Multiple vulnerabilities in Chrome



Published: 2012-05-24 | Updated: 2023-02-13
Risk: High
Patch available: YES
Number of vulnerabilities: 12
CVE-ID: CVE-2011-3105, CVE-2011-3106, CVE-2011-3107, CVE-2011-3108, CVE-2011-3110, CVE-2011-3111, CVE-2011-3112, CVE-2011-3113, CVE-2011-3114, CVE-2011-3115, CVE-2011-3103, CVE-2011-3104
CWE-ID: CWE-416, CWE-119, CWE-20, CWE-399
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Google Chrome
Client/Desktop applications / Web browsers

Vendor Google

Security Bulletin

This security bulletin contains information about 12 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU44041

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2011-3105

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error when processing vectors related to the :first-letter pseudo-element. A remote attacker can cause a denial of service or possibly have unspecified other impact.

Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 19.0.1028.0 - 19.0.1084.50

External links

http://code.google.com/p/chromium/issues/detail?id=120912
http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html
http://lists.apple.com/archives/security-announce/2012/Sep/msg00001.html
http://lists.apple.com/archives/security-announce/2012/Sep/msg00003.html
http://lists.apple.com/archives/security-announce/2012/Sep/msg00005.html
http://osvdb.org/82242
http://secunia.com/advisories/49277
http://secunia.com/advisories/49306
http://security.gentoo.org/glsa/glsa-201205-04.xml
http://support.apple.com/kb/HT5485
http://support.apple.com/kb/HT5502
http://support.apple.com/kb/HT5503
http://www.securityfocus.com/bid/53679
http://www.securitytracker.com/id?1027098
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15535


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU44042

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2011-3106

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The WebSockets implementation in Google Chrome before 19.0.1084.52 does not properly handle use of SSL, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 19.0.1028.0 - 19.0.1084.50

External links

http://code.google.com/p/chromium/issues/detail?id=122654
http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html
http://osvdb.org/82251
http://secunia.com/advisories/49277
http://secunia.com/advisories/49306
http://security.gentoo.org/glsa/glsa-201205-04.xml
http://www.securityfocus.com/bid/53679
http://www.securitytracker.com/id?1027098
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15470


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU44043

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2011-3107

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Google Chrome before 19.0.1084.52 does not properly implement JavaScript bindings for plug-ins, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via unknown vectors.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 19.0.1028.0 - 19.0.1084.50

External links

http://code.google.com/p/chromium/issues/detail?id=124625
http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html
http://osvdb.org/82252
http://secunia.com/advisories/49277
http://secunia.com/advisories/49306
http://security.gentoo.org/glsa/glsa-201205-04.xml
http://www.securityfocus.com/bid/53679
http://www.securitytracker.com/id?1027098
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15409


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use-after-free

EUVDB-ID: #VU44044

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2011-3108

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error when processing vectors related to the browser cache. A remote attacker can execute arbitrary code.

Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 19.0.1028.0 - 19.0.1084.50

External links

http://code.google.com/p/chromium/issues/detail?id=125159
http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html
http://secunia.com/advisories/49277
http://secunia.com/advisories/49306
http://security.gentoo.org/glsa/glsa-201205-04.xml
http://www.securityfocus.com/bid/53679
http://www.securitytracker.com/id?1027098
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14947


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Buffer overflow

EUVDB-ID: #VU44045

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2011-3110

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The PDF functionality in Google Chrome before 19.0.1084.52 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger out-of-bounds write operations.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 19.0.1028.0 - 19.0.1084.50

External links

http://code.google.com/p/chromium/issues/detail?id=126337
http://code.google.com/p/chromium/issues/detail?id=126343
http://code.google.com/p/chromium/issues/detail?id=126378
http://code.google.com/p/chromium/issues/detail?id=127349
http://code.google.com/p/chromium/issues/detail?id=127819
http://code.google.com/p/chromium/issues/detail?id=127868
http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html
http://osvdb.org/82245
http://secunia.com/advisories/49277
http://www.securityfocus.com/bid/53679
http://www.securitytracker.com/id?1027098
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14666


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Buffer overflow

EUVDB-ID: #VU44046

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2011-3111

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Google V8, as used in Google Chrome before 19.0.1084.52, allows remote attackers to cause a denial of service (invalid read operation) via unspecified vectors.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 19.0.1028.0 - 19.0.1084.50

External links

http://code.google.com/p/chromium/issues/detail?id=126414
http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html
http://secunia.com/advisories/49277
http://secunia.com/advisories/49306
http://security.gentoo.org/glsa/glsa-201205-04.xml
http://www.securityfocus.com/bid/53679
http://www.securitytracker.com/id?1027098
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15549


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Use-after-free

EUVDB-ID: #VU44047

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2011-3112

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error when processing an invalid encrypted document. A remote attacker can cause a denial of service or possibly have unspecified other impact.

Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 19.0.1028.0 - 19.0.1084.50

External links

http://code.google.com/p/chromium/issues/detail?id=127331
http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html
http://osvdb.org/82247
http://secunia.com/advisories/49277
http://www.securityfocus.com/bid/53679
http://www.securitytracker.com/id?1027098
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15076


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Input validation error

EUVDB-ID: #VU44048

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2011-3113

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The PDF functionality in Google Chrome before 19.0.1084.52 does not properly perform a cast of an unspecified variable during handling of color spaces, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 19.0.1028.0 - 19.0.1084.50

External links

http://code.google.com/p/chromium/issues/detail?id=127883
http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html
http://osvdb.org/82248
http://secunia.com/advisories/49277
http://www.securityfocus.com/bid/53679
http://www.securitytracker.com/id?1027098
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15566


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Buffer overflow

EUVDB-ID: #VU44049

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2011-3114

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple buffer overflows in the PDF functionality in Google Chrome before 19.0.1084.52 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger unknown function calls.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 19.0.1028.0 - 19.0.1084.50

External links

http://code.google.com/p/chromium/issues/detail?id=128014
http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html
http://osvdb.org/82249
http://secunia.com/advisories/49277
http://www.securityfocus.com/bid/53679
http://www.securitytracker.com/id?1027098
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15545


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Buffer overflow

EUVDB-ID: #VU44050

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2011-3115

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Google V8, as used in Google Chrome before 19.0.1084.52, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger "type corruption."

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 19.0.1028.0 - 19.0.1084.50

External links

http://code.google.com/p/chromium/issues/detail?id=128018
http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html
http://secunia.com/advisories/49277
http://secunia.com/advisories/49306
http://security.gentoo.org/glsa/glsa-201205-04.xml
http://www.securityfocus.com/bid/53679
http://www.securitytracker.com/id?1027098
http://exchange.xforce.ibmcloud.com/vulnerabilities/75853
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15433


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Resource management error

EUVDB-ID: #VU44051

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2011-3103

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Google V8, as used in Google Chrome before 19.0.1084.52, does not properly perform garbage collection, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaScript code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 19.0.1028.0 - 19.0.1084.50

External links

http://code.google.com/p/chromium/issues/detail?id=117409
http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html
http://secunia.com/advisories/49277
http://secunia.com/advisories/49306
http://security.gentoo.org/glsa/glsa-201205-04.xml
http://www.securityfocus.com/bid/53679
http://www.securitytracker.com/id?1027098
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15095


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Buffer overflow

EUVDB-ID: #VU44052

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2011-3104

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Skia, as used in Google Chrome before 19.0.1084.52, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 19.0.1028.0 - 19.0.1084.50

External links

http://code.google.com/p/chromium/issues/detail?id=118018
http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html
http://secunia.com/advisories/49277
http://secunia.com/advisories/49306
http://security.gentoo.org/glsa/glsa-201205-04.xml
http://www.securityfocus.com/bid/53679
http://www.securitytracker.com/id?1027098
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15471


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


