CVE-2022-2163 - OpenCVE

Use after free in Cast UI and Toolbar in Google Chrome prior to 103.0.5060.134 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via UI interaction.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Fedoraproject	Extra Packages For Enterprise Linux Fedora
Google	Chrome

Configuration 1 [-]

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*

References

Link	Resource
https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop_19.html	Release Notes Vendor Advisory
https://crbug.com/1308341	Permissions Required Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5BQRTR4SIUNIHLLPWTGYSDNQK7DYCRSB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H2C4XOJVIILDXTOSMWJXHSQNEXFWSOD7/
https://security.gentoo.org/glsa/202208-25	Third Party Advisory
https://security.gentoo.org/glsa/202208-35	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Chrome

Published: 2022-07-28T01:00:25

Updated: 2022-08-21T07:10:21

Reserved: 2022-06-21T00:00:00

Link: CVE-2022-2163

JSON object: View

NVD Information

Status : Modified

Published: 2022-07-28T02:15:07.367

Modified: 2023-11-07T03:46:15.713

Link: CVE-2022-2163

JSON object: View

Redhat Information

No data.

CWE

CWE-416

{"containers": {"cna": {"affected": [{"product": "Chrome", "vendor": "Google", "versions": [{"lessThan": "103.0.5060.134", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in Cast UI and Toolbar in Google Chrome prior to 103.0.5060.134 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via UI interaction."}], "problemTypes": [{"descriptions": [{"description": "Use after free", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-21T07:10:21", "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://crbug.com/1308341"}, {"tags": ["x_refsource_MISC"], "url": "https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop_19.html"}, {"name": "FEDORA-2022-0102ccc2a2", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5BQRTR4SIUNIHLLPWTGYSDNQK7DYCRSB/"}, {"name": "FEDORA-2022-1d3d5a0341", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H2C4XOJVIILDXTOSMWJXHSQNEXFWSOD7/"}, {"name": "GLSA-202208-25", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-25"}, {"name": "GLSA-202208-35", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-35"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "chrome-cve-admin@google.com", "ID": "CVE-2022-2163", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Chrome", "version": {"version_data": [{"version_affected": "<", "version_value": "103.0.5060.134"}]}}]}, "vendor_name": "Google"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Use after free in Cast UI and Toolbar in Google Chrome prior to 103.0.5060.134 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via UI interaction."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use after free"}]}]}, "references": {"reference_data": [{"name": "https://crbug.com/1308341", "refsource": "MISC", "url": "https://crbug.com/1308341"}, {"name": "https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop_19.html", "refsource": "MISC", "url": "https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop_19.html"}, {"name": "FEDORA-2022-0102ccc2a2", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5BQRTR4SIUNIHLLPWTGYSDNQK7DYCRSB/"}, {"name": "FEDORA-2022-1d3d5a0341", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H2C4XOJVIILDXTOSMWJXHSQNEXFWSOD7/"}, {"name": "GLSA-202208-25", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-25"}, {"name": "GLSA-202208-35", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-35"}]}}}}, "cveMetadata": {"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "assignerShortName": "Chrome", "cveId": "CVE-2022-2163", "datePublished": "2022-07-28T01:00:25", "dateReserved": "2022-06-21T00:00:00", "dateUpdated": "2022-08-21T07:10:21", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "4834B642-5F9E-4B49-946D-C8A5F72AD4EF", "versionEndExcluding": "103.0.5060.134", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "BB176AC3-3CDA-4DDA-9089-C67B2F73AA62", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Use after free in Cast UI and Toolbar in Google Chrome prior to 103.0.5060.134 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via UI interaction."}, {"lang": "es", "value": "Un uso de memoria previamente liberada en Cast UI and Toolbar en Google Chrome versiones anteriores a 103.0.5060.134, permit\u00eda a un atacante que convenciera a un usuario de instalar una extensi\u00f3n maliciosa explotar potencialmente la corrupci\u00f3n de la pila por medio de la interacci\u00f3n con la interfaz de usuario"}], "id": "CVE-2022-2163", "lastModified": "2023-11-07T03:46:15.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-28T02:15:07.367", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop_19.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://crbug.com/1308341"}, {"source": "chrome-cve-admin@google.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5BQRTR4SIUNIHLLPWTGYSDNQK7DYCRSB/"}, {"source": "chrome-cve-admin@google.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H2C4XOJVIILDXTOSMWJXHSQNEXFWSOD7/"}, {"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-25"}, {"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-35"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}