A remote attacker can bypass security restrictions.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Improper access control
EUVDB-ID: #VU11587
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6083
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to incorrect processing of AppManifests. A remote attacker can bypass security restrictions.
Update the affected packages.
www-client/chromium to version: 65.0.3325.146
www-client/google-chrome to version: 65.0.3325.146
Gentoo Linux: All versions
www-client/google-chrome: before 65.0.3325.146
www-client/chromium: before 65.0.3325.146
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:www-client_google-chrome:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:www-client_chromium:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201803-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
