CVE-2023-1227 — Use After Free in Google Chrome

CWE-416 — Use After Free CWE-611 — XML External Entity (XXE) Injection CWE-79 — Cross-site Scripting CWE-22 — Path Traversal11 documents7 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 51.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome Chromium Debian Chromium +1 more

Timeline

PublishedMar 7

Latest updateSep 6

Description

Use after free in Core in Google Chrome on Lacros prior to 111.0.5563.64 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via crafted UI interaction. (Chromium security severity: Medium)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5google/chrome111.0.5563.64 — 111.0.5563.64

▶NVDgoogle/chrome< 111.0.5563.64

▶googlegoogle/chrome_chrome

▶debiandebian/chromium< chromium 111.0.5563.64-1 (bookworm)

▶Debianchromium/chromium< 111.0.5563.64-1~deb11u1+3

🔴Vulnerability Details

GHSA

Job Configuration History Plugin's path traversal allows exploiting XXE vulnerability↗2023-09-06

▶

GHSA

XSS vulnerability in Jenkins Job Configuration History Plugin↗2023-09-06

▶

GHSA

Path traversal in Jenkins Job Configuration History Plugin↗2023-09-06

▶

GHSA

Path traversal allows exploiting XXE vulnerability in Jenkins Job Configuration History Plugin↗2023-09-06

▶

GHSA

GHSA-jh2x-5f5p-c896: Use after free in Core in Google Chrome on Lacros prior to 111↗2023-03-08

▶

📋Vendor Advisories

Chrome

Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2023-1227↗2023-03-09

▶

Chrome

Stable Channel Update for Desktop: CVE-2023-1225↗2023-03-07

▶

Debian

CVE-2023-1227: chromium - Use after free in Core in Google Chrome on Lacros prior to 111.0.5563.64 allowed...↗2023

▶

💬Community

Bugzilla

CVE-2023-3966 openvswsitch: ovs-vswitch fails to recover after malformed geneve metadata packet↗2023-03-15

▶