CVE-2022-3047Client-Side Enforcement of Server-Side Security in Google Chrome

CWE-602Client-Side Enforcement of Server-Side SecurityCWE-863Incorrect Authorization6 documents6 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 68.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Google ChromeChromiumDebian Chromium+3 more
Timeline
PublishedSep 26
Latest updateSep 27

Description

Insufficient policy enforcement in Extensions API in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to bypass downloads policy via a crafted HTML page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

CVEListV5google/chromeunspecified105.0.5195.52
NVDgoogle/chrome< 105.0.5195.52
debiandebian/chromium< chromium 105.0.5195.52-1 (bookworm)
Debianchromium/chromium< 105.0.5195.52-1~deb11u1+3

Also affects: Fedora 37

Patches

Patch: chromereleases.googleblog.comPatch: chromereleases.googleblog.com

🔴Vulnerability Details

2
GHSA
GHSA-4wg5-gh53-4jf5: Insufficient policy enforcement in Extensions API in Google Chrome prior to 1052022-09-27
OSV
CVE-2022-3047: Insufficient policy enforcement in Extensions API in Google Chrome prior to 1052022-09-26

📋Vendor Advisories

3
Microsoft
Chromium: CVE-2022-3047 Insufficient policy enforcement in Extensions API2022-09-13
Chrome
Stable Channel Update for Desktop: CVE-2022-30472022-08-30
Debian
CVE-2022-3047: chromium - Insufficient policy enforcement in Extensions API in Google Chrome prior to 105....2022