CVE-2017-15403 - OpenCVE

Insufficient data validation in crosh could lead to a command injection under chronos privileges in Networking in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to execute arbitrary code via a crafted HTML page.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Google	Chrome Chrome Os

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

cpe:2.3:o:google:chrome_os:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://chromereleases.googleblog.com/2017/10/stable-channel-updates-for-chrome-os.html
https://crbug.com/766271

History

No history.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2019-01-09T19:00:00

Updated: 2024-08-05T19:57:25.836Z

Reserved: 2017-10-17T00:00:00

Link: CVE-2017-15403

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-01-09T19:29:00.540

Modified: 2023-11-07T02:39:41.490

Link: CVE-2017-15403

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Chrome", "vendor": "Google", "versions": [{"lessThan": "61.0.3163.113", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2019-01-09T00:00:00", "descriptions": [{"lang": "en", "value": "Insufficient data validation in crosh could lead to a command injection under chronos privileges in Networking in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to execute arbitrary code via a crafted HTML page."}], "problemTypes": [{"descriptions": [{"description": "Script injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-09T18:57:01", "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://crbug.com/766271"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://chromereleases.googleblog.com/2017/10/stable-channel-updates-for-chrome-os.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "ID": "CVE-2017-15403", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Chrome", "version": {"version_data": [{"version_affected": "<", "version_value": "61.0.3163.113"}]}}]}, "vendor_name": "Google"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Insufficient data validation in crosh could lead to a command injection under chronos privileges in Networking in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to execute arbitrary code via a crafted HTML page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Script injection"}]}]}, "references": {"reference_data": [{"name": "https://crbug.com/766271", "refsource": "MISC", "url": "https://crbug.com/766271"}, {"name": "https://chromereleases.googleblog.com/2017/10/stable-channel-updates-for-chrome-os.html", "refsource": "CONFIRM", "url": "https://chromereleases.googleblog.com/2017/10/stable-channel-updates-for-chrome-os.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:57:25.836Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://crbug.com/766271"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://chromereleases.googleblog.com/2017/10/stable-channel-updates-for-chrome-os.html"}]}]}, "cveMetadata": {"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "assignerShortName": "Chrome", "cveId": "CVE-2017-15403", "datePublished": "2019-01-09T19:00:00", "dateReserved": "2017-10-17T00:00:00", "dateUpdated": "2024-08-05T19:57:25.836Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "A79C7C71-F89D-47B6-B58D-570FA10A5359", "versionEndExcluding": "61.0.3163.113", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:chrome_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "5ACCACAF-7BD6-4C0A-8E6A-67E13D5E341D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient data validation in crosh could lead to a command injection under chronos privileges in Networking in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to execute arbitrary code via a crafted HTML page."}, {"lang": "es", "value": "Validaci\u00f3n insuficiente de datos en crosh podr\u00eda conducir a una inyecci\u00f3n de comandos con privilegios de chronos en Networking en Google Chrome, en Chrome OS en versiones anteriores a la 61.0.3163.113, lo que permit\u00eda que un atacante local ejecute c\u00f3digo arbitrario mediante una p\u00e1gina HTML manipulada."}], "id": "CVE-2017-15403", "lastModified": "2023-11-07T02:39:41.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-01-09T19:29:00.540", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2017/10/stable-channel-updates-for-chrome-os.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://crbug.com/766271"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}