Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-4846.NASL
HistoryFeb 09, 2021 - 12:00 a.m.

Debian DSA-4846-1 : chromium - security update

2021-02-0900:00:00
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
16

8.7 High

AI Score

Confidence

Low

JSON

Several vulnerabilities have been discovered in the chromium web browser.

  • CVE-2020-16044 Ned Williamson discovered a use-after-free issue in the WebRTC implementation.

  • CVE-2021-21117 Rory McNamara discovered a policy enforcement issue in Cryptohome.

  • CVE-2021-21118 Tyler Nighswander discovered a data validation issue in the v8 JavaScript library.

  • CVE-2021-21119 A use-after-free issue was discovered in media handling.

  • CVE-2021-21120 Nan Wang and Guang Gong discovered a use-after-free issue in the WebSQL implementation.

  • CVE-2021-21121 Leecraso and Guang Gong discovered a use-after-free issue in the Omnibox.

  • CVE-2021-21122 Renata Hodovan discovered a use-after-free issue in Blink/WebKit.

  • CVE-2021-21123 Maciej Pulikowski discovered a data validation issue.

  • CVE-2021-21124 Chaoyang Ding discovered a use-after-free issue in the speech recognizer.

  • CVE-2021-21125 Ron Masas discovered a policy enforcement issue.

  • CVE-2021-21126 David Erceg discovered a policy enforcement issue in extensions.

  • CVE-2021-21127 Jasminder Pal Singh discovered a policy enforcement issue in extensions.

  • CVE-2021-21128 Liang Dong discovered a buffer overflow issue in Blink/WebKit.

  • CVE-2021-21129 Maciej Pulikowski discovered a policy enforcement issue.

  • CVE-2021-21130 Maciej Pulikowski discovered a policy enforcement issue.

  • CVE-2021-21131 Maciej Pulikowski discovered a policy enforcement issue.

  • CVE-2021-21132 David Erceg discovered an implementation error in the developer tools.

  • CVE-2021-21133 wester0x01 discovered a policy enforcement issue.

  • CVE-2021-21134 wester0x01 discovered a user interface error.

  • CVE-2021-21135 ndevtk discovered an implementation error in the Performance API.

  • CVE-2021-21136 Shiv Sahni, Movnavinothan V, and Imdad Mohammed discovered a policy enforcement error.

  • CVE-2021-21137 bobbybear discovered an implementation error in the developer tools.

  • CVE-2021-21138 Weipeng Jiang discovered a use-after-free issue in the developer tools.

  • CVE-2021-21139 Jun Kokatsu discovered an implementation error in the iframe sandbox.

  • CVE-2021-21140 David Manouchehri discovered uninitialized memory in the USB implementation.

  • CVE-2021-21141 Maciej Pulikowski discovered a policy enforcement error.

  • CVE-2021-21142 Khalil Zhani discovered a use-after-free issue.

  • CVE-2021-21143 Allen Parker and Alex Morgan discovered a buffer overflow issue in extensions.

  • CVE-2021-21144 Leecraso and Guang Gong discovered a buffer overflow issue.

  • CVE-2021-21145 A use-after-free issue was discovered.

  • CVE-2021-21146 Alison Huffman and Choongwoo Han discovered a use-after-free issue.

  • CVE-2021-21147 Roman Starkov discovered an implementation error in the skia library.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-4846. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(146318);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/22");

  script_cve_id(
    "CVE-2020-16044",
    "CVE-2021-21117",
    "CVE-2021-21118",
    "CVE-2021-21119",
    "CVE-2021-21120",
    "CVE-2021-21121",
    "CVE-2021-21122",
    "CVE-2021-21123",
    "CVE-2021-21124",
    "CVE-2021-21125",
    "CVE-2021-21126",
    "CVE-2021-21127",
    "CVE-2021-21128",
    "CVE-2021-21129",
    "CVE-2021-21130",
    "CVE-2021-21131",
    "CVE-2021-21132",
    "CVE-2021-21133",
    "CVE-2021-21134",
    "CVE-2021-21135",
    "CVE-2021-21136",
    "CVE-2021-21137",
    "CVE-2021-21138",
    "CVE-2021-21139",
    "CVE-2021-21140",
    "CVE-2021-21141",
    "CVE-2021-21142",
    "CVE-2021-21143",
    "CVE-2021-21144",
    "CVE-2021-21145",
    "CVE-2021-21146",
    "CVE-2021-21147"
  );
  script_xref(name:"DSA", value:"4846");

  script_name(english:"Debian DSA-4846-1 : chromium - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security-related update.");
  script_set_attribute(attribute:"description", value:
"Several vulnerabilities have been discovered in the chromium web
browser.

  - CVE-2020-16044
    Ned Williamson discovered a use-after-free issue in the
    WebRTC implementation.

  - CVE-2021-21117
    Rory McNamara discovered a policy enforcement issue in
    Cryptohome.

  - CVE-2021-21118
    Tyler Nighswander discovered a data validation issue in
    the v8 JavaScript library.

  - CVE-2021-21119
    A use-after-free issue was discovered in media handling.

  - CVE-2021-21120
    Nan Wang and Guang Gong discovered a use-after-free
    issue in the WebSQL implementation.

  - CVE-2021-21121
    Leecraso and Guang Gong discovered a use-after-free
    issue in the Omnibox.

  - CVE-2021-21122
    Renata Hodovan discovered a use-after-free issue in
    Blink/WebKit.

  - CVE-2021-21123
    Maciej Pulikowski discovered a data validation issue.

  - CVE-2021-21124
    Chaoyang Ding discovered a use-after-free issue in the
    speech recognizer.

  - CVE-2021-21125
    Ron Masas discovered a policy enforcement issue.

  - CVE-2021-21126
    David Erceg discovered a policy enforcement issue in
    extensions.

  - CVE-2021-21127
    Jasminder Pal Singh discovered a policy enforcement
    issue in extensions.

  - CVE-2021-21128
    Liang Dong discovered a buffer overflow issue in
    Blink/WebKit.

  - CVE-2021-21129
    Maciej Pulikowski discovered a policy enforcement issue.

  - CVE-2021-21130
    Maciej Pulikowski discovered a policy enforcement issue.

  - CVE-2021-21131
    Maciej Pulikowski discovered a policy enforcement issue.

  - CVE-2021-21132
    David Erceg discovered an implementation error in the
    developer tools.

  - CVE-2021-21133
    wester0x01 discovered a policy enforcement issue.

  - CVE-2021-21134
    wester0x01 discovered a user interface error.

  - CVE-2021-21135
    ndevtk discovered an implementation error in the
    Performance API.

  - CVE-2021-21136
    Shiv Sahni, Movnavinothan V, and Imdad Mohammed
    discovered a policy enforcement error.

  - CVE-2021-21137
    bobbybear discovered an implementation error in the
    developer tools.

  - CVE-2021-21138
    Weipeng Jiang discovered a use-after-free issue in the
    developer tools.

  - CVE-2021-21139
    Jun Kokatsu discovered an implementation error in the
    iframe sandbox.

  - CVE-2021-21140
    David Manouchehri discovered uninitialized memory in the
    USB implementation.

  - CVE-2021-21141
    Maciej Pulikowski discovered a policy enforcement error.

  - CVE-2021-21142
    Khalil Zhani discovered a use-after-free issue.

  - CVE-2021-21143
    Allen Parker and Alex Morgan discovered a buffer
    overflow issue in extensions.

  - CVE-2021-21144
    Leecraso and Guang Gong discovered a buffer overflow
    issue.

  - CVE-2021-21145
    A use-after-free issue was discovered.

  - CVE-2021-21146
    Alison Huffman and Choongwoo Han discovered a
    use-after-free issue.

  - CVE-2021-21147
    Roman Starkov discovered an implementation error in the
    skia library.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-16044");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21117");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21118");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21119");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21120");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21121");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21122");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21123");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21124");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21125");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21126");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21127");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21128");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21129");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21130");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21131");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21132");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21133");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21134");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21135");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21136");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21137");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21138");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21139");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21140");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21141");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21142");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21143");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21144");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21145");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21146");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21147");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/chromium");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/chromium");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2021/dsa-4846");
  script_set_attribute(attribute:"solution", value:
"Upgrade the chromium packages.

For the stable distribution (buster), these problems have been fixed
in version 88.0.4324.146-1~deb10u1.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-21117");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-21146");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/02/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/02/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/02/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:chromium");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"10.0", prefix:"chromium", reference:"88.0.4324.146-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"chromium-common", reference:"88.0.4324.146-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"chromium-driver", reference:"88.0.4324.146-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"chromium-l10n", reference:"88.0.4324.146-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"chromium-sandbox", reference:"88.0.4324.146-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"chromium-shell", reference:"88.0.4324.146-1~deb10u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
debiandebian_linuxchromiump-cpe:/a:debian:debian_linux:chromium
debiandebian_linux10.0cpe:/o:debian:debian_linux:10.0

References

Related

kaspersky 5
fedora 4
nessus 16
freebsd 2
debian 1
archlinux 3
openvas 16
chrome 2
gentoo 1
mageia 1
veracode 19
cvelist 22
mscve 18
debiancve 20
prion 19
alpinelinux 10
ubuntucve 20
cve 19
redhatcve 1
kaspersky
kaspersky
KLA12178 Multiple vulnerabilities in Opera
2021-02-03 00:00:00
KLA12048 Multiple vulnerabilities in Google Chrome
2021-01-19 00:00:00
KLA12049 Multiple vulnerabilities in Microsoft Browsers
2021-01-21 00:00:00
fedora
fedora
[SECURITY] Fedora 32 Update: chromium-88.0.4324.96-1.fc32
2021-01-31 01:10:19
[SECURITY] Fedora 33 Update: chromium-88.0.4324.96-1.fc33
2021-01-24 01:30:29
[SECURITY] Fedora 32 Update: chromium-88.0.4324.150-1.fc32
2021-02-17 05:09:44
nessus
nessus
Fedora 32 : chromium (2021-b7cc24375b)
2021-02-01 00:00:00
Google Chrome < 88.0.4324.96 Multiple Vulnerabilities
2021-01-19 00:00:00
openSUSE Security Update : chromium (openSUSE-2021-173)
2021-02-01 00:00:00
freebsd
freebsd
chromium -- multiple vulnerabilities
2021-01-19 00:00:00
www/chromium -- multiple vulnerabilities
2021-02-02 00:00:00
debian
debian
[SECURITY] [DSA 4846-1] chromium security update
2021-02-07 19:07:28
archlinux
archlinux
[ASA-202102-4] vivaldi: multiple issues
2021-02-06 00:00:00
[ASA-202102-5] opera: multiple issues
2021-02-06 00:00:00
[ASA-202102-6] chromium: multiple issues
2021-02-06 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-4846-1)
2021-02-09 00:00:00
Fedora: Security Advisory for chromium (FEDORA-2021-b7cc24375b)
2021-02-01 00:00:00
Fedora: Security Advisory for chromium (FEDORA-2021-48866282e5)
2021-01-25 00:00:00
chrome
chrome
Stable Channel Update for Desktop
2021-01-19 00:00:00
Stable Channel Update for Desktop
2021-02-02 00:00:00
gentoo
gentoo
Chromium, Google Chrome: Multiple vulnerabilities
2021-01-22 00:00:00
mageia
mageia
Updated qtwebengine5 packages fix security vulnerabilities
2021-08-15 11:38:04
veracode
veracode
Denial Of Service (DoS)
2021-01-22 21:32:18
Sandbox Restrictions Bypass
2021-01-22 21:31:44
Privilege Escalation
2021-01-22 21:32:26
cvelist
cvelist
CVE-2021-21134
2021-02-09 13:56:06
CVE-2021-21117
2021-02-09 13:55:55
CVE-2021-21140
2021-02-09 13:56:10
mscve
mscve
Chromium CVE-2021-21130: Insufficient policy enforcement in File System API
2021-01-21 08:00:00
Chromium CVE-2021-21119: Use after free in Media
2021-01-21 08:00:00
Chromium CVE-2021-21132: Inappropriate implementation in DevTools
2021-01-21 08:00:00
debiancve
debiancve
CVE-2021-21117
2021-02-09 14:15:15
CVE-2021-21142
2021-02-09 15:15:13
CVE-2021-21122
2021-02-09 14:15:15
prion
prion
Double free
2021-02-09 15:15:00
Design/Logic Flaw
2021-02-09 14:15:00
Design/Logic Flaw
2021-02-09 14:15:00
alpinelinux
alpinelinux
CVE-2021-21146
2021-02-09 15:15:13
CVE-2021-21132
2021-02-09 14:15:16
CVE-2021-21138
2021-02-09 14:15:16
ubuntucve
ubuntucve
CVE-2021-21133
2021-02-09 00:00:00
CVE-2021-21138
2021-02-09 00:00:00
CVE-2021-21144
2021-02-09 00:00:00
cve
cve
CVE-2021-21138
2021-02-09 14:15:16
CVE-2021-21129
2021-02-09 14:15:16
CVE-2021-21122
2021-02-09 14:15:15
redhatcve
redhatcve
CVE-2021-21131
2022-05-20 22:45:08

8.7 High

AI Score

Confidence

Low

JSON
Related for DEBIAN_DSA-4846.NASL
kaspersky5fedora4nessus16freebsd2debian1archlinux3openvas16chrome2gentoo1mageia1veracode19cvelist22mscve18debiancve20prion19alpinelinux10ubuntucve20cve19redhatcve1