Debian update for chromium



Published: 2022-04-28 | Updated: 2022-04-29

Risk: High

Patch available: YES

Number of vulnerabilities: 25

CVE-ID: CVE-2022-1490, CVE-2022-1501, CVE-2022-1500, CVE-2022-1499, CVE-2022-1498, CVE-2022-1497, CVE-2022-1496, CVE-2022-1495, CVE-2022-1494, CVE-2022-1493, CVE-2022-1492, CVE-2022-1491, CVE-2022-1489, CVE-2022-1477, CVE-2022-1488, CVE-2022-1487, CVE-2022-1486, CVE-2022-1485, CVE-2022-1484, CVE-2022-1483, CVE-2022-1482, CVE-2022-1481, CVE-2022-1480, CVE-2022-1479, CVE-2022-1478

CWE-ID: CWE-416, CWE-358, CWE-20, CWE-451, CWE-125, CWE-843, CWE-122

Exploitation vector: Network

Public exploit: N/A

Vulnerable software: chromium (Debian package) (Operating systems & Components / Operating system package or component)

Vendor: Debian

Security Bulletin

This security bulletin contains information about 25 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU62622

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1490

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within Browser Switcher in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

2) Improperly implemented security check for standard

EUVDB-ID: #VU62633

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1501

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in iframe in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

3) Input validation error

EUVDB-ID: #VU62632

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1500

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in Dev Tools in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

4) Improperly implemented security check for standard

EUVDB-ID: #VU62631

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1499

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in WebAuthentication in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

5) Improperly implemented security check for standard

EUVDB-ID: #VU62630

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1498

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in HTML Parser in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

6) Improperly implemented security check for standard

EUVDB-ID: #VU62629

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1497

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Input in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

7) Use-after-free

EUVDB-ID: #VU62628

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1496

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within File Manager in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

8) Spoofing attack

EUVDB-ID: #VU62627

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1495

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Downloads in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

9) Input validation error

EUVDB-ID: #VU62626

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1494

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in Trusted Types in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

10) Use-after-free

EUVDB-ID: #VU62625

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1493

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within Dev Tools in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

11) Input validation error

EUVDB-ID: #VU62624

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1492

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in Blink Editing in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

12) Use-after-free

EUVDB-ID: #VU62623

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1491

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within Bookmarks in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

13) Out-of-bounds read

EUVDB-ID: #VU62621

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1489

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to crash the browser.

The vulnerability exists due to a boundary condition within the UI Shelf component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an out-of-bounds read error and crash the browser.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

14) Use-after-free

EUVDB-ID: #VU62609

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1477

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the Vulkan component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

15) Improperly implemented security check for standard

EUVDB-ID: #VU62620

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1488

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Extensions API in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

16) Use-after-free

EUVDB-ID: #VU62619

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1487

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within Ozone in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

17) Type Confusion

EUVDB-ID: #VU62618

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1486

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a type confusion error and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

18) Use-after-free

EUVDB-ID: #VU62617

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1485

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within File System API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

19) Heap-based buffer overflow

EUVDB-ID: #VU62616

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1484

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in Web UI Settings. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

20) Heap-based buffer overflow

EUVDB-ID: #VU62615

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1483

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in WebGPU. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

21) Improperly implemented security check for standard

EUVDB-ID: #VU62614

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1482

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in WebGL in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

22) Use-after-free

EUVDB-ID: #VU62613

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1481

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the Sharing component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

23) Use-after-free

EUVDB-ID: #VU62612

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1480

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the Device API component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

24) Use-after-free

EUVDB-ID: #VU62611

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1479

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the ANGLE component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125

25) Use-after-free

EUVDB-ID: #VU62610

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1478

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the SwiftShader component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update chromium package to version 101.0.4951.41-1~deb11u1.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 100.0.4896.127-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5125