CVE-2024-3847 in Chromeinfo

Summary

by MITRE • 04/17/2024

Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/05/2025

The vulnerability identified as CVE-2024-3847 represents a significant weakness in Google Chrome's WebUI security architecture that existed prior to version 124.0.6367.60. This flaw manifests as insufficient policy enforcement within the browser's web user interface component, creating a pathway for malicious actors to circumvent critical security controls. The issue specifically affects the content security policy implementation, which serves as a fundamental defense mechanism against cross-site scripting attacks and other web-based exploits. Content security policies are designed to prevent unauthorized script execution and restrict the sources from which content can be loaded, making their bypass particularly concerning for browser security.

The technical nature of this vulnerability stems from inadequate validation and enforcement mechanisms within Chrome's WebUI subsystem. When users interact with web pages, the browser's content security policy should rigorously enforce restrictions on script execution, resource loading, and other potentially dangerous operations. However, this flaw allows remote attackers to craft specially designed HTML pages that can bypass these protective measures. The vulnerability operates at the policy enforcement layer, where the system fails to properly validate or apply security constraints that should normally prevent malicious code from executing within the browser context. This represents a failure in the browser's security model implementation, specifically in how it handles policy enforcement for web user interface components.

The operational impact of CVE-2024-3847 extends beyond simple privilege escalation, as it enables attackers to potentially execute arbitrary code on affected systems through crafted web content. Remote attackers can leverage this vulnerability by hosting malicious HTML pages that exploit the insufficient policy enforcement to bypass content security restrictions. This could allow for various malicious activities including credential theft, data exfiltration, or further exploitation of the victim's system. The low severity classification from Chromium security team does not diminish the potential risk, as content security policy bypasses often serve as stepping stones for more sophisticated attacks. The vulnerability affects all users of affected Chrome versions, creating a broad attack surface that could be exploited through various delivery mechanisms including phishing campaigns, malicious websites, or compromised web applications.

Mitigation strategies for CVE-2024-3847 primarily focus on immediate remediation through browser updates to version 124.0.6367.60 or later, which contains the necessary patches to address the insufficient policy enforcement issue. Organizations should prioritize updating their Chrome installations across all affected systems and implement automated update mechanisms where possible. Security teams should also consider implementing additional network-level protections such as web application firewalls that can detect and block malicious HTML content, though these measures should complement rather than replace the core browser updates. The vulnerability aligns with CWE-693, which addresses protection mechanism failures, and relates to ATT&CK technique T1059.004 for scripting languages and T1566 for social engineering attacks that could leverage this weakness. Regular security assessments should include verification of browser versions and security configurations to ensure that such policy enforcement gaps are not present in the organization's attack surface.

Reservation

04/15/2024

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00801

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!