Multiple vulnerabilities in Google Chrome



Published: 2020-11-17
Risk High
Patch available YES
Number of vulnerabilities 33
CVE ID CVE-2020-16023
CVE-2020-16036
CVE-2020-16035
CVE-2020-16034
CVE-2020-16033
CVE-2020-16032
CVE-2020-16031
CVE-2020-16030
CVE-2020-16029
CVE-2020-16028
CVE-2020-16027
CVE-2020-16026
CVE-2020-16025
CVE-2020-16024
CVE-2020-16014
CVE-2020-16015
CVE-2020-16022
CVE-2020-16021
CVE-2020-16020
CVE-2020-16019
CVE-2020-16018
CVE-2019-8075
CVE-2020-16012
CWE ID CWE-119
CWE-416
CWE-358
CWE-20
CWE-451
CWE-122
CWE-264
CWE-362
CWE-942
CWE-346
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Google Chrome
Client/Desktop applications / Web browsers

Vendor Google, Inc.

Security Advisory

1) Memory corruption

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1136078
https://crbug.com/1140197

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use-after-free

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16023

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the WebCodecs component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1146761

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improperly implemented security check for standard

Risk: Low

CVSSv3: 2.7 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-16036

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in cookies in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/830808

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

Risk: Medium

CVSSv3: 4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16035

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in cros-disks in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1139409

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improperly implemented security check for standard

Risk: High

CVSSv3: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16034

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in WebRTC in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1137362

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Spoofing attack

Risk: Medium

CVSSv3: 4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16033

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in WebUSB in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1143057

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Spoofing attack

Risk: Medium

CVSSv3: 4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16032

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in sharing in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1136714

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Spoofing attack

Risk: Medium

CVSSv3: 4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16031

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in tab preview in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1133183

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Input validation error

Risk: Medium

CVSSv3: 4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16030

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in Blink in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1141350

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improperly implemented security check for standard

Risk: High

CVSSv3: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16029

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in PDFium in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1134338

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Heap-based buffer overflow

Risk: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16028

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in WebRTC. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1138446

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Permissions, Privileges, and Access Controls

Risk: Medium

CVSSv3: 4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16027

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in developer tools in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1116444

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Use-after-free

Risk: Medium

CVSSv3: 5.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16026

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within WebRTC in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1139153

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Heap-based buffer overflow

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16025

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in clipboard. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1147431

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Heap-based buffer overflow

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16024

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in UI. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1147430

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Use-after-free

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16014

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the PPAPI component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1146675

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Memory corruption

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1136078
https://crbug.com/1142020

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Input validation error

Risk: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16015

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation in WASM in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and execute arbitrary code on the system.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1146673

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Permissions, Privileges, and Access Controls

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16022

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in networking in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and compromise the affected system.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1145680

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Race condition

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16021

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a race condition in ImageBurner in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and execute arbitrary code on the target system.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1139414

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Improperly implemented security check for standard

Risk: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16020

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in cryptohome in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1139411

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Improperly implemented security check for standard

Risk: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16019

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in filesystem in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1139408

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Use-after-free

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16018

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the payments component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 87.0.4280.66.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1136078

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Security restrictions bypass

Risk: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to unspecified error. A remote attacker can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1136078
https://crbug.com/1055608

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Security restrictions bypass

Risk: Medium

CVSSv3: 4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to unspecified error. A remote attacker can bypass imposed security restrictions or gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1136078
https://crbug.com/1123035

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Security restrictions bypass

Risk: Medium

CVSSv3: 4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to unspecified error. A remote attacker can bypass imposed security restrictions or gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1136078
https://crbug.com/1146025

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Memory corruption

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1136078
https://crbug.com/1127595

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Memory corruption

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1136078
https://crbug.com/1133009

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Memory corruption

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1136078
https://crbug.com/1133047

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Memory corruption

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1136078
https://crbug.com/1137603

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Memory corruption

Risk: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1136078
https://crbug.com/1140949

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Overly permissive cross-domain whitelist

Risk: Medium

CVSSv3: 4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-8075

CWE-ID: CWE-942 - Overly Permissive Cross-domain Whitelist

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass the CORS protection mechanism.

The vulnerability exists due to incorrect processing of the "Origin" HTTP header that is supplied within HTTP request in Adobe Flash player. A remote attacker can bypass implemented same origin policy restrictions and gain access to sensitive information from another domain.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/945997

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Origin validation error

Risk: Medium

CVSSv3: 4.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16012

CWE-ID: CWE-346 - Origin Validation Error

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the way browser handles requests to cross-origin images. When drawing a transparent image on top of an unknown cross-origin image, the Skia library drawImage function takes a variable amount of time depending on the content of the underlying image. This results in cross-origin information exposure of image content through timing side-channel attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 87.0.4280.0, 87.0.4280.1, 87.0.4280.2, 87.0.4280.3, 87.0.4280.4, 87.0.4280.5, 87.0.4280.6, 87.0.4280.7, 87.0.4280.8, 87.0.4280.9, 87.0.4280.10, 87.0.4280.11, 87.0.4280.12, 87.0.4280.13, 87.0.4280.14, 87.0.4280.15, 87.0.4280.16, 87.0.4280.17, 87.0.4280.18, 87.0.4280.19, 87.0.4280.20, 87.0.4280.21, 87.0.4280.22, 87.0.4280.23, 87.0.4280.24, 87.0.4280.25, 87.0.4280.26, 87.0.4280.27, 87.0.4280.28, 87.0.4280.29, 87.0.4280.30, 87.0.4280.31, 87.0.4280.32, 87.0.4280.33, 87.0.4280.34, 87.0.4280.35, 87.0.4280.36, 87.0.4280.37, 87.0.4280.38, 87.0.4280.39, 87.0.4280.40, 87.0.4280.41, 87.0.4280.42, 87.0.4280.43, 87.0.4280.44, 87.0.4280.45, 87.0.4280.47, 87.0.4280.49, 87.0.4280.51, 87.0.4280.52, 87.0.4280.53, 87.0.4280.54, 87.0.4280.55, 87.0.4280.56, 87.0.4280.57, 87.0.4280.58, 87.0.4280.59, 87.0.4280.60, 87.0.4280.61, 87.0.4280.62, 87.0.4280.63, 87.0.4280.64, 87.0.4280.65

CPE External links

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
https://crbug.com/1088224

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.