CVE-2020-6380Incorrect Authorization in Google Chrome

CWE-863Incorrect AuthorizationCWE-20Improper Input Validation9 documents7 sources
Severity
8.8HIGHNVD
EPSS
0.3%
top 47.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Google ChromeChromiumDebian Chromium+2 more
Timeline
PublishedFeb 11
Latest updateMay 24

Description

Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.130 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted Chrome Extension.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

CVEListV5google/chromeunspecified79.0.3945.130
NVDgoogle/chrome< 79.0.3945.130
debiandebian/chromium< chromium 79.0.3945.130-1 (bookworm)
Debianchromium/chromium< 79.0.3945.130-1+3

Also affects: Fedora 30

🔴Vulnerability Details

2
GHSA
GHSA-vhfr-653c-g79j: Insufficient policy enforcement in extensions in Google Chrome prior to 792022-05-24
OSV
CVE-2020-6380: Insufficient policy enforcement in extensions in Google Chrome prior to 792020-02-11

📋Vendor Advisories

3
Red Hat
chromium-browser: extension message verification error2020-01-16
Chrome
Stable Channel Update for Desktop: CVE-2020-63802020-01-16
Debian
CVE-2020-6380: chromium - Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.394...2020

💬Community

3
Bugzilla
CVE-2020-6380 chromium-browser: extension message verification error2020-01-21
Bugzilla
CVE-2020-6380 chromium: chromium-browser: extension message verification error [fedora-all]2020-01-21
Bugzilla
CVE-2020-6380 chromium: chromium-browser: extension message verification error [epel-all]2020-01-21