CVE-2021-30605 - OpenCVE

Inappropriate implementation in the ChromeOS Readiness Tool installer on Windows prior to 1.0.2.0 loosens DCOM access rights on two objects allowing an attacker to potentially bypass discretionary access controls.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Google	Chrome Os Readiness Tool
Microsoft	Windows 10 Windows 7 Windows 8.1

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome_os_readiness_tool:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:microsoft:windows_10:-:::::::*
	cpe:2.3:o:microsoft:windows_7:-:::::::*
	cpe:2.3:o:microsoft:windows_8.1:-:::::::*

No data.

References

Link	Providers
https://bit.ly/37CS6G9
https://crbug.com/1240952

History

No history.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2021-09-08T20:35:16

Updated: 2024-08-03T22:40:30.920Z

Reserved: 2021-04-13T00:00:00

Link: CVE-2021-30605

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-09-08T21:15:10.243

Modified: 2021-09-15T15:58:32.900

Link: CVE-2021-30605

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Chrome", "vendor": "Google", "versions": [{"lessThan": "1.0.2.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in the ChromeOS Readiness Tool installer on Windows prior to 1.0.2.0 loosens DCOM access rights on two objects allowing an attacker to potentially bypass discretionary access controls."}], "problemTypes": [{"descriptions": [{"description": "Inappropriate implementation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-08T20:35:16", "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://crbug.com/1240952"}, {"tags": ["x_refsource_MISC"], "url": "https://bit.ly/37CS6G9"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "chrome-cve-admin@google.com", "ID": "CVE-2021-30605", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Chrome", "version": {"version_data": [{"version_affected": "<", "version_value": "1.0.2.0"}]}}]}, "vendor_name": "Google"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Inappropriate implementation in the ChromeOS Readiness Tool installer on Windows prior to 1.0.2.0 loosens DCOM access rights on two objects allowing an attacker to potentially bypass discretionary access controls."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Inappropriate implementation"}]}]}, "references": {"reference_data": [{"name": "https://crbug.com/1240952", "refsource": "MISC", "url": "https://crbug.com/1240952"}, {"name": "https://bit.ly/37CS6G9", "refsource": "MISC", "url": "https://bit.ly/37CS6G9"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:40:30.920Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://crbug.com/1240952"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bit.ly/37CS6G9"}]}]}, "cveMetadata": {"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "assignerShortName": "Chrome", "cveId": "CVE-2021-30605", "datePublished": "2021-09-08T20:35:16", "dateReserved": "2021-04-13T00:00:00", "dateUpdated": "2024-08-03T22:40:30.920Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome_os_readiness_tool:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D31D89F-32B2-475E-A7F7-63ACD9AB83B3", "versionEndExcluding": "1.0.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "matchCriteriaId": "21540673-614A-4D40-8BD7-3F07723803B0", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*", "matchCriteriaId": "E33796DB-4523-4F04-B564-ADF030553D51", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "matchCriteriaId": "E93068DB-549B-45AB-8E5C-00EB5D8B5CF8", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in the ChromeOS Readiness Tool installer on Windows prior to 1.0.2.0 loosens DCOM access rights on two objects allowing an attacker to potentially bypass discretionary access controls."}, {"lang": "es", "value": "Una implementaci\u00f3n inapropiada en el instalador de ChromeOS Readiness Tool en Windows versiones anteriores a 1.0.2.0, afloja los derechos de acceso de DCOM en dos objetos, permitiendo a un atacante omitir potencialmente los controles de acceso discrecionales"}], "id": "CVE-2021-30605", "lastModified": "2021-09-15T15:58:32.900", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-08T21:15:10.243", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://bit.ly/37CS6G9"}, {"source": "chrome-cve-admin@google.com", "tags": ["Permissions Required"], "url": "https://crbug.com/1240952"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}