Multiple vulnerabilities in Microsoft Edge



Published: 2022-01-06 | Updated: 2022-01-07
Risk High
Patch available YES
Number of vulnerabilities 29
CVE-ID CVE-2022-0105
CVE-2022-21930
CVE-2022-21931
CVE-2022-21954
CVE-2022-0096
CVE-2022-0097
CVE-2022-0098
CVE-2022-0099
CVE-2022-0100
CVE-2022-0101
CVE-2022-0102
CVE-2022-0103
CVE-2022-0104
CVE-2022-21929
CVE-2022-0106
CVE-2022-0107
CVE-2022-0108
CVE-2022-0109
CVE-2022-0110
CVE-2022-0111
CVE-2022-0112
CVE-2022-0113
CVE-2022-0114
CVE-2022-0115
CVE-2022-0116
CVE-2022-0117
CVE-2022-0118
CVE-2022-0120
CVE-2022-21970
CWE-ID CWE-416
CWE-79
CWE-358
CWE-122
CWE-843
CWE-451
CWE-125
CWE-908
CWE-264
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Microsoft Edge
Client/Desktop applications / Web browsers

Vendor Microsoft

Security Bulletin

This security bulletin contains information about 29 vulnerabilities.

Updated: 07.01.2022

Added vulnerability #29.

1) Use-after-free

EUVDB-ID: #VU59204

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0105

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the PDF component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1274376
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0105

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Cross-site scripting

EUVDB-ID: #VU59272

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21930

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of arbitrary website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21930

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Cross-site scripting

EUVDB-ID: #VU59271

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21931

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of arbitrary website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21931

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

4) Cross-site scripting

EUVDB-ID: #VU59270

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21954

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of arbitrary website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21954

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

5) Use-after-free

EUVDB-ID: #VU59195

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0096

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Storage component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1275020
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0096

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

6) Improperly implemented security check for standard

EUVDB-ID: #VU59196

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0097

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in DevTools in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1117173
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0097

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

7) Use-after-free

EUVDB-ID: #VU59197

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0098

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Screen Capture component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1273609
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0098

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

8) Use-after-free

EUVDB-ID: #VU59198

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0099

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Sign-in component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1245629
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0099

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

9) Heap-based buffer overflow

EUVDB-ID: #VU59199

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0100

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in Media streams API. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1238209
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0100

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

10) Heap-based buffer overflow

EUVDB-ID: #VU59200

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0101

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in Bookmarks. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1249426
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0101

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

11) Type Confusion

EUVDB-ID: #VU59201

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0102

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1260129
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0102

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

12) Use-after-free

EUVDB-ID: #VU59202

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0103

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the SwiftShader component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1272266
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0103

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

13) Heap-based buffer overflow

EUVDB-ID: #VU59203

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0104

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in ANGLE. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1273661
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0104

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

14) Cross-site scripting

EUVDB-ID: #VU59269

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21929

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of arbitrary website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21929

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

15) Use-after-free

EUVDB-ID: #VU59205

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0106

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Autofill component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1278960
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0106

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

16) Use-after-free

EUVDB-ID: #VU59206

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0107

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within File Manager API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1248438
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0107

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

17) Improperly implemented security check for standard

EUVDB-ID: #VU59207

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0108

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Navigation in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1248444
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0108

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

18) Improperly implemented security check for standard

EUVDB-ID: #VU59208

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0109

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Autofill in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1261689
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0109

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

19) Spoofing attack

EUVDB-ID: #VU59209

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0110

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Autofill in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1237310
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0110

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

20) Improperly implemented security check for standard

EUVDB-ID: #VU59210

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0111

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Navigation in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1241188
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0111

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

21) Spoofing attack

EUVDB-ID: #VU59211

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0112

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Browser UI in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1255713
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0112

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

22) Improperly implemented security check for standard

EUVDB-ID: #VU59212

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0113

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Blink in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1039885
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0113

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

23) Out-of-bounds read

EUVDB-ID: #VU59213

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0114

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to crash the browser.

The vulnerability exists due to a boundary condition within the Web Serial component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an out-of-bounds read error and crash the browser.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1267627
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0114

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

24) Use of uninitialized resource

EUVDB-ID: #VU59214

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0115

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to usage of uninitialized resources in File API in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger uninitialized usage of resources and bypass implemented security mechanisms.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1268903
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0115

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

25) Improperly implemented security check for standard

EUVDB-ID: #VU59215

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0116

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Compositing in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1272250
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0116

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

26) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59218

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-0117

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due incorrect implementation of policy restrictions in Service Workers. A remote attacker can trick the victim to open a specially crafted web page and bypass implemented security restrictions.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1115847
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0117

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

27) Improperly implemented security check for standard

EUVDB-ID: #VU59216

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-0118

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in WebShare in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1238631
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0118

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

28) Improperly implemented security check for standard

EUVDB-ID: #VU59217

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-0120

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Passwords in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1262953
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0120

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

29) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59287

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21970

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.62


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21970

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###