Multiple vulnerabilities in Google Chrome



Published: 2019-10-24 | Updated: 2022-01-17
Risk High
Patch available YES
Number of vulnerabilities 21
CVE-ID CVE-2019-13708
CVE-2019-13709
CVE-2019-13710
CVE-2019-13711
CVE-2019-13707
CVE-2019-13706
CVE-2019-13703
CVE-2019-13704
CVE-2019-13705
CVE-2019-15903
CVE-2019-13713
CVE-2019-13719
CVE-2019-13718
CVE-2019-13717
CVE-2019-13714
CVE-2019-13715
CVE-2019-13716
CVE-2019-13702
CVE-2019-13701
CVE-2019-13699
CVE-2019-13700
CWE-ID CWE-290
CWE-693
CWE-200
CWE-125
CWE-451
CWE-264
CWE-94
CWE-399
CWE-416
CWE-119
Exploitation vector Network
Public exploit Public exploit code for vulnerability #10 is available.
Vulnerable software
Subscribe
Google Chrome
Client/Desktop applications / Web browsers

Vendor Google

Security Bulletin

This security bulletin contains information about 21 vulnerabilities.

1) Authentication Bypass by Spoofing

EUVDB-ID: #VU22222

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13708

CWE-ID: CWE-290 - Authentication Bypass by Spoofing

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to an unspecified error that allows a remote attacker to spoof HTTP authentication window and gain unauthorized access to victim's credentials.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Protection Mechanism Failure

EUVDB-ID: #VU22223

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13709

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error that allows a remote attacker to bypass file download security feature and silently download dangerous files to the victim's system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Protection Mechanism Failure

EUVDB-ID: #VU22225

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13710

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error that allows a remote attacker to bypass file download security feature and silently download dangerous files to the victim's system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Information disclosure

EUVDB-ID: #VU22224

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13711

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to unspecified error. A remote attacker can gain unauthorized access to sensitive information from another security context.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Information disclosure

EUVDB-ID: #VU22221

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13707

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the application allows disclosure of file storage. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Out-of-bounds read

EUVDB-ID: #VU22220

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13706

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing PDF content within the PDFium component. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system on crash the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Spoofing attack

EUVDB-ID: #VU22217

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13703

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can create a specially crafted webpage and spoof URL in the browser bar.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU22218

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13704

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to an error when processing CSP policies. A remote attacker can bypass CSP protection mechanism and perform cross-domain requests.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU22219

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13705

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to incorrect processing of permissions in the Extension component. A remote attacker can create a specially crafted webpage, trick the victim into visiting it and bypass certain security restrictions.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Out-of-bounds read

EUVDB-ID: #VU21091

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-15903

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing XML documents within the expat library. A remote attacker can create a specially crafted XML file, pass it to the affected application, trigger out-of-bounds read error and read contents of memory on the system or crash the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: before 78.0.3904.70

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

11) Information disclosure

EUVDB-ID: #VU22226

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13713

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to cross-origin data leak. A remote attacker can gain unauthorized access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Spoofing attack

EUVDB-ID: #VU22231

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13719

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of browser notifications. A remote attacker can create a specially crafted web page and spoof contents of notifications that are displayed to the user.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Spoofing attack

EUVDB-ID: #VU22232

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13718

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of IDN domain names. A remote attacker can register a specially crafted domain name and perform spoofing attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Spoofing attack

EUVDB-ID: #VU22230

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13717

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of browser notifications. A remote attacker can create a specially crafted web page and spoof contents of notifications that are displayed to the user.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Code Injection

EUVDB-ID: #VU22227

Risk: Low

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13714

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation when processing CSS files. A remote attacker can send create a specially crafted webpage and perform CSS injection attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Spoofing attack

EUVDB-ID: #VU22228

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13715

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can create a specially crafted webpage and spoof the browser's address bar.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Resource management error

EUVDB-ID: #VU22229

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13716

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a resource management error. A remote attacker can use a specially crafted webpage to crash the affected browser.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU22216

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13702

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to unspecified error in the Installer component. A remote attacker can bypass certain security restrictions.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Spoofing attack

EUVDB-ID: #VU22215

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13701

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can create a specially crafted webpage and spoof browser URL in navigation.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Use-after-free

EUVDB-ID: #VU22213

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13699

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in media component. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Buffer overflow

EUVDB-ID: #VU22214

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13700

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the Blink component. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 75.0.3770.80 - 77.0.3865.120

External links

http://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###