Multiple vulnerabilities in Techland Chrome
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2011-2345 CVE-2011-2346 CVE-2011-2347 CVE-2011-2348 CVE-2011-2349 CVE-2011-2350 CVE-2011-2351 |
| CWE-ID | CWE-125 CWE-416 CWE-119 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU44905
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-2345
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The NPAPI implementation in Google Chrome before 12.0.742.112 does not properly handle strings, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=77493
http://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
http://secunia.com/advisories/45097
http://www.securitytracker.com/id?1025730
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14411
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free
EUVDB-ID: #VU44906
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-2346
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors involving SVG fonts. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 12.0.742.112.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=84355
http://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
http://secunia.com/advisories/45097
http://www.securitytracker.com/id?1025730
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14103
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU44907
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-2347
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Google Chrome before 12.0.742.112 does not properly handle Cascading Style Sheets (CSS) token sequences, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=85003
http://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
http://secunia.com/advisories/45097
http://www.securitytracker.com/id?1025730
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14649
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU44908
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-2348
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Google V8, as used in Google Chrome before 12.0.742.112, performs an incorrect bounds check, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=85177
http://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
http://secunia.com/advisories/45097
http://www.securitytracker.com/id?1025730
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14324
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use-after-free
EUVDB-ID: #VU44909
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-2349
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to text selection. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 12.0.742.112.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=85418
http://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
http://secunia.com/advisories/45097
http://www.securitytracker.com/id?1025730
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU44910
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-2350
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The HTML parser in Google Chrome before 12.0.742.112 does not properly address "lifetime and re-entrancy issues," which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=85102
http://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
http://secunia.com/advisories/45097
http://www.securitytracker.com/id?1025730
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14479
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use-after-free
EUVDB-ID: #VU44911
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-2351
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors involving SVG use elements. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 12.0.742.112.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=85211
http://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00000.html
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00004.html
http://secunia.com/advisories/45097
http://support.apple.com/kb/HT4981
http://support.apple.com/kb/HT4999
http://support.apple.com/kb/HT5000
http://www.securitytracker.com/id?1025730
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14053
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
