CVE-2018-16081 — Missing Authorization in Google Chrome

CWE-862 — Missing Authorization6 documents6 sources

Severity

7.4HIGHNVD

EPSS

0.2%

top 57.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome Redhat Enterprise Linux Desktop Redhat Enterprise Linux Server +1 more

Timeline

PublishedJan 9

Latest updateMay 13

Description

Allowing the chrome.debugger API to run on file:// URLs in DevTools in Google Chrome prior to 69.0.3497.81 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system without file access permission via a crafted Chrome Extension.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:NExploitability: 2.8 | Impact: 4.0

Affected Packages5 packages

▶CVEListV5google/chromeunspecified — 69.0.3497.81

▶NVDgoogle/chrome< 69.0.3497.81

▶NVDredhat/enterprise_linux_server6.0

▶NVDredhat/enterprise_linux_desktop6.0

▶NVDredhat/enterprise_linux_workstation6.0

🔴Vulnerability Details

GHSA

GHSA-h5rc-j9f7-wmr8: Allowing the chrome↗2022-05-13

▶

CVEList

CVE-2018-16081: Allowing the chrome↗2019-01-09

▶

OSV

CVE-2018-16081: Allowing the chrome↗2019-01-09

▶

📋Vendor Advisories

Red Hat

chromium-browser: Local file access in DevTools↗2018-09-04

▶

💬Community

Bugzilla

CVE-2018-16081 chromium-browser: Local file access in DevTools↗2018-09-05

▶