CVE-2024-0804 in Chrome

Summary

by MITRE • 01/24/2024

Insufficient policy enforcement in iOS Security UI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Analysis

by VulDB Data Team • 02/17/2024

The vulnerability identified as CVE-2024-0804 represents a critical weakness in the iOS Security UI implementation within Google Chrome browsers. This flaw stems from inadequate policy enforcement mechanisms that fail to properly restrict cross-origin data access, creating a pathway for malicious actors to exploit the browser's security boundaries. The vulnerability specifically affects versions of Chrome prior to 121.0.6167.85, indicating a targeted issue within a particular release cycle that required immediate attention from security teams and users alike.

The technical nature of this vulnerability involves the manipulation of HTML content to bypass security restrictions that should normally prevent unauthorized access to data from different origins. Attackers can craft malicious web pages that exploit the insufficient policy enforcement to extract sensitive information from cross-origin contexts, potentially accessing data that should remain isolated between different websites or domains. This type of vulnerability falls under the category of cross-origin resource sharing (CORS) policy enforcement failures and aligns with CWE-693, which specifically addresses protection mechanism failures in software implementations.

The operational impact of CVE-2024-0804 extends beyond simple data leakage, as it represents a fundamental breakdown in the browser's security model that could enable more sophisticated attacks. Remote attackers can leverage this vulnerability without requiring any local privileges or user interaction beyond visiting a malicious website, making it particularly dangerous in environments where users may encounter untrusted content. The medium severity classification by Chromium security teams indicates that while the vulnerability doesn't allow for complete system compromise, it does provide significant access to cross-origin data that could be exploited for reconnaissance, credential theft, or further attack vectors.

From a threat modeling perspective, this vulnerability maps to several ATT&CK techniques including T1071.001 for application layer protocols and T1566 for credential access through social engineering. The attack surface is particularly concerning for enterprise environments where users may encounter malicious websites through phishing campaigns or compromised web applications. Organizations should consider implementing additional network monitoring and web filtering measures to detect and prevent exploitation attempts while awaiting patch deployment. The vulnerability demonstrates the ongoing challenges in maintaining robust security boundaries within modern browsers that must balance functionality with protection against increasingly sophisticated attacks.

Mitigation strategies should prioritize immediate patching of affected Chrome versions to the recommended 121.0.6167.85 or later releases, as this addresses the core policy enforcement weakness. Security teams should also implement browser hardening measures including disabling unnecessary features, configuring strict content security policies, and monitoring for suspicious cross-origin requests. Network-level protections such as web application firewalls and intrusion detection systems can provide additional defense in depth, though they cannot fully compensate for the underlying browser vulnerability. Regular security assessments should verify that browser configurations align with security best practices and that users maintain updated software versions across all devices.

Reservation: 01/23/2024
Disclosure: 01/24/2024
Moderation: accepted
CPE: ready
EPSS: 0.00491
KEV: no
Activities: very low
