CVE-2023-2939Link Following in Google Chrome

CWE-59Link Following6 documents6 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 93.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Google ChromeChromiumDebian Chromium+2 more
Timeline
PublishedMay 30
Latest updateJun 13

Description

Insufficient data validation in Installer in Google Chrome on Windows prior to 114.0.5735.90 allowed a local attacker to perform privilege escalation via crafted symbolic link. (Chromium security severity: Medium)

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages6 packages

CVEListV5google/chrome114.0.5735.90114.0.5735.90
NVDgoogle/chrome< 114.0.5735.90
debiandebian/chromium< chromium 114.0.5735.90-2~deb12u1 (bookworm)
Debianchromium/chromium< 114.0.5735.90-2~deb11u1+3

🔴Vulnerability Details

2
GHSA
GHSA-vpfc-9392-2w4q: Insufficient data validation in Installer in Google Chrome on Windows prior to 1142023-05-31
OSV
CVE-2023-2939: Insufficient data validation in Installer in Google Chrome on Windows prior to 1142023-05-30

📋Vendor Advisories

3
Microsoft
Chromium: CVE-2023-2939 Insufficient data validation in Installer2023-06-13
Chrome
Stable Channel Update for Desktop: CVE-2023-29372023-05-30
Debian
CVE-2023-2939: chromium - Insufficient data validation in Installer in Google Chrome on Windows prior to 1...2023