SB2019110302 - OpenSUSE Linux update for chromium, re2




Published: November 3, 2019 Updated: January 17, 2022

Security Bulletin ID: SB2019110302
Severity: High
Patch available: YES
Number of vulnerabilities: 21
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 10%
Medium: 14%
Low: 76%

Description

This security bulletin contains information about 21 security vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2019-13699)

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error in the media component. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.


2) Buffer overflow (CVE-ID: CVE-2019-13700)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the Blink component. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


3) Spoofing attack (CVE-ID: CVE-2019-13701)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can create a specially crafted webpage and spoof the browser URL during navigation.


4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-13702)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to an unspecified error in the Installer component. A remote attacker can bypass certain security restrictions.


5) Spoofing attack (CVE-ID: CVE-2019-13703)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can create a specially crafted webpage and spoof the URL shown in the browser's address bar.


6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-13704)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to an error when processing CSP policies. A remote attacker can bypass the CSP protection mechanism and perform cross-domain requests.


7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-13705)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to incorrect processing of permissions in the Extension component. A remote attacker can create a specially crafted webpage, trick the victim into visiting it and bypass certain security restrictions.


8) Out-of-bounds read (CVE-ID: CVE-2019-13706)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing PDF content within the PDFium component. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system or crash the application.


9) Information disclosure (CVE-ID: CVE-2019-13707)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the application allows disclosure of file storage. A remote attacker can gain unauthorized access to sensitive information on the system.


10) Authentication Bypass by Spoofing (CVE-ID: CVE-2019-13708)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to an unspecified error that allows a remote attacker to spoof the HTTP authentication window and gain unauthorized access to the victim's credentials.


11) Protection Mechanism Failure (CVE-ID: CVE-2019-13709)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to an unspecified error that allows a remote attacker to bypass the file download security feature and silently download dangerous files to the victim's system.


12) Protection Mechanism Failure (CVE-ID: CVE-2019-13710)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to an unspecified error that allows a remote attacker to bypass the file download security feature and silently download dangerous files to the victim's system.


13) Information disclosure (CVE-ID: CVE-2019-13711)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an unspecified error. A remote attacker can gain unauthorized access to sensitive information from another security context.


14) Information disclosure (CVE-ID: CVE-2019-13713)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a cross-origin data leak. A remote attacker can gain unauthorized access to sensitive information.


15) Code Injection (CVE-ID: CVE-2019-13714)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation when processing CSS files. A remote attacker can create a specially crafted webpage and perform a CSS injection attack.


16) Spoofing attack (CVE-ID: CVE-2019-13715)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can create a specially crafted webpage and spoof the browser's address bar.


17) Resource management error (CVE-ID: CVE-2019-13716)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a resource management error. A remote attacker can use a specially crafted webpage to crash the affected browser.


18) Spoofing attack (CVE-ID: CVE-2019-13717)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect processing of browser notifications. A remote attacker can create a specially crafted web page and spoof the contents of notifications that are displayed to the user.


19) Spoofing attack (CVE-ID: CVE-2019-13718)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect processing of IDN domain names. A remote attacker can register a specially crafted domain name and perform a spoofing attack.


20) Spoofing attack (CVE-ID: CVE-2019-13719)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect processing of browser notifications. A remote attacker can create a specially crafted web page and spoof the contents of notifications that are displayed to the user.


21) Out-of-bounds read (CVE-ID: CVE-2019-15903)

The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing XML documents within the expat library. A remote attacker can create a specially crafted XML file, pass it to the affected application, trigger an out-of-bounds read error and read the contents of memory on the system or crash the affected application.


Remediation

Install the update from the vendor's website.