Vulnerability-Lookup

CVE-2020-6506 (GCVE-0-2020-6506)

Vulnerability from cvelistv5 – Published: 2020-07-22 16:15 – Updated: 2024-08-04 09:02

Summary

Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page.

Severity

No CVSS data available.

CWE

Insufficient policy enforcement

Assigner

Chrome

References

11 references

URL	Tags
https://chromereleases.googleblog.com/2020/06/sta…	x_refsource_MISC
https://crbug.com/1083819	x_refsource_MISC
https://security.gentoo.org/glsa/202007-08	vendor-advisoryx_refsource_GENTOO
https://lists.apache.org/thread.html/r1eadf38b38e…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r2769c33da7f…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r1ab80f8591d…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rc0ebe639927…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/ra58733fbb88…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rc81e12fc928…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rf082834ad23…	mailing-listx_refsource_MLIST
https://security.gentoo.org/glsa/202101-30	vendor-advisoryx_refsource_GENTOO

Impacted products

1 product

Vendor	Product	Version
Google	Chrome	Affected: unspecified , < 83.0.4103.106 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:02:40.810Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://crbug.com/1083819"
          },
          {
            "name": "GLSA-202007-08",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202007-08"
          },
          {
            "name": "[cordova-issues] 20200929 [GitHub] [cordova-docs] purplecabbage opened a new pull request #1123: Added Security Advisory CVE-2020-6506",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d%40%3Cissues.cordova.apache.org%3E"
          },
          {
            "name": "[cordova-issues] 20200929 [GitHub] [cordova-docs] purplecabbage merged pull request #1123: Added Security Advisory CVE-2020-6506",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0%40%3Cissues.cordova.apache.org%3E"
          },
          {
            "name": "[cordova-issues] 20201001 [GitHub] [cordova-docs] dpogue commented on issue #1022: Document warnings on using remote source for \u003ccontent\u003e",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275%40%3Cissues.cordova.apache.org%3E"
          },
          {
            "name": "[cordova-issues] 20201007 [GitHub] [cordova-plugin-inappbrowser] carlpoole opened a new pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728%40%3Cissues.cordova.apache.org%3E"
          },
          {
            "name": "[cordova-issues] 20201116 [GitHub] [cordova-plugin-inappbrowser] NiklasMerz commented on pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680%40%3Cissues.cordova.apache.org%3E"
          },
          {
            "name": "[cordova-issues] 20201117 [GitHub] [cordova-plugin-inappbrowser] NiklasMerz merged pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69%40%3Cissues.cordova.apache.org%3E"
          },
          {
            "name": "[cordova-commits] 20201117 [cordova-plugin-inappbrowser] branch master updated: fix(android): Add mitigation strategy for CVE-2020-6506 (#792)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5%40%3Ccommits.cordova.apache.org%3E"
          },
          {
            "name": "GLSA-202101-30",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202101-30"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Chrome",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "83.0.4103.106",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Insufficient policy enforcement",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-26T02:07:08.000Z",
        "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
        "shortName": "Chrome"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://crbug.com/1083819"
        },
        {
          "name": "GLSA-202007-08",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202007-08"
        },
        {
          "name": "[cordova-issues] 20200929 [GitHub] [cordova-docs] purplecabbage opened a new pull request #1123: Added Security Advisory CVE-2020-6506",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d%40%3Cissues.cordova.apache.org%3E"
        },
        {
          "name": "[cordova-issues] 20200929 [GitHub] [cordova-docs] purplecabbage merged pull request #1123: Added Security Advisory CVE-2020-6506",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0%40%3Cissues.cordova.apache.org%3E"
        },
        {
          "name": "[cordova-issues] 20201001 [GitHub] [cordova-docs] dpogue commented on issue #1022: Document warnings on using remote source for \u003ccontent\u003e",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275%40%3Cissues.cordova.apache.org%3E"
        },
        {
          "name": "[cordova-issues] 20201007 [GitHub] [cordova-plugin-inappbrowser] carlpoole opened a new pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728%40%3Cissues.cordova.apache.org%3E"
        },
        {
          "name": "[cordova-issues] 20201116 [GitHub] [cordova-plugin-inappbrowser] NiklasMerz commented on pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680%40%3Cissues.cordova.apache.org%3E"
        },
        {
          "name": "[cordova-issues] 20201117 [GitHub] [cordova-plugin-inappbrowser] NiklasMerz merged pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69%40%3Cissues.cordova.apache.org%3E"
        },
        {
          "name": "[cordova-commits] 20201117 [cordova-plugin-inappbrowser] branch master updated: fix(android): Add mitigation strategy for CVE-2020-6506 (#792)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5%40%3Ccommits.cordova.apache.org%3E"
        },
        {
          "name": "GLSA-202101-30",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202101-30"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "chrome-cve-admin@google.com",
          "ID": "CVE-2020-6506",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Chrome",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "83.0.4103.106"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Google"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Insufficient policy enforcement"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html",
              "refsource": "MISC",
              "url": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html"
            },
            {
              "name": "https://crbug.com/1083819",
              "refsource": "MISC",
              "url": "https://crbug.com/1083819"
            },
            {
              "name": "GLSA-202007-08",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202007-08"
            },
            {
              "name": "[cordova-issues] 20200929 [GitHub] [cordova-docs] purplecabbage opened a new pull request #1123: Added Security Advisory CVE-2020-6506",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d@%3Cissues.cordova.apache.org%3E"
            },
            {
              "name": "[cordova-issues] 20200929 [GitHub] [cordova-docs] purplecabbage merged pull request #1123: Added Security Advisory CVE-2020-6506",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0@%3Cissues.cordova.apache.org%3E"
            },
            {
              "name": "[cordova-issues] 20201001 [GitHub] [cordova-docs] dpogue commented on issue #1022: Document warnings on using remote source for \u003ccontent\u003e",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275@%3Cissues.cordova.apache.org%3E"
            },
            {
              "name": "[cordova-issues] 20201007 [GitHub] [cordova-plugin-inappbrowser] carlpoole opened a new pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728@%3Cissues.cordova.apache.org%3E"
            },
            {
              "name": "[cordova-issues] 20201116 [GitHub] [cordova-plugin-inappbrowser] NiklasMerz commented on pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680@%3Cissues.cordova.apache.org%3E"
            },
            {
              "name": "[cordova-issues] 20201117 [GitHub] [cordova-plugin-inappbrowser] NiklasMerz merged pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69@%3Cissues.cordova.apache.org%3E"
            },
            {
              "name": "[cordova-commits] 20201117 [cordova-plugin-inappbrowser] branch master updated: fix(android): Add mitigation strategy for CVE-2020-6506 (#792)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5@%3Ccommits.cordova.apache.org%3E"
            },
            {
              "name": "GLSA-202101-30",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202101-30"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
    "assignerShortName": "Chrome",
    "cveId": "CVE-2020-6506",
    "datePublished": "2020-07-22T16:15:58.000Z",
    "dateReserved": "2020-01-08T00:00:00.000Z",
    "dateUpdated": "2024-08-04T09:02:40.810Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-6506",
      "date": "2026-05-25",
      "epss": "0.01414",
      "percentile": "0.80783"
    },
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"83.0.4103.106\", \"matchCriteriaId\": \"8F6F13CD-26D2-45DE-87EF-E595EAAA3E08\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page.\"}, {\"lang\": \"es\", \"value\": \"Una aplicaci\\u00f3n insuficiente de pol\\u00edticas en WebView en Google Chrome en Android versiones anteriores a 83.0.4103.106, permiti\\u00f3 a un atacante remoto omitir un aislamiento del sitio por medio de una p\\u00e1gina HTML dise\\u00f1ada\"}]",
      "id": "CVE-2020-6506",
      "lastModified": "2024-11-21T05:35:51.690",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-07-22T17:15:13.010",
      "references": "[{\"url\": \"https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html\", \"source\": \"chrome-cve-admin@google.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://crbug.com/1083819\", \"source\": \"chrome-cve-admin@google.com\", \"tags\": [\"Issue Tracking\", \"Permissions Required\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275%40%3Cissues.cordova.apache.org%3E\", \"source\": \"chrome-cve-admin@google.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d%40%3Cissues.cordova.apache.org%3E\", \"source\": \"chrome-cve-admin@google.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0%40%3Cissues.cordova.apache.org%3E\", \"source\": \"chrome-cve-admin@google.com\"}, {\"url\": \"https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680%40%3Cissues.cordova.apache.org%3E\", \"source\": \"chrome-cve-admin@google.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728%40%3Cissues.cordova.apache.org%3E\", \"source\": \"chrome-cve-admin@google.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69%40%3Cissues.cordova.apache.org%3E\", \"source\": \"chrome-cve-admin@google.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5%40%3Ccommits.cordova.apache.org%3E\", \"source\": \"chrome-cve-admin@google.com\"}, {\"url\": \"https://security.gentoo.org/glsa/202007-08\", \"source\": \"chrome-cve-admin@google.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202101-30\", \"source\": \"chrome-cve-admin@google.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://crbug.com/1083819\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Permissions Required\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275%40%3Cissues.cordova.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d%40%3Cissues.cordova.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0%40%3Cissues.cordova.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680%40%3Cissues.cordova.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728%40%3Cissues.cordova.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69%40%3Cissues.cordova.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5%40%3Ccommits.cordova.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.gentoo.org/glsa/202007-08\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202101-30\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "chrome-cve-admin@google.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-6506\",\"sourceIdentifier\":\"chrome-cve-admin@google.com\",\"published\":\"2020-07-22T17:15:13.010\",\"lastModified\":\"2024-11-21T05:35:51.690\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page.\"},{\"lang\":\"es\",\"value\":\"Una aplicaci\u00f3n insuficiente de pol\u00edticas en WebView en Google Chrome en Android versiones anteriores a 83.0.4103.106, permiti\u00f3 a un atacante remoto omitir un aislamiento del sitio por medio de una p\u00e1gina HTML dise\u00f1ada\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"83.0.4103.106\",\"matchCriteriaId\":\"8F6F13CD-26D2-45DE-87EF-E595EAAA3E08\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26\"}]}]}],\"references\":[{\"url\":\"https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html\",\"source\":\"chrome-cve-admin@google.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://crbug.com/1083819\",\"source\":\"chrome-cve-admin@google.com\",\"tags\":[\"Issue Tracking\",\"Permissions Required\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275%40%3Cissues.cordova.apache.org%3E\",\"source\":\"chrome-cve-admin@google.com\"},{\"url\":\"https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d%40%3Cissues.cordova.apache.org%3E\",\"source\":\"chrome-cve-admin@google.com\"},{\"url\":\"https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0%40%3Cissues.cordova.apache.org%3E\",\"source\":\"chrome-cve-admin@google.com\"},{\"url\":\"https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680%40%3Cissues.cordova.apache.org%3E\",\"source\":\"chrome-cve-admin@google.com\"},{\"url\":\"https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728%40%3Cissues.cordova.apache.org%3E\",\"source\":\"chrome-cve-admin@google.com\"},{\"url\":\"https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69%40%3Cissues.cordova.apache.org%3E\",\"source\":\"chrome-cve-admin@google.com\"},{\"url\":\"https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5%40%3Ccommits.cordova.apache.org%3E\",\"source\":\"chrome-cve-admin@google.com\"},{\"url\":\"https://security.gentoo.org/glsa/202007-08\",\"source\":\"chrome-cve-admin@google.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202101-30\",\"source\":\"chrome-cve-admin@google.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://crbug.com/1083819\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Permissions Required\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275%40%3Cissues.cordova.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d%40%3Cissues.cordova.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0%40%3Cissues.cordova.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680%40%3Cissues.cordova.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728%40%3Cissues.cordova.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69%40%3Cissues.cordova.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5%40%3Ccommits.cordova.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202007-08\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202101-30\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

CERTFR-2020-AVI-374

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Google Chrome. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Google	Chrome	Google Chrome versions antérieures à 83.0.4103.106

References

Title

Publication Time

CERTFR-2020-AVI-374

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Google Chrome. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Google	Chrome	Google Chrome versions antérieures à 83.0.4103.106

References

Title

Publication Time

BDU:2021-06063

Vulnerability from fstec - Published: 22.07.2020

Title

Уязвимость компонента WebView браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности с помощью специально созданной HTML страницы

Description

Уязвимость компонента WebView браузера Google Chrome связана с ошибками реализации проверки безопасности для стандартных элементов. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, обойти существующие ограничения безопасности с помощью специально созданной HTML страницы

Severity


                    
                      AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Vendor

Сообщество свободного программного обеспечения, Novell Inc., Fedora Project, Google Inc, Red Hat Inc., АО «Концерн ВНИИНС»

Software Name

Debian GNU/Linux, OpenSUSE Leap, Fedora, Google Chrome, Red Hat Enterprise Linux, ОС ОН «Стрелец» (запись в едином реестре российских программ №6177)

Software Version

9 (Debian GNU/Linux), 15.1 (OpenSUSE Leap), 10 (Debian GNU/Linux), 31 (Fedora), 32 (Fedora), 15.2 (OpenSUSE Leap), до 83.0.4103.106 (Google Chrome), 6 Supplementary (Red Hat Enterprise Linux), 11 (Debian GNU/Linux), до 16.01.2023 (ОС ОН «Стрелец»)

Possible Mitigations

Использование рекомендаций: https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5@%3Ccommits.cordova.apache.org%3E Для программных продуктов Novell Inc.: https://www.suse.com/security/cve/CVE-2020-6506 Для программных продуктов Red Hat Inc.: https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-6506.xml Для Fedora: https://lists.fedoraproject.org/archives/search?mlist=package-announce%40lists.fedoraproject.org&q=CVE-2020-6506 Для Debian GNU/Linux: https://security-tracker.debian.org/tracker/CVE-2020-6506 Для ОС ОН «Стрелец»: Обновление программного обеспечения chromium до версии 105.0.5195.125+repack2-1~deb11u1.osnova1.strelets

Reference

https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html https://crbug.com/1083819 https://security.gentoo.org/glsa/202007-08 https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0@%3Cissues.cordova.apache.org%3E https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d@%3Cissues.cordova.apache.org%3E https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275@%3Cissues.cordova.apache.org%3E https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728@%3Cissues.cordova.apache.org%3E https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680@%3Cissues.cordova.apache.org%3E https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69@%3Cissues.cordova.apache.org%3E https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5@%3Ccommits.cordova.apache.org%3E https://security.gentoo.org/glsa/202101-30 https://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023

CWE

CWE-358

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Novell Inc., Fedora Project, Google Inc, Red Hat Inc., \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "9 (Debian GNU/Linux), 15.1 (OpenSUSE Leap), 10 (Debian GNU/Linux), 31 (Fedora), 32 (Fedora), 15.2 (OpenSUSE Leap), \u0434\u043e 83.0.4103.106 (Google Chrome), 6 Supplementary (Red Hat Enterprise Linux), 11 (Debian GNU/Linux), \u0434\u043e 16.01.2023 (\u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html\nhttps://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5@%3Ccommits.cordova.apache.org%3E\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2020-6506\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-6506.xml\n\u0414\u043b\u044f Fedora:\nhttps://lists.fedoraproject.org/archives/search?mlist=package-announce%40lists.fedoraproject.org\u0026q=CVE-2020-6506\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2020-6506\n\n\u0414\u043b\u044f \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f chromium \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 105.0.5195.125+repack2-1~deb11u1.osnova1.strelets",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "22.07.2020",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "21.11.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "16.12.2021",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2021-06063",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2020-6506",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, OpenSUSE Leap, Fedora, Google Chrome, Red Hat Enterprise Linux, \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 9 , Novell Inc. OpenSUSE Leap 15.1 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Fedora Project Fedora 31 , Fedora Project Fedora 32 , Novell Inc. OpenSUSE Leap 15.2 , Red Hat Inc. Red Hat Enterprise Linux 6 Supplementary , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb \u0434\u043e 16.01.2023  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 WebView \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430 Google Chrome, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0431\u043e\u0439\u0442\u0438 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u043e\u0439 HTML \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u0440\u0435\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0434\u043b\u044f \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0445 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u0432 (CWE-358)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 WebView \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430 Google Chrome \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0434\u043b\u044f \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0445 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u0431\u043e\u0439\u0442\u0438 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u043e\u0439 HTML \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html\nhttps://crbug.com/1083819\nhttps://security.gentoo.org/glsa/202007-08\nhttps://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0@%3Cissues.cordova.apache.org%3E\nhttps://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d@%3Cissues.cordova.apache.org%3E\nhttps://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275@%3Cissues.cordova.apache.org%3E\nhttps://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728@%3Cissues.cordova.apache.org%3E\nhttps://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680@%3Cissues.cordova.apache.org%3E\nhttps://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69@%3Cissues.cordova.apache.org%3E\nhttps://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5@%3Ccommits.cordova.apache.org%3E\nhttps://security.gentoo.org/glsa/202101-30\nhttps://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-358",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,3)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,5)"
}

CNVD-2020-49891

Vulnerability from cnvd - Published: 2020-09-01

Title

Google Chrome WebView安全绕过漏洞

Description

Google Chrome是美国谷歌（Google）公司的一款Web浏览器。WebView是其中的一个基于Webkit引擎、展现Web页面的控件。 Google Chrome 83.0.4103.106之前版本中的WebView存在安全漏洞。攻击者可借助特制的网站利用该漏洞绕过安全限制。

Severity

中

Patch Name

Google Chrome WebView安全绕过漏洞的补丁

Patch Description

Google Chrome是美国谷歌（Google）公司的一款Web浏览器。WebView是其中的一个基于Webkit引擎、展现Web页面的控件。 Google Chrome 83.0.4103.106之前版本中的WebView存在安全漏洞。攻击者可借助特制的网站利用该漏洞绕过安全限制。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html

Reference

https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html

Impacted products

Name
Google Chrome <83.0.4103.106

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-6506"
    }
  },
  "description": "Google Chrome\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u516c\u53f8\u7684\u4e00\u6b3eWeb\u6d4f\u89c8\u5668\u3002WebView\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u57fa\u4e8eWebkit\u5f15\u64ce\u3001\u5c55\u73b0Web\u9875\u9762\u7684\u63a7\u4ef6\u3002\n\nGoogle Chrome 83.0.4103.106\u4e4b\u524d\u7248\u672c\u4e2d\u7684WebView\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684\u7f51\u7ad9\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-49891",
  "openTime": "2020-09-01",
  "patchDescription": "Google Chrome\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u516c\u53f8\u7684\u4e00\u6b3eWeb\u6d4f\u89c8\u5668\u3002WebView\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u57fa\u4e8eWebkit\u5f15\u64ce\u3001\u5c55\u73b0Web\u9875\u9762\u7684\u63a7\u4ef6\u3002\r\n\r\nGoogle Chrome 83.0.4103.106\u4e4b\u524d\u7248\u672c\u4e2d\u7684WebView\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684\u7f51\u7ad9\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Google Chrome WebView\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Google Chrome \u003c83.0.4103.106"
  },
  "referenceLink": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html",
  "serverity": "\u4e2d",
  "submitTime": "2020-06-17",
  "title": "Google Chrome WebView\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e"
}

FKIE_CVE-2020-6506

Vulnerability from fkie_nvd - Published: 2020-07-22 17:15 - Updated: 2024-11-21 05:35

Severity

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Summary

Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page.

References

URL	Tags
chrome-cve-admin@google.com	https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html	Vendor Advisory
chrome-cve-admin@google.com	https://crbug.com/1083819	Issue Tracking, Permissions Required, Third Party Advisory
chrome-cve-admin@google.com	https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275%40%3Cissues.cordova.apache.org%3E
chrome-cve-admin@google.com	https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d%40%3Cissues.cordova.apache.org%3E
chrome-cve-admin@google.com	https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0%40%3Cissues.cordova.apache.org%3E
chrome-cve-admin@google.com	https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680%40%3Cissues.cordova.apache.org%3E
chrome-cve-admin@google.com	https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728%40%3Cissues.cordova.apache.org%3E
chrome-cve-admin@google.com	https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69%40%3Cissues.cordova.apache.org%3E
chrome-cve-admin@google.com	https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5%40%3Ccommits.cordova.apache.org%3E
chrome-cve-admin@google.com	https://security.gentoo.org/glsa/202007-08	Third Party Advisory
chrome-cve-admin@google.com	https://security.gentoo.org/glsa/202101-30	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://crbug.com/1083819	Issue Tracking, Permissions Required, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275%40%3Cissues.cordova.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d%40%3Cissues.cordova.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0%40%3Cissues.cordova.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680%40%3Cissues.cordova.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728%40%3Cissues.cordova.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69%40%3Cissues.cordova.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5%40%3Ccommits.cordova.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202007-08	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202101-30	Third Party Advisory

Impacted products

	Vendor	Product	Version
	google	chrome	*
	google	android	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8F6F13CD-26D2-45DE-87EF-E595EAAA3E08",
              "versionEndExcluding": "83.0.4103.106",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page."
    },
    {
      "lang": "es",
      "value": "Una aplicaci\u00f3n insuficiente de pol\u00edticas en WebView en Google Chrome en Android versiones anteriores a 83.0.4103.106, permiti\u00f3 a un atacante remoto omitir un aislamiento del sitio por medio de una p\u00e1gina HTML dise\u00f1ada"
    }
  ],
  "id": "CVE-2020-6506",
  "lastModified": "2024-11-21T05:35:51.690",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-22T17:15:13.010",
  "references": [
    {
      "source": "chrome-cve-admin@google.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html"
    },
    {
      "source": "chrome-cve-admin@google.com",
      "tags": [
        "Issue Tracking",
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://crbug.com/1083819"
    },
    {
      "source": "chrome-cve-admin@google.com",
      "url": "https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275%40%3Cissues.cordova.apache.org%3E"
    },
    {
      "source": "chrome-cve-admin@google.com",
      "url": "https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d%40%3Cissues.cordova.apache.org%3E"
    },
    {
      "source": "chrome-cve-admin@google.com",
      "url": "https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0%40%3Cissues.cordova.apache.org%3E"
    },
    {
      "source": "chrome-cve-admin@google.com",
      "url": "https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680%40%3Cissues.cordova.apache.org%3E"
    },
    {
      "source": "chrome-cve-admin@google.com",
      "url": "https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728%40%3Cissues.cordova.apache.org%3E"
    },
    {
      "source": "chrome-cve-admin@google.com",
      "url": "https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69%40%3Cissues.cordova.apache.org%3E"
    },
    {
      "source": "chrome-cve-admin@google.com",
      "url": "https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5%40%3Ccommits.cordova.apache.org%3E"
    },
    {
      "source": "chrome-cve-admin@google.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202007-08"
    },
    {
      "source": "chrome-cve-admin@google.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202101-30"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://crbug.com/1083819"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275%40%3Cissues.cordova.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d%40%3Cissues.cordova.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0%40%3Cissues.cordova.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680%40%3Cissues.cordova.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728%40%3Cissues.cordova.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69%40%3Cissues.cordova.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5%40%3Ccommits.cordova.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202007-08"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202101-30"
    }
  ],
  "sourceIdentifier": "chrome-cve-admin@google.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-36J3-XXF7-4PQG

Vulnerability from github – Published: 2020-10-02 16:22 – Updated: 2022-08-03 23:40

Summary

Android WebView Universal Cross-site Scripting

Details

A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/1083819), has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native apps which use a react-native-webview that allows navigation to arbitrary URLs, and when that app runs on systems with an Android WebView version prior to 83.0.4103.106.

Pending mitigation

Ensure users update their Android WebView system component via the Google Play Store to 83.0.4103.106 or higher to avoid this UXSS. 'react-native-webview' is working on a mitigation but it could take some time.

References

https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.10.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "react-native-webview"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-6506"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-10-02T16:22:01Z",
    "nvd_published_at": "2020-07-22T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/1083819), has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native apps which use a `react-native-webview` that allows navigation to arbitrary URLs, and when that app runs on systems with an Android WebView version prior to 83.0.4103.106.\n\n## Pending mitigation\n\nEnsure users update their Android WebView system component via the Google Play Store to 83.0.4103.106 or higher to avoid this UXSS. \u0027react-native-webview\u0027 is working on a mitigation but it could take some time.\n\n### References\n\nhttps://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/\n\n",
  "id": "GHSA-36j3-xxf7-4pqg",
  "modified": "2022-08-03T23:40:07Z",
  "published": "2020-10-02T16:22:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/react-native-community/react-native-webview/security/advisories/GHSA-36j3-xxf7-4pqg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/react-native-webview/react-native-webview/security/advisories/GHSA-36j3-xxf7-4pqg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6506"
    },
    {
      "type": "WEB",
      "url": "https://github.com/react-native-webview/react-native-webview/pull/1747"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1560"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202101-30"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202007-08"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5@%3Ccommits.cordova.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69@%3Cissues.cordova.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728@%3Cissues.cordova.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680@%3Cissues.cordova.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0@%3Cissues.cordova.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d@%3Cissues.cordova.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275@%3Cissues.cordova.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://github.com/react-native-webview/react-native-webview/releases/tag/v11.0.0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/react-native-community/react-native-webview"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1083819"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html"
    },
    {
      "type": "WEB",
      "url": "https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Android WebView Universal Cross-site Scripting"
}

GSD-2020-6506

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page.

Aliases

CVE-2020-6506

Aliases

CVE-2020-6506

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-6506",
    "description": "Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page.",
    "id": "GSD-2020-6506",
    "references": [
      "https://www.suse.com/security/cve/CVE-2020-6506.html",
      "https://www.debian.org/security/2020/dsa-4714",
      "https://access.redhat.com/errata/RHSA-2020:2643",
      "https://security.archlinux.org/CVE-2020-6506"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-6506"
      ],
      "details": "Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page.",
      "id": "GSD-2020-6506",
      "modified": "2023-12-13T01:21:55.379519Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "chrome-cve-admin@google.com",
        "ID": "CVE-2020-6506",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Chrome",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "83.0.4103.106"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Google"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Insufficient policy enforcement"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html",
            "refsource": "MISC",
            "url": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html"
          },
          {
            "name": "https://crbug.com/1083819",
            "refsource": "MISC",
            "url": "https://crbug.com/1083819"
          },
          {
            "name": "GLSA-202007-08",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202007-08"
          },
          {
            "name": "[cordova-issues] 20200929 [GitHub] [cordova-docs] purplecabbage opened a new pull request #1123: Added Security Advisory CVE-2020-6506",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d@%3Cissues.cordova.apache.org%3E"
          },
          {
            "name": "[cordova-issues] 20200929 [GitHub] [cordova-docs] purplecabbage merged pull request #1123: Added Security Advisory CVE-2020-6506",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0@%3Cissues.cordova.apache.org%3E"
          },
          {
            "name": "[cordova-issues] 20201001 [GitHub] [cordova-docs] dpogue commented on issue #1022: Document warnings on using remote source for \u003ccontent\u003e",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275@%3Cissues.cordova.apache.org%3E"
          },
          {
            "name": "[cordova-issues] 20201007 [GitHub] [cordova-plugin-inappbrowser] carlpoole opened a new pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728@%3Cissues.cordova.apache.org%3E"
          },
          {
            "name": "[cordova-issues] 20201116 [GitHub] [cordova-plugin-inappbrowser] NiklasMerz commented on pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680@%3Cissues.cordova.apache.org%3E"
          },
          {
            "name": "[cordova-issues] 20201117 [GitHub] [cordova-plugin-inappbrowser] NiklasMerz merged pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69@%3Cissues.cordova.apache.org%3E"
          },
          {
            "name": "[cordova-commits] 20201117 [cordova-plugin-inappbrowser] branch master updated: fix(android): Add mitigation strategy for CVE-2020-6506 (#792)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5@%3Ccommits.cordova.apache.org%3E"
          },
          {
            "name": "GLSA-202101-30",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202101-30"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=10.10.2",
          "affected_versions": "All versions up to 10.10.2",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2021-10-06",
          "description": "Insufficient policy enforcement in WebView in Google Chrome on Android allowed a remote attacker to bypass site isolation via a crafted HTML page.",
          "fixed_versions": [
            "11.0.0"
          ],
          "identifier": "CVE-2020-6506",
          "identifiers": [
            "GHSA-36j3-xxf7-4pqg",
            "CVE-2020-6506"
          ],
          "not_impacted": "All versions after 10.10.2",
          "package_slug": "npm/react-native-webview",
          "pubdate": "2020-10-02",
          "solution": "Upgrade to version 11.0.0 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://github.com/react-native-community/react-native-webview/security/advisories/GHSA-36j3-xxf7-4pqg",
            "https://www.npmjs.com/advisories/1560",
            "https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/",
            "https://nvd.nist.gov/vuln/detail/CVE-2020-6506",
            "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html",
            "https://crbug.com/1083819",
            "https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69@%3Cissues.cordova.apache.org%3E",
            "https://security.gentoo.org/glsa/202007-08",
            "https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5@%3Ccommits.cordova.apache.org%3E",
            "https://security.gentoo.org/glsa/202101-30",
            "https://github.com/react-native-webview/react-native-webview/security/advisories/GHSA-36j3-xxf7-4pqg",
            "https://github.com/advisories/GHSA-36j3-xxf7-4pqg"
          ],
          "uuid": "ccf4051d-b2d7-457f-8b15-94d37c3556a6"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "83.0.4103.106",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "chrome-cve-admin@google.com",
          "ID": "CVE-2020-6506"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html"
            },
            {
              "name": "https://crbug.com/1083819",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Permissions Required",
                "Third Party Advisory"
              ],
              "url": "https://crbug.com/1083819"
            },
            {
              "name": "GLSA-202007-08",
              "refsource": "GENTOO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202007-08"
            },
            {
              "name": "[cordova-issues] 20200929 [GitHub] [cordova-docs] purplecabbage merged pull request #1123: Added Security Advisory CVE-2020-6506",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r2769c33da7f7ece7e4e31837c1e1839d6657c7c13bb8d228670b8da0@%3Cissues.cordova.apache.org%3E"
            },
            {
              "name": "[cordova-issues] 20200929 [GitHub] [cordova-docs] purplecabbage opened a new pull request #1123: Added Security Advisory CVE-2020-6506",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r1eadf38b38ee20405811958c8a01f78d6b28e058c84c9fa6c1a8663d@%3Cissues.cordova.apache.org%3E"
            },
            {
              "name": "[cordova-issues] 20201001 [GitHub] [cordova-docs] dpogue commented on issue #1022: Document warnings on using remote source for \u003ccontent\u003e",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r1ab80f8591d5c2147898076e3945dad1c897513630aabec556883275@%3Cissues.cordova.apache.org%3E"
            },
            {
              "name": "[cordova-issues] 20201007 [GitHub] [cordova-plugin-inappbrowser] carlpoole opened a new pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/rc0ebe639927fa09e222aa56bf5ad6e700218f334ecc6ba9da4397728@%3Cissues.cordova.apache.org%3E"
            },
            {
              "name": "[cordova-issues] 20201116 [GitHub] [cordova-plugin-inappbrowser] NiklasMerz commented on pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/ra58733fbb88d5c513b3f14a14850083d506b9129103e0ab433c3f680@%3Cissues.cordova.apache.org%3E"
            },
            {
              "name": "[cordova-issues] 20201117 [GitHub] [cordova-plugin-inappbrowser] NiklasMerz merged pull request #792: fix(android): Add mitigation strategy for CVE-2020-6506",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/rc81e12fc9287f8743d59099b1af40f968f1cfec9eac98a63c2c62c69@%3Cissues.cordova.apache.org%3E"
            },
            {
              "name": "[cordova-commits] 20201117 [cordova-plugin-inappbrowser] branch master updated: fix(android): Add mitigation strategy for CVE-2020-6506 (#792)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/rf082834ad237f78a63671aec0cef8874f9232b7614529cc3d3e304c5@%3Ccommits.cordova.apache.org%3E"
            },
            {
              "name": "GLSA-202101-30",
              "refsource": "GENTOO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202101-30"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-07-21T11:39Z",
      "publishedDate": "2020-07-22T17:15Z"
    }
  }
}

OPENSUSE-SU-2020:0845-1

Vulnerability from csaf_opensuse - Published: 2020-06-22 18:17 - Updated: 2020-06-22 18:17

Summary

Security update for chromium

Severity

Important

Notes

Title of the patch: Security update for chromium

Description of the patch: This update for chromium fixes the following issues: Update to version 83.0.4103.106 (boo#1173029): * CVE-2020-6505: Use after free in speech * CVE-2020-6506: Insufficient policy enforcement in WebView * CVE-2020-6507: Out of bounds write in V8 - Enforce to not use system borders bsc#1173063

Patchnames: openSUSE-2020-845

CVE-2020-6505

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected products

Recommended 2 products

Product	Identifier	Version	Remediation
Unresolved product id: openSUSE Leap 15.1:chromedriver-83.0.4103.106-lp151.2.101.1.x86_64		—	Vendor Fix
Unresolved product id: openSUSE Leap 15.1:chromium-83.0.4103.106-lp151.2.101.1.x86_64		—	Vendor Fix

Threats

Impact critical

CVE-2020-6506

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected products

Recommended 2 products

Product	Identifier	Version	Remediation
Unresolved product id: openSUSE Leap 15.1:chromedriver-83.0.4103.106-lp151.2.101.1.x86_64		—	Vendor Fix
Unresolved product id: openSUSE Leap 15.1:chromium-83.0.4103.106-lp151.2.101.1.x86_64		—	Vendor Fix

Threats

Impact moderate

CVE-2020-6507

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 2 products

Product	Identifier	Version	Remediation
Unresolved product id: openSUSE Leap 15.1:chromedriver-83.0.4103.106-lp151.2.101.1.x86_64		—	Vendor Fix
Unresolved product id: openSUSE Leap 15.1:chromium-83.0.4103.106-lp151.2.101.1.x86_64		—	Vendor Fix

Threats

Impact important

References

15 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://bugzilla.suse.com/1173029	self
https://bugzilla.suse.com/1173063	self
https://www.suse.com/security/cve/CVE-2020-6505/	self
https://www.suse.com/security/cve/CVE-2020-6506/	self
https://www.suse.com/security/cve/CVE-2020-6507/	self
https://www.suse.com/security/cve/CVE-2020-6505	external
https://bugzilla.suse.com/1173029	external
https://www.suse.com/security/cve/CVE-2020-6506	external
https://bugzilla.suse.com/1173029	external
https://www.suse.com/security/cve/CVE-2020-6507	external
https://bugzilla.suse.com/1173029	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for chromium",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for chromium fixes the following issues:\n\nUpdate to version 83.0.4103.106 (boo#1173029):\n\n* CVE-2020-6505: Use after free in speech\n* CVE-2020-6506: Insufficient policy enforcement in WebView\n* CVE-2020-6507: Out of bounds write in V8\n\n- Enforce to not use system borders bsc#1173063\n\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2020-845",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_0845-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2020:0845-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6BE6BTOOAZV3CDDRCY2GBOURVD2PTD7Z/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2020:0845-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6BE6BTOOAZV3CDDRCY2GBOURVD2PTD7Z/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1173029",
        "url": "https://bugzilla.suse.com/1173029"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1173063",
        "url": "https://bugzilla.suse.com/1173063"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-6505 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-6505/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-6506 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-6506/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-6507 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-6507/"
      }
    ],
    "title": "Security update for chromium",
    "tracking": {
      "current_release_date": "2020-06-22T18:17:35Z",
      "generator": {
        "date": "2020-06-22T18:17:35Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2020:0845-1",
      "initial_release_date": "2020-06-22T18:17:35Z",
      "revision_history": [
        {
          "date": "2020-06-22T18:17:35Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "chromedriver-83.0.4103.106-lp151.2.101.1.x86_64",
                "product": {
                  "name": "chromedriver-83.0.4103.106-lp151.2.101.1.x86_64",
                  "product_id": "chromedriver-83.0.4103.106-lp151.2.101.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "chromium-83.0.4103.106-lp151.2.101.1.x86_64",
                "product": {
                  "name": "chromium-83.0.4103.106-lp151.2.101.1.x86_64",
                  "product_id": "chromium-83.0.4103.106-lp151.2.101.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.1",
                "product": {
                  "name": "openSUSE Leap 15.1",
                  "product_id": "openSUSE Leap 15.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "chromedriver-83.0.4103.106-lp151.2.101.1.x86_64 as component of openSUSE Leap 15.1",
          "product_id": "openSUSE Leap 15.1:chromedriver-83.0.4103.106-lp151.2.101.1.x86_64"
        },
        "product_reference": "chromedriver-83.0.4103.106-lp151.2.101.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "chromium-83.0.4103.106-lp151.2.101.1.x86_64 as component of openSUSE Leap 15.1",
          "product_id": "openSUSE Leap 15.1:chromium-83.0.4103.106-lp151.2.101.1.x86_64"
        },
        "product_reference": "chromium-83.0.4103.106-lp151.2.101.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-6505",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-6505"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Use after free in speech in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:chromedriver-83.0.4103.106-lp151.2.101.1.x86_64",
          "openSUSE Leap 15.1:chromium-83.0.4103.106-lp151.2.101.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-6505",
          "url": "https://www.suse.com/security/cve/CVE-2020-6505"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1173029 for CVE-2020-6505",
          "url": "https://bugzilla.suse.com/1173029"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:chromedriver-83.0.4103.106-lp151.2.101.1.x86_64",
            "openSUSE Leap 15.1:chromium-83.0.4103.106-lp151.2.101.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.1:chromedriver-83.0.4103.106-lp151.2.101.1.x86_64",
            "openSUSE Leap 15.1:chromium-83.0.4103.106-lp151.2.101.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-06-22T18:17:35Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2020-6505"
    },
    {
      "cve": "CVE-2020-6506",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-6506"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:chromedriver-83.0.4103.106-lp151.2.101.1.x86_64",
          "openSUSE Leap 15.1:chromium-83.0.4103.106-lp151.2.101.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-6506",
          "url": "https://www.suse.com/security/cve/CVE-2020-6506"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1173029 for CVE-2020-6506",
          "url": "https://bugzilla.suse.com/1173029"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:chromedriver-83.0.4103.106-lp151.2.101.1.x86_64",
            "openSUSE Leap 15.1:chromium-83.0.4103.106-lp151.2.101.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.1:chromedriver-83.0.4103.106-lp151.2.101.1.x86_64",
            "openSUSE Leap 15.1:chromium-83.0.4103.106-lp151.2.101.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-06-22T18:17:35Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-6506"
    },
    {
      "cve": "CVE-2020-6507",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-6507"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:chromedriver-83.0.4103.106-lp151.2.101.1.x86_64",
          "openSUSE Leap 15.1:chromium-83.0.4103.106-lp151.2.101.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-6507",
          "url": "https://www.suse.com/security/cve/CVE-2020-6507"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1173029 for CVE-2020-6507",
          "url": "https://bugzilla.suse.com/1173029"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:chromedriver-83.0.4103.106-lp151.2.101.1.x86_64",
            "openSUSE Leap 15.1:chromium-83.0.4103.106-lp151.2.101.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.1:chromedriver-83.0.4103.106-lp151.2.101.1.x86_64",
            "openSUSE Leap 15.1:chromium-83.0.4103.106-lp151.2.101.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-06-22T18:17:35Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-6507"
    }
  ]
}

OPENSUSE-SU-2020:0856-1

Vulnerability from csaf_opensuse - Published: 2020-06-24 08:19 - Updated: 2020-06-24 08:19

Summary

Security update for chromium

Severity

Important

Notes

Title of the patch: Security update for chromium

Patchnames: openSUSE-2020-856

CVE-2020-6505

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2020-6506

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2020-6507

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.x86_64	—	Vendor Fix

Threats

Impact important

References

15 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://bugzilla.suse.com/1173029	self
https://bugzilla.suse.com/1173063	self
https://www.suse.com/security/cve/CVE-2020-6505/	self
https://www.suse.com/security/cve/CVE-2020-6506/	self
https://www.suse.com/security/cve/CVE-2020-6507/	self
https://www.suse.com/security/cve/CVE-2020-6505	external
https://bugzilla.suse.com/1173029	external
https://www.suse.com/security/cve/CVE-2020-6506	external
https://bugzilla.suse.com/1173029	external
https://www.suse.com/security/cve/CVE-2020-6507	external
https://bugzilla.suse.com/1173029	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for chromium",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for chromium fixes the following issues:\n\nUpdate to version 83.0.4103.106 (boo#1173029):\n\n* CVE-2020-6505: Use after free in speech\n* CVE-2020-6506: Insufficient policy enforcement in WebView\n* CVE-2020-6507: Out of bounds write in V8\n\n- Enforce to not use system borders bsc#1173063\n\n\nThis update was imported from the openSUSE:Leap:15.1:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2020-856",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_0856-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2020:0856-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SJDQVPRW5ZPS33NMH3JLUTG3Z4DGHHAC/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2020:0856-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SJDQVPRW5ZPS33NMH3JLUTG3Z4DGHHAC/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1173029",
        "url": "https://bugzilla.suse.com/1173029"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1173063",
        "url": "https://bugzilla.suse.com/1173063"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-6505 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-6505/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-6506 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-6506/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-6507 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-6507/"
      }
    ],
    "title": "Security update for chromium",
    "tracking": {
      "current_release_date": "2020-06-24T08:19:53Z",
      "generator": {
        "date": "2020-06-24T08:19:53Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2020:0856-1",
      "initial_release_date": "2020-06-24T08:19:53Z",
      "revision_history": [
        {
          "date": "2020-06-24T08:19:53Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "chromedriver-83.0.4103.106-bp151.3.88.1.aarch64",
                "product": {
                  "name": "chromedriver-83.0.4103.106-bp151.3.88.1.aarch64",
                  "product_id": "chromedriver-83.0.4103.106-bp151.3.88.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "chromium-83.0.4103.106-bp151.3.88.1.aarch64",
                "product": {
                  "name": "chromium-83.0.4103.106-bp151.3.88.1.aarch64",
                  "product_id": "chromium-83.0.4103.106-bp151.3.88.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "chromedriver-83.0.4103.106-bp151.3.88.1.x86_64",
                "product": {
                  "name": "chromedriver-83.0.4103.106-bp151.3.88.1.x86_64",
                  "product_id": "chromedriver-83.0.4103.106-bp151.3.88.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "chromium-83.0.4103.106-bp151.3.88.1.x86_64",
                "product": {
                  "name": "chromium-83.0.4103.106-bp151.3.88.1.x86_64",
                  "product_id": "chromium-83.0.4103.106-bp151.3.88.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP1",
                "product": {
                  "name": "SUSE Package Hub 15 SP1",
                  "product_id": "SUSE Package Hub 15 SP1"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "chromedriver-83.0.4103.106-bp151.3.88.1.aarch64 as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.aarch64"
        },
        "product_reference": "chromedriver-83.0.4103.106-bp151.3.88.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "chromedriver-83.0.4103.106-bp151.3.88.1.x86_64 as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.x86_64"
        },
        "product_reference": "chromedriver-83.0.4103.106-bp151.3.88.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "chromium-83.0.4103.106-bp151.3.88.1.aarch64 as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.aarch64"
        },
        "product_reference": "chromium-83.0.4103.106-bp151.3.88.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "chromium-83.0.4103.106-bp151.3.88.1.x86_64 as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.x86_64"
        },
        "product_reference": "chromium-83.0.4103.106-bp151.3.88.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-6505",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-6505"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Use after free in speech in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.aarch64",
          "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.x86_64",
          "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.aarch64",
          "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-6505",
          "url": "https://www.suse.com/security/cve/CVE-2020-6505"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1173029 for CVE-2020-6505",
          "url": "https://bugzilla.suse.com/1173029"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.aarch64",
            "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.x86_64",
            "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.aarch64",
            "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.aarch64",
            "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.x86_64",
            "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.aarch64",
            "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-06-24T08:19:53Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2020-6505"
    },
    {
      "cve": "CVE-2020-6506",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-6506"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.aarch64",
          "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.x86_64",
          "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.aarch64",
          "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-6506",
          "url": "https://www.suse.com/security/cve/CVE-2020-6506"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1173029 for CVE-2020-6506",
          "url": "https://bugzilla.suse.com/1173029"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.aarch64",
            "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.x86_64",
            "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.aarch64",
            "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.aarch64",
            "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.x86_64",
            "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.aarch64",
            "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-06-24T08:19:53Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-6506"
    },
    {
      "cve": "CVE-2020-6507",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-6507"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.aarch64",
          "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.x86_64",
          "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.aarch64",
          "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-6507",
          "url": "https://www.suse.com/security/cve/CVE-2020-6507"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1173029 for CVE-2020-6507",
          "url": "https://bugzilla.suse.com/1173029"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.aarch64",
            "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.x86_64",
            "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.aarch64",
            "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.aarch64",
            "SUSE Package Hub 15 SP1:chromedriver-83.0.4103.106-bp151.3.88.1.x86_64",
            "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.aarch64",
            "SUSE Package Hub 15 SP1:chromium-83.0.4103.106-bp151.3.88.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-06-24T08:19:53Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-6507"
    }
  ]
}

OPENSUSE-SU-2020:0893-1

Vulnerability from csaf_opensuse - Published: 2020-06-28 12:16 - Updated: 2020-06-28 12:16

Summary

Security update for chromium

Severity

Important

Notes

Title of the patch: Security update for chromium

Description of the patch: This update for chromium fixes the following issues: Chromium was updated to 83.0.4103.116 (boo#1173251): * CVE-2020-6509: Use after free in extensions Chromium was updated to 83.0.4103.106 (boo#1173029): * CVE-2020-6505: Use after free in speech * CVE-2020-6506: Insufficient policy enforcement in WebView * CVE-2020-6507: Out of bounds write in V8 Other fixes: - Add patch to work with new ffmpeg wrt boo#1173292: - Add multimedia fix for disabled location and also try one additional patch from Debian on the same issue boo#1173107 - Disable wayland integration on 15.x boo#1173187 boo#1173188 boo#1173254 - Enforce to not use system borders boo#1173063

Patchnames: openSUSE-2020-893

CVE-2020-6505

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected products

Recommended 2 products

Product	Identifier	Version	Remediation
Unresolved product id: openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64		—	Vendor Fix
Unresolved product id: openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64		—	Vendor Fix

Threats

Impact critical

CVE-2020-6506

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected products

Recommended 2 products

Product	Identifier	Version	Remediation
Unresolved product id: openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64		—	Vendor Fix
Unresolved product id: openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64		—	Vendor Fix

Threats

Impact moderate

CVE-2020-6507

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 2 products

Product	Identifier	Version	Remediation
Unresolved product id: openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64		—	Vendor Fix
Unresolved product id: openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64		—	Vendor Fix

Threats

Impact important

CVE-2020-6509

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected products

Recommended 2 products

Product	Identifier	Version	Remediation
Unresolved product id: openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64		—	Vendor Fix
Unresolved product id: openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64		—	Vendor Fix

Threats

Impact critical

References

24 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://bugzilla.suse.com/1173029	self
https://bugzilla.suse.com/1173063	self
https://bugzilla.suse.com/1173107	self
https://bugzilla.suse.com/1173187	self
https://bugzilla.suse.com/1173188	self
https://bugzilla.suse.com/1173251	self
https://bugzilla.suse.com/1173254	self
https://bugzilla.suse.com/1173292	self
https://www.suse.com/security/cve/CVE-2020-6505/	self
https://www.suse.com/security/cve/CVE-2020-6506/	self
https://www.suse.com/security/cve/CVE-2020-6507/	self
https://www.suse.com/security/cve/CVE-2020-6509/	self
https://www.suse.com/security/cve/CVE-2020-6505	external
https://bugzilla.suse.com/1173029	external
https://www.suse.com/security/cve/CVE-2020-6506	external
https://bugzilla.suse.com/1173029	external
https://www.suse.com/security/cve/CVE-2020-6507	external
https://bugzilla.suse.com/1173029	external
https://www.suse.com/security/cve/CVE-2020-6509	external
https://bugzilla.suse.com/1173251	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for chromium",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for chromium fixes the following issues:\n\nChromium was updated to 83.0.4103.116 (boo#1173251):\n\n* CVE-2020-6509: Use after free in extensions\n\nChromium was updated to 83.0.4103.106 (boo#1173029):\n\n* CVE-2020-6505: Use after free in speech\n* CVE-2020-6506: Insufficient policy enforcement in WebView\n* CVE-2020-6507: Out of bounds write in V8\n\nOther fixes:\n\n- Add patch to work with new ffmpeg wrt boo#1173292:\n- Add multimedia fix for disabled location and also try one\n  additional patch from Debian on the same issue boo#1173107\n- Disable wayland integration on 15.x boo#1173187 boo#1173188\n  boo#1173254\n- Enforce to not use system borders boo#1173063\n\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2020-893",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_0893-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2020:0893-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PJ7X57IWGLSUHYBIMARADLW7OWMGZ2JB/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2020:0893-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PJ7X57IWGLSUHYBIMARADLW7OWMGZ2JB/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1173029",
        "url": "https://bugzilla.suse.com/1173029"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1173063",
        "url": "https://bugzilla.suse.com/1173063"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1173107",
        "url": "https://bugzilla.suse.com/1173107"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1173187",
        "url": "https://bugzilla.suse.com/1173187"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1173188",
        "url": "https://bugzilla.suse.com/1173188"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1173251",
        "url": "https://bugzilla.suse.com/1173251"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1173254",
        "url": "https://bugzilla.suse.com/1173254"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1173292",
        "url": "https://bugzilla.suse.com/1173292"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-6505 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-6505/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-6506 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-6506/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-6507 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-6507/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-6509 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-6509/"
      }
    ],
    "title": "Security update for chromium",
    "tracking": {
      "current_release_date": "2020-06-28T12:16:33Z",
      "generator": {
        "date": "2020-06-28T12:16:33Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2020:0893-1",
      "initial_release_date": "2020-06-28T12:16:33Z",
      "revision_history": [
        {
          "date": "2020-06-28T12:16:33Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
                "product": {
                  "name": "chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
                  "product_id": "chromedriver-83.0.4103.116-lp152.2.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "chromium-83.0.4103.116-lp152.2.3.1.x86_64",
                "product": {
                  "name": "chromium-83.0.4103.116-lp152.2.3.1.x86_64",
                  "product_id": "chromium-83.0.4103.116-lp152.2.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.2",
                "product": {
                  "name": "openSUSE Leap 15.2",
                  "product_id": "openSUSE Leap 15.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "chromedriver-83.0.4103.116-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64"
        },
        "product_reference": "chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "chromium-83.0.4103.116-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64"
        },
        "product_reference": "chromium-83.0.4103.116-lp152.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-6505",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-6505"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Use after free in speech in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
          "openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-6505",
          "url": "https://www.suse.com/security/cve/CVE-2020-6505"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1173029 for CVE-2020-6505",
          "url": "https://bugzilla.suse.com/1173029"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-06-28T12:16:33Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2020-6505"
    },
    {
      "cve": "CVE-2020-6506",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-6506"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
          "openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-6506",
          "url": "https://www.suse.com/security/cve/CVE-2020-6506"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1173029 for CVE-2020-6506",
          "url": "https://bugzilla.suse.com/1173029"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-06-28T12:16:33Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-6506"
    },
    {
      "cve": "CVE-2020-6507",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-6507"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
          "openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-6507",
          "url": "https://www.suse.com/security/cve/CVE-2020-6507"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1173029 for CVE-2020-6507",
          "url": "https://bugzilla.suse.com/1173029"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-06-28T12:16:33Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-6507"
    },
    {
      "cve": "CVE-2020-6509",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-6509"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Use after free in extensions in Google Chrome prior to 83.0.4103.116 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
          "openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-6509",
          "url": "https://www.suse.com/security/cve/CVE-2020-6509"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1173251 for CVE-2020-6509",
          "url": "https://bugzilla.suse.com/1173251"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.2:chromedriver-83.0.4103.116-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:chromium-83.0.4103.116-lp152.2.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-06-28T12:16:33Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2020-6509"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-6506 (GCVE-0-2020-6506)

Solution

Solution

Pending mitigation

References

Tags

Sightings

Nomenclature