Debian update for chromium



Published: 2022-08-07
Risk: High
Patch available: YES
Number of vulnerabilities: 22
CVE-ID: CVE-2022-2603, CVE-2022-2604, CVE-2022-2605, CVE-2022-2606, CVE-2022-2607, CVE-2022-2608, CVE-2022-2609, CVE-2022-2610, CVE-2022-2611, CVE-2022-2612, CVE-2022-2613, CVE-2022-2614, CVE-2022-2615, CVE-2022-2616, CVE-2022-2617, CVE-2022-2618, CVE-2022-2619, CVE-2022-2620, CVE-2022-2621, CVE-2022-2622, CVE-2022-2623, CVE-2022-2624
CWE-ID: CWE-416, CWE-125, CWE-264, CWE-358, CWE-310, CWE-20, CWE-122
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Debian Linux
Operating systems & Components / Operating system

chromium (Debian package)
Operating systems & Components / Operating system package or component

Vendor: Debian

Security Bulletin

This security bulletin contains information about 22 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU65958

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2603

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the Omnibox component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

2) Use-after-free

EUVDB-ID: #VU65959

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2604

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the Safe Browsing component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

3) Out-of-bounds read

EUVDB-ID: #VU65960

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2605

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the Dawn component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an out-of-bounds read error and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

4) Use-after-free

EUVDB-ID: #VU65961

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2606

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the Managed devices API component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

5) Use-after-free

EUVDB-ID: #VU65962

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2607

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the Tab Strip component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

6) Use-after-free

EUVDB-ID: #VU65963

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2608

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the Overview Mode component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

7) Use-after-free

EUVDB-ID: #VU65964

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2609

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the Nearby Share component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

8) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU65965

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2610

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in Background Fetch in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

9) Improperly implemented security check for standard

EUVDB-ID: #VU65966

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2611

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Fullscreen API in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

10) Cryptographic issues

EUVDB-ID: #VU65967

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2612

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a side-channel information leak in Keyboard input in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into opening it and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

11) Use-after-free

EUVDB-ID: #VU65968

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2613

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within Input in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

12) Use-after-free

EUVDB-ID: #VU65969

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2614

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within Sign-In Flow in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

13) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU65970

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2615

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in Cookies in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

14) Improperly implemented security check for standard

EUVDB-ID: #VU65971

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2616

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Extensions API in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

15) Use-after-free

EUVDB-ID: #VU65972

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2617

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within Extensions API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

16) Input validation error

EUVDB-ID: #VU65973

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2618

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in Internals in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

17) Input validation error

EUVDB-ID: #VU65974

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2619

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in Settings in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

18) Use-after-free

EUVDB-ID: #VU65975

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2620

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within WebUI in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

19) Use-after-free

EUVDB-ID: #VU65976

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2621

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within Extensions in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

20) Input validation error

EUVDB-ID: #VU65977

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2622

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in Safe Browsing in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

21) Use-after-free

EUVDB-ID: #VU65978

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2623

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within Offline in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

22) Heap-based buffer overflow

EUVDB-ID: #VU65979

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2624

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in the PDF component of Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update chromium package to version 104.0.5112.79-1~deb11u1.

Vulnerable software versions

Debian Linux: All versions

chromium (Debian package): before 104.0.5112.79-1~deb11u1


External links

http://www.debian.org/security/2022/dsa-5201

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?


