CVE-2021-30538
published 2021-06-07CVE-2021-30538: Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy…
PriorityP274medium4.3CVSS 3.1
AVNACLPRNUIRSUCNILAN
ITWVulnCheck KEV
Exploited in the wild
EPSS
15.73%
96.5th percentile
Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| debian | chromium | < chromium 93.0.4577.82-1 (bookworm) | chromium 93.0.4577.82-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| chrome | < 91.0.4472.77 | 91.0.4472.77 | |
| chrome | >= unspecified < 91.0.4472.77 | 91.0.4472.77 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Vulnerability is triggered via a crafted HTML page targeting Content Security Policy enforcement in Chrome prior to 91.0.4472.77 and Edge prior to 91.0.864.37 ↗
- ·Fixed in Google Chrome 91.0.4472.77; versions prior to this are vulnerable to CSP bypass ↗
- ·Debian resolved the vulnerability in chromium package version 93.0.4577.82-1 across bookworm, bullseye, forky, sid, and trixie ↗
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv4.3MEDIUM
vulncheck4.3MEDIUM
vendor_debian4.3MEDIUM
vendor_msrc4.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Chrome
Stable Channel Update for Desktop: CVE-2021-30538
vendor_chrome·2021-05-25·CVSS 4.3
CVE-2021-30538 [LOW] Stable Channel Update for Desktop: CVE-2021-30538
Stable Channel Update for Desktop
CVE-2021-30538: Insufficient policy enforcement in content security policy. Reported by Tianze Ding (@D1iv3) of Tencent Security Xuanwu Lab on 2020-08-11 [$1000][ 971231 ] Low CVE-2021-30539: Insufficient policy enforcement in content security policy
Reported by unnamed researcher on 2019-06-05 [$500][ 1184147 ] Low CVE-2021-30540: Incorrect security UI in payments
Severity: low
Microsoft
Chromium: CVE-2021-30538 Insufficient policy enforcement in content security policy
vendor_msrc·2021-05-11·CVSS 4.3
CVE-2021-30538 [MEDIUM] Chromium: CVE-2021-30538 Insufficient policy enforcement in content security policy
Chromium: CVE-2021-30538 Insufficient policy enforcement in content security policy
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information
FAQ: What is the version information for this release?
Microsoft Edge Version
Date Released
Based on Chromium Version
91.0.864.37
5/27/2021
91.0.4472.77
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the
Debian
CVE-2021-30538: chromium - Insufficient policy enforcement in content security policy in Google Chrome prio...
vendor_debian·2021·CVSS 4.3
CVE-2021-30538 [MEDIUM] CVE-2021-30538: chromium - Insufficient policy enforcement in content security policy in Google Chrome prio...
Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 93.0.4577.82-1)
bullseye: resolved (fixed in 93.0.4577.82-1)
forky: resolved (fixed in 93.0.4577.82-1)
sid: resolved (fixed in 93.0.4577.82-1)
trixie: resolved (fixed in 93.0.4577.82-1)
GHSA
GHSA-gpxj-hxrf-jj37: Insufficient policy enforcement in content security policy in Google Chrome prior to 91
ghsa_unreviewed·2022-05-24
CVE-2021-30538 [MEDIUM] CWE-863 GHSA-gpxj-hxrf-jj37: Insufficient policy enforcement in content security policy in Google Chrome prior to 91
Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
OSV
CVE-2021-30538: Insufficient policy enforcement in content security policy in Google Chrome prior to 91
osv·2021-06-07·CVSS 4.3
CVE-2021-30538 [MEDIUM] CVE-2021-30538: Insufficient policy enforcement in content security policy in Google Chrome prior to 91
Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
VulnCheck
Google Chrome Incorrect Authorization
vulncheck·2021·CVSS 4.3
CVE-2021-30538 [MEDIUM] Google Chrome Incorrect Authorization
Google Chrome Incorrect Authorization
Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
Affected: Google Chrome
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-landscape-report-2h-2023.pdf
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.htmlhttps://crbug.com/1115045https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54/https://security.gentoo.org/glsa/202107-06https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.htmlhttps://crbug.com/1115045https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54/https://security.gentoo.org/glsa/202107-06
2021-06-07
Published
Exploited in the wild