Multiple vulnerabilities in Google Chrome
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 14 |
| CVE-ID | CVE-2023-0128 CVE-2023-0129 CVE-2023-0130 CVE-2023-0131 CVE-2023-0132 CVE-2023-0133 CVE-2023-0134 CVE-2023-0135 CVE-2023-0136 CVE-2023-0137 CVE-2023-0138 CVE-2023-0139 CVE-2023-0140 CVE-2023-0141 |
| CWE-ID | CWE-416 CWE-122 CWE-358 CWE-20 CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains information about 14 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU70943
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-0128
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Overview Mode component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1353208
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
2) Heap-based buffer overflow
EUVDB-ID: #VU70944
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-0129
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in Network Service. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1382033
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-0129
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
3) Improperly implemented security check for standard
EUVDB-ID: #VU70945
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-0130
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Fullscreen API in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1370028
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-0130
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
4) Improperly implemented security check for standard
EUVDB-ID: #VU70946
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-0131
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in iframe Sandbox in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1357366
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-0131
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
5) Improperly implemented security check for standard
EUVDB-ID: #VU70947
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-0132
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Permission prompts in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1371215
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-0132
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
6) Improperly implemented security check for standard
EUVDB-ID: #VU70948
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-0133
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Permission prompts in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1375132
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-0133
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
7) Use-after-free
EUVDB-ID: #VU70949
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2023-0134
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within Cart in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1385709
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-0134
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
8) Use-after-free
EUVDB-ID: #VU70950
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2023-0135
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within Cart in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1385831
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-0135
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
9) Improperly implemented security check for standard
EUVDB-ID: #VU70951
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-0136
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Fullscreen API in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1356987
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-0136
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
10) Heap-based buffer overflow
EUVDB-ID: #VU70952
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2023-0137
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in Platform Apps. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1399904
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
11) Heap-based buffer overflow
EUVDB-ID: #VU70953
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2023-0138
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing untrusted HTML content in libphonenumber. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and crash the browser.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1346675
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-0138
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
12) Input validation error
EUVDB-ID: #VU70954
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2023-0139
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to crash the browser.
The vulnerability exists due to a improper input validation in Downloads in Google Chrome. A remote attacker can trick the victim to perform certain actions in browser and crash it.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1367632
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-0139
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
13) Improperly implemented security check for standard
EUVDB-ID: #VU70955
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2023-0140
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in File System API in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1326788
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-0140
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
14) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU70956
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2023-0141
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in CORS in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.
MitigationUpdate to version 109.0.5414.74.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 108.0.5359.125
CPE2.3 External links
http://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html
http://crbug.com/1362331
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-0141
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
