CVE-2017-5081
low
CVSS v3
3.3
CVSS v2
2.1
VIR risk
3.3
Description
Lack of verification of an extension's locale folder in Google Chrome prior to 59.0.3071.86 for Mac, Windows, and Linux, and 59.0.3071.92 for Android, allowed an attacker with local write access to modify extensions by modifying extension files.
Predictions
Exploit likelihood
34%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: arch — https://security.archlinux.org/ASA-201706-8
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | fixed | 59.0.3071.86-1 | |
| rhel | 6.0 | affected | |
| macos | - | not-affected | |
| linux-kernel | - | not-affected | |
| debian | 9.0 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| chrome | {"endExcluding":"59.0.3071.86"} | 59.0.3071.86 |
References
- https://security.archlinux.org/ASA-201706-8
- http://www.securityfocus.com/bid/98861
- http://www.securitytracker.com/id/1038622
- https://access.redhat.com/errata/RHSA-2017:1399
- https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html
- https://crbug.com/672008
- https://security.gentoo.org/glsa/201706-20
CWEs
CWE-20
Verify integrity in audit chain (admin only). AS-IS.