CVE-2018-18358 — Improper Input Validation in Google Chrome

CWE-20 — Improper Input Validation7 documents7 sources

Severity

5.7MEDIUMNVD

EPSS

0.1%

top 70.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome Chromium Debian Linux +3 more

Timeline

PublishedDec 11

Latest updateMay 14

Description

Lack of special casing of localhost in WPAD files in Google Chrome prior to 71.0.3578.80 allowed an attacker on the local network segment to proxy resources on localhost via a crafted WPAD file.

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.1 | Impact: 3.6

Affected Packages6 packages

▶CVEListV5google/chromeunspecified — 71.0.3578.80

▶NVDgoogle/chrome< 71.0.3578.80

▶Debianchromium/chromium< 71.0.3578.80-1+3

▶NVDredhat/enterprise_linux_server6.0

▶NVDredhat/enterprise_linux_desktop6.0

Also affects: Debian Linux 9.0

🔴Vulnerability Details

GHSA

GHSA-x2qc-mfcw-3v2v: Lack of special casing of localhost in WPAD files in Google Chrome prior to 71↗2022-05-14

▶

CVEList

CVE-2018-18358: Lack of special casing of localhost in WPAD files in Google Chrome prior to 71↗2018-12-11

▶

OSV

CVE-2018-18358: Lack of special casing of localhost in WPAD files in Google Chrome prior to 71↗2018-12-11

▶

📋Vendor Advisories

Red Hat

chromium-browser: Insufficient policy enforcement in Proxy↗2018-12-04

▶

Debian

CVE-2018-18358: chromium - Lack of special casing of localhost in WPAD files in Google Chrome prior to 71.0...↗2018

▶

💬Community

Bugzilla

CVE-2018-18358 chromium-browser: Insufficient policy enforcement in Proxy↗2018-12-05

▶