Main Vulnerability Database SB20230820228

SB20230820228 - Fedora 37 update for chromium

Published: August 20, 2023 Updated: June 7, 2024

Security Bulletin ID SB20230820228

Severity

Critical

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Type Confusion (CVE-ID: CVE-2023-3079)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error within the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.

Note, the vulnerability is being actively exploited in the wild.

2) Information disclosure (CVE-ID: CVE-2023-3709)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected plugin adds the API key to the source code of any page running the MailChimp block. A remote attacker can obtain a site's MailChimp API key.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2023-f4954af225