CVE-2024-9959 - Vulnerability Details - OpenCVE

Use after free in DevTools in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00295.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Google Subscribe	Chrome Subscribe

Configuration 1 [-]

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
Debian DSA	DSA-5793-1	chromium security update

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
https://issues.chromium.org/issues/368672129

History

Wed, 16 Oct 2024 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
CPEs		cpe:2.3:a:google:chrome::::::::
Vendors & Products		Google Google chrome
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 15 Oct 2024 20:30:00 +0000

Type	Values Removed	Values Added
Description		Use after free in DevTools in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)
Weaknesses		CWE-416
References		https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html https://issues.chromium.org/issues/368672129

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2024-10-15T20:14:55.331Z

Updated: 2024-10-16T19:58:21.281Z

Reserved: 2024-10-14T21:14:19.101Z

Link: CVE-2024-9959

Vulnrichment

Updated: 2024-10-16T19:58:14.674Z

NVD

Status : Analyzed

Published: 2024-10-15T21:15:12.447

Modified: 2025-01-02T16:02:49.813

Link: CVE-2024-9959

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-416

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9959", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2024-10-14T21:14:19.101Z", "datePublished": "2024-10-15T20:14:55.331Z", "dateUpdated": "2024-10-16T19:58:21.281Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "130.0.6723.58", "status": "affected", "lessThan": "130.0.6723.58", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in DevTools in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use after free", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2024-10-15T20:14:55.331Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html"}, {"url": "https://issues.chromium.org/issues/368672129"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "CWE-416 Use After Free"}]}], "affected": [{"vendor": "google", "product": "chrome", "cpes": ["cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "130.0.6723.58", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-16T19:57:36.414576Z", "id": "CVE-2024-9959", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-16T19:58:21.281Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-9959", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-16T19:57:36.414576Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"], "vendor": "google", "product": "chrome", "versions": [{"status": "affected", "version": "0", "lessThan": "130.0.6723.58", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-16T19:58:14.674Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "130.0.6723.58", "lessThan": "130.0.6723.58", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html"}, {"url": "https://issues.chromium.org/issues/368672129"}], "descriptions": [{"lang": "en", "value": "Use after free in DevTools in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-416", "description": "Use after free"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2024-10-15T20:14:55.331Z"}}}, "cveMetadata": {"cveId": "CVE-2024-9959", "state": "PUBLISHED", "dateUpdated": "2024-10-16T19:58:21.281Z", "dateReserved": "2024-10-14T21:14:19.101Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2024-10-15T20:14:55.331Z", "assignerShortName": "Chrome"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E3A8A85-0DF9-4A79-B094-9E59C092581C", "versionEndExcluding": "130.0.6723.58", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in DevTools in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)"}, {"lang": "es", "value": "El use-after-free en DevTools en Google Chrome anterior a la versi\u00f3n 130.0.6723.58 permiti\u00f3 que un atacante remoto que hab\u00eda comprometido el proceso de renderizaci\u00f3n potencialmente explotara la corrupci\u00f3n del mont\u00f3n a trav\u00e9s de una extensi\u00f3n de Chrome manipulada. (Gravedad de seguridad de Chromium: media)"}], "id": "CVE-2024-9959", "lastModified": "2025-01-02T16:02:49.813", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-10-15T21:15:12.447", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes"], "url": "https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Permissions Required"], "url": "https://issues.chromium.org/issues/368672129"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "chrome-cve-admin@google.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}