A vulnerability classified as critical was found in Google Chrome (Web Browser). Affected by this vulnerability is an unknown code block of the component Protocol Handler. The manipulation as part of a HTML Page leads to a privileges management vulnerability. The CWE definition for the vulnerability is CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Inappropriate implementation in external protocol handlers in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

The weakness was published 07/22/2020 (Website). The advisory is shared at chromereleases.googleblog.com. This vulnerability is known as CVE-2020-6522 since 01/08/2020. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 07/23/2020). It is expected to see the exploit prices for this product increasing in the near future.MITRE ATT&CK project uses the attack technique T1068 for this issue.

Upgrading to version 84.0.4147.89 eliminates this vulnerability.

Similar entries are available at 158893, 158894, 158895 and 158896.

Productinfo

Type

• Web Browser

Vendor

• Google

Name

• Chrome

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion