CVE-2022-0971 An attacker who compromised the renderer process could potentially exploit heap corruption after an FFADV in GAE before 99.0.4844.74.

CVE-2022-0971 An attacker who compromised the renderer process could potentially exploit heap corruption after an FFADV in GAE before 99.0.4844.74.

This issue was addressed by improved validation of renderer process script origins. After the renderer process is created, origin restrictions are now enforced.

CVE-2018-5407: Google Chrome prior to version 72 did not properly restrict the renderer process’s access to the file system.

As a result, an attacker could potentially have established a remote channel to download and run arbitrary code on the device.

CVE-2018-5408: Google Chrome prior to version 72 allowed renderer processes to access content on local filesystems, which resulted in renderer processes being able to modify local files.

As a result, an attacker could potentially have established a remote channel to inject or steal local files.

CVE-2018-5409: Google Chrome prior to version 72 allowed renderer processes to access the file system, which resulted in renderer processes being able to read local files.
Factory data storage in Chrome prior to version 72 allowed renderer processes to access local files, which could lead to local files being exposed.

As a result, an attacker could potentially have established a remote channel to steal sensitive information from local files.

CVE-2018-5410: Google Chrome prior to version 72 allowed renderer processes to access the file system, which resulted in renderer processes being able to read local files.

Factory data storage in Chrome prior to version 72 allowed renderer processes to access local files, which could lead to local files

Authentication and session management

CVE-2018-5411: Google Chrome prior to version 72 allowed renderer processes to control the browser's clipboard, which could lead to data being exposed.

As a result, an attacker could potentially have established a remote channel to steal sensitive information from the clipboard.

CVE-2018-5412: Google Chrome prior to version 72 allowed renderer processes to access content on local filesystems, which resulted in an attacker being able to modify local files.
Factory data storage in Chrome prior to version 72 allowed renderer processes to access content on local filesystems, which could lead to an attacker being able to modify local files.

Protect Server Side Resources With Origin Verification

Server side resources, like scripts and stylesheets, should be protected with server-side origin validation.

Chrome OS

Security Enhancements
The following security enhancements have been implemented in Chrome OS:

- Enhanced sandboxing with a new entropy source.
- New app sandboxing policy.
- Improved policy enforcement checks to prevent privilege escalation.
- App can now be prevented from accessing USB devices without user approval.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe