CVE-2021-21177
Published 2021-03-09
CVE-2021-21177: Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from…
Priority: P3 · 39 · medium · 6.5 (CVSS 3.1)
AV:N · AC:L · PR:N · UI:R · S:U · C:H · I:N · A:N
EPSS: 17.29% (96.7th percentile)
Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 89.0.4389.82-1 | 89.0.4389.82-1 |
| chromium | chromium | >= 0 < 89.0.4389.82-1 | 89.0.4389.82-1 |
| chromium | chromium | >= 0 < 89.0.4389.82-1 | 89.0.4389.82-1 |
| chromium | chromium | >= 0 < 89.0.4389.82-1 | 89.0.4389.82-1 |
| debian | chromium | < chromium 89.0.4389.82-1 (bookworm) | chromium 89.0.4389.82-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| | chrome | < 89.0.4389.72 | 89.0.4389.72 |
| | chrome | >= unspecified < 89.0.4389.72 | 89.0.4389.72 |
| | chrome_chrome | — | — |
| msrc | microsoft_edge | — | — |
CVSS provenance
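| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_msrc | — | 6.5 | MEDIUM | — |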
GHSA
GHSA-8cgc-7wjm-rf9r: Insufficient policy enforcement in Autofill in Google Chrome prior to 89
ghsa_unreviewed·2022-05-24
CVE-2021-21177 [MEDIUM] CWE-287 GHSA-8cgc-7wjm-rf9r: Insufficient policy enforcement in Autofill in Google Chrome prior to 89
Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
OSV
CVE-2021-21177: Insufficient policy enforcement in Autofill in Google Chrome prior to 89
osv·2021-03-09·CVSS 6.5
CVE-2021-21177 [MEDIUM] CVE-2021-21177: Insufficient policy enforcement in Autofill in Google Chrome prior to 89
Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
Microsoft
Chromium CVE-2021-21177: Insufficient policy enforcement in Autofill
vendor_msrc·2021-03-09·CVSS 6.5
CVE-2021-21177 [MEDIUM] Chromium CVE-2021-21177: Insufficient policy enforcement in Autofill
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 do
Chrome
Stable Channel Update for Desktop: CVE-2021-21177
vendor_chrome·2021-03-02·CVSS 6.5
CVE-2021-21177 [MEDIUM] Stable Channel Update for Desktop: CVE-2021-21177
Stable Channel Update for Desktop
CVE-2021-21177: Insufficient policy enforcement in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-03
[$TBD][1174186] Medium CVE-2021-21178: Inappropriate implementation in Compositing. Reported by Japong on 2021-02-03
[$TBD][1174943] Medium CVE-2021-21179: Use after free in Network Internals
Severity: medium
Debian
CVE-2021-21177: chromium - Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389....
vendor_debian·2021·CVSS 6.5
CVE-2021-21177 [MEDIUM] CVE-2021-21177: chromium - Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389....
Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 89.0.4389.82-1)
bullseye: resolved (fixed in 89.0.4389.82-1)
forky: resolved (fixed in 89.0.4389.82-1)
sid: resolved (fixed in 89.0.4389.82-1)
trixie: resolved (fixed in 89.0.4389.82-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
https://crbug.com/1173879
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BBT54RKAE5XLMWSHLVUKJ7T2XHHYMXLH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FE5SIKEVYTMDCC5OSXGOM2KRPYLHYMQX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCIDZ77XUDMB2EBPPWCQXPEIJERDNSNT/
https://security.gentoo.org/glsa/202104-08
https://www.debian.org/security/2021/dsa-4886
Published: 2021-03-09