Risk | Critical |
Patch available | YES |
Number of vulnerabilities | 42 |
CVE-ID | CVE-2019-19880 CVE-2020-6409 CVE-2020-6401 CVE-2020-6402 CVE-2020-6403 CVE-2020-6404 CVE-2020-6405 CVE-2020-6406 CVE-2020-6407 CVE-2020-6408 CVE-2020-6410 CVE-2020-6399 CVE-2020-6411 CVE-2020-6412 CVE-2020-6413 CVE-2020-6414 CVE-2020-6415 CVE-2020-6416 CVE-2020-6418 CVE-2020-6420 CVE-2020-6400 CVE-2020-6398 CVE-2019-19923 CVE-2020-6387 CVE-2019-19925 CVE-2019-19926 CVE-2020-6381 CVE-2020-6382 CVE-2020-6383 CVE-2020-6384 CVE-2020-6385 CVE-2020-6386 CVE-2020-6388 CVE-2020-6397 CVE-2020-6389 CVE-2020-6390 CVE-2020-6391 CVE-2020-6392 CVE-2020-6393 CVE-2020-6394 CVE-2020-6395 CVE-2020-6396 |
CWE-ID | CWE-822 CWE-254 CWE-20 CWE-125 CWE-416 CWE-787 CWE-843 CWE-264 CWE-346 CWE-908 CWE-476 CWE-434 CWE-190 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #6 is available. Vulnerability #19 is being exploited in the wild. |
Vulnerable software | chromium (Debian package) Operating systems & Components / Operating system package or component |
Vendor | Debian |
Security Bulletin
This security bulletin contains information about 42 vulnerabilities.
EUVDB-ID: #VU23794
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-19880
CWE-ID:
CWE-822 - Untrusted Pointer Dereference
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an invalid pointer dereference in the exprListAppendList() function in window.c when processing constant integer values in ORDER BY clauses. A remote attacker with the ability to interact with a query can execute arbitrary code on the target system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24969
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6409
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to an inappropriate implementation in Omnibox. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass certain security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24964
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6401
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input in the Omnibox component. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass implemented security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24967
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6402
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient policy enforcement in downloads. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass certain security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24961
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6403
CWE-ID: N/A
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to an incorrect implementation of UI security mechanisms in the Omnibox component. A remote attacker can create a specially crafted website, trick the victim into visiting it and perform a spoofing attack.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24968
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-6404
CWE-ID:
CWE-254 - Security Features
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to an inappropriate implementation in Blink. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass certain security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU24958
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6405
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in SQLite. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds read error and read contents of memory on the system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24973
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6406
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a use-after-free error within the audio component. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU25566
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6407
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in streams. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24954
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6408
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient policy enforcement in CORS. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass certain security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24955
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6410
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient policy enforcement in navigation. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass certain security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24953
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6399
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient policy enforcement in AppCache. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass certain security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24965
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6411
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input in the Omnibox component. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass implemented security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24966
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6412
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input in the Omnibox component. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass implemented security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24970
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6413
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to an inappropriate implementation in Blink. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass certain security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24956
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6414
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient policy enforcement in Safe Browsing. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass certain security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24971
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6415
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to an inappropriate implementation in JavaScript. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass certain security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24974
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6416
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input in streams. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass implemented security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU25567
Risk: Critical
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2020-6418
CWE-ID:
CWE-843 - Type confusion
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in the V8 component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Note: This vulnerability is being actively exploited in the wild.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU25754
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6420
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in media. A remote attacker can bypass implemented security restrictions and compromise the affected system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24963
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6400
CWE-ID:
CWE-346 - Origin Validation Error
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an incorrect implementation of CORS policies. A remote attacker can bypass implemented security restrictions and interact with web applications outside of the allowed domain.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24962
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6398
CWE-ID:
CWE-908 - Use of Uninitialized Resource
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to the use of uninitialized resources in PDFium. A remote attacker can pass specially crafted data to the application, trigger the use of uninitialized resources and bypass implemented security mechanisms.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23914
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-19923
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because flattenSubquery in "select.c" mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. A remote attacker can cause a NULL pointer dereference and perform a denial of service (DoS) attack.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24929
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6387
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in the WebRTC component. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23915
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-19925
CWE-ID:
CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists because zipfileUpdate in "ext/misc/zipfile.c" mishandles a NULL pathname during an update of a ZIP archive. A remote attacker can upload and execute an arbitrary file on the server.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23793
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-19926
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the multiSelect() function in select.c when parsing certain error messages. A remote attacker can perform a denial of service attack.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24921
Risk: High
CVSSv3.1: 7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6381
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow in the JavaScript engine. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24927
Risk: High
CVSSv3.1: 7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6382
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in the JavaScript engine. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU25505
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6383
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in V8. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU25506
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6384
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error in the WebAudio component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24928
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6385
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security features.
The vulnerability exists due to insufficient policy enforcement in the storage engine. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the affected system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU25537
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6386
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error in the speech component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24931
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6388
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in the WebAudio component. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24960
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6397
CWE-ID: N/A
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect implementation of UI security mechanisms in the sharing component. A remote attacker can create a specially crafted website, trick the victim into visiting it and perform a spoofing attack.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24930
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6389
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in the WebRTC component. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24932
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6390
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in the streams component. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24949
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6391
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input in the Blink component. A remote attacker can create a specially crafted webpage, trick the victim into visiting it and bypass implemented security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24950
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6392
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient policy enforcement in extensions. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass certain security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24951
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6393
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient policy enforcement in Blink. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass certain security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24952
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6394
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient policy enforcement in Blink. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass certain security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24957
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6395
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the JavaScript engine. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24959
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6396
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to an inappropriate implementation in Skia. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass certain security restrictions.
Mitigation: Update chromium package to version 80.0.3987.132-1~deb10u1.
Vulnerable software versions: chromium (Debian package): 76.0.3809.100-1~deb10u1 - 79.0.3945.130-1~deb10u1
CPE2.3
http://www.debian.org/security/2020/dsa-4638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.