CVE-2020-6550
Published 2020-09-21
Priority P2 · 60 · high · 8.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 29.29% (97.9th percentile)
Use after free in IndexedDB in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 87.0.4280.88-0.1 | 87.0.4280.88-0.1 |
| chromium | chromium | >= 0 < 87.0.4280.88-0.1 | 87.0.4280.88-0.1 |
| chromium | chromium | >= 0 < 87.0.4280.88-0.1 | 87.0.4280.88-0.1 |
| chromium | chromium | >= 0 < 87.0.4280.88-0.1 | 87.0.4280.88-0.1 |
| debian | chromium | < chromium 87.0.4280.88-0.1 (bookworm) | chromium 87.0.4280.88-0.1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| | chrome | < 84.0.4147.125 | 84.0.4147.125 |
| | chrome | >= unspecified < 84.0.4147.125 | 84.0.4147.125 |
| | chrome_chrome | — | — |
Detection & IOCs
- Vulnerability exists in Google Chrome versions prior to 84.0.4147.125; the affected component is IndexedDB (use-after-free heap corruption via a crafted HTML page)
- Upstream Chromium issue tracker bug ID 1106682 tracks the root cause; useful for patch diffing or PoC research
- Fixed version for Debian-based systems is 87.0.4280.88-0.1, not the upstream fix version 84.0.4147.125; detection based on version strings should account for both upstream and downstream patch versions
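CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |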
GHSA
GHSA-hr8v-c379-cg85: Use after free in IndexedDB in Google Chrome prior to 84
ghsa_unreviewed·2022-05-24
CVE-2020-6550 [HIGH] CWE-416 GHSA-hr8v-c379-cg85: Use after free in IndexedDB in Google Chrome prior to 84
Use after free in IndexedDB in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
OSV
CVE-2020-6550: Use after free in IndexedDB in Google Chrome prior to 84
osv·2020-09-21·CVSS 8.8
CVE-2020-6550 [HIGH] CVE-2020-6550: Use after free in IndexedDB in Google Chrome prior to 84
Use after free in IndexedDB in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Red Hat
chromium-browser: Use after free in IndexedDB
vendor_redhat·2020-08-10·CVSS 8.8
CVE-2020-6550 [HIGH] CWE-416 chromium-browser: Use after free in IndexedDB
Use after free in IndexedDB in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Chrome
Stable Channel Update for Desktop: CVE-2020-6550
vendor_chrome·2020-08-10·CVSS 8.8
CVE-2020-6550 [HIGH] Stable Channel Update for Desktop: CVE-2020-6550
Stable Channel Update for Desktop
CVE-2020-6550: Use after free in IndexedDB. Reported by Sergei Glazunov of Google Project Zero on 2020-07-17
[$N/A][ 1107815 ] High CVE-2020-6551: Use after free in WebXR
Reported by Sergei Glazunov of Google Project Zero on 2020-07-21
Severity: high
Debian
CVE-2020-6550: chromium - Use after free in IndexedDB in Google Chrome prior to 84.0.4147.125 allowed a re...
vendor_debian·2020·CVSS 8.8
CVE-2020-6550 [HIGH] CVE-2020-6550: chromium - Use after free in IndexedDB in Google Chrome prior to 84.0.4147.125 allowed a re...
Use after free in IndexedDB in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 87.0.4280.88-0.1)
bullseye: resolved (fixed in 87.0.4280.88-0.1)
forky: resolved (fixed in 87.0.4280.88-0.1)
sid: resolved (fixed in 87.0.4280.88-0.1)
trixie: resolved (fixed in 87.0.4280.88-0.1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-6542 CVE-2020-6543 CVE-2020-6544 CVE-2020-6545 CVE-2020-6546 CVE-2020-6547 CVE-2020-6548 CVE-2020-6549 CVE-2020-6550 CVE-2020-6551 CVE-2020-6552 CVE-2020-6553 CVE-2020-6554 CVE-2020-6555 chro
bugzilla·2020-08-11·CVSS 8.8
CVE-2020-6542 [HIGH] CVE-2020-6542 CVE-2020-6543 CVE-2020-6544 CVE-2020-6545 CVE-2020-6546 CVE-2020-6547 CVE-2020-6548 CVE-2020-6549 CVE-2020-6550 CVE-2020-6551 CVE-2020-6552 CVE-2020-6553 CVE-2020-6554 CVE-2020-6555 chro
CVE-2020-6542 CVE-2020-6543 CVE-2020-6544 CVE-2020-6545 CVE-2020-6546 CVE-2020-6547 CVE-2020-6548 CVE-2020-6549 CVE-2020-6550 CVE-2020-6551 CVE-2020-6552 CVE-2020-6553 CVE-2020-6554 CVE-2020-6555 chromium: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE b
Bugzilla
CVE-2020-6550 chromium-browser: Use after free in IndexedDB
bugzilla·2020-08-11·CVSS 8.8
CVE-2020-6550 [HIGH] CVE-2020-6550 chromium-browser: Use after free in IndexedDB
A use-after-free flaw was found in the IndexedDB component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=1106682
External References:
https://chromereleases.googleblog.com/2020/08/stable-channel-update-for-desktop.html
Discussion:
Created chromium tracking bugs for this issue:
Affects: epel-all [bug 1867957]
Affects: fedora-all [bug 1867956]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2020:3560 https://access.redhat.com/errata/RHSA-2020:3560
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-6550
Bugzilla
CVE-2020-6542 CVE-2020-6543 CVE-2020-6544 CVE-2020-6545 CVE-2020-6546 CVE-2020-6547 CVE-2020-6548 CVE-2020-6549 CVE-2020-6550 CVE-2020-6551 CVE-2020-6552 CVE-2020-6553 CVE-2020-6554 CVE-2020-6555 chro
bugzilla·2020-08-11·CVSS 8.8
CVE-2020-6542 [HIGH] CVE-2020-6542 CVE-2020-6543 CVE-2020-6544 CVE-2020-6545 CVE-2020-6546 CVE-2020-6547 CVE-2020-6548 CVE-2020-6549 CVE-2020-6550 CVE-2020-6551 CVE-2020-6552 CVE-2020-6553 CVE-2020-6554 CVE-2020-6555 chro
CVE-2020-6542 CVE-2020-6543 CVE-2020-6544 CVE-2020-6545 CVE-2020-6546 CVE-2020-6547 CVE-2020-6548 CVE-2020-6549 CVE-2020-6550 CVE-2020-6551 CVE-2020-6552 CVE-2020-6553 CVE-2020-6554 CVE-2020-6555 chromium: various flaws [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Bugzilla
CVE-2020-1734 ansible: shell enabled by default in a pipe lookup plugin subprocess
bugzilla·2020-02-11·CVSS 7.4
CVE-2020-1734 [HIGH] CVE-2020-1734 ansible: shell enabled by default in a pipe lookup plugin subprocess
The pipe lookup plugin uses subprocess.Popen() with shell=True. This can be used to run arbitrary commands by overwriting ansible facts and the variable is not escaped by quote plugin.
Discussion:
Acknowledgments:
Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)
---
Created ansible tracking bugs for this issue:
Affects: epel-all [bug 1805339]
Affects: fedora-all [bug 1805338]
---
Working to provide additional information regarding this issue; more details as you requested, affected versions as well as upstream links in case we already have. Prioritising this for now.
---
This was already reported (see https://github.com/ansible/ansible/issues/6550) but not fixed. The suggested cor
- http://packetstormsecurity.com/files/159609/Chrome-WebIDBGetDBNamesCallbacksImpl-SuccessNamesAndVersionsList-Use-After-Free.html
- https://chromereleases.googleblog.com/2020/08/stable-channel-update-for-desktop.html
- https://crbug.com/1106682
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EE7XWIZBME7JAY7N6CGPET4CLNHHEIVT/
- https://security.gentoo.org/glsa/202101-30
- https://www.debian.org/security/2021/dsa-4824
Published 2020-09-21