CVE-2021-38003

Name of the Vulnerable Software and Affected Versions Chromium versions prior to 97.0.4692.71-0.1~deb11u1 qtwebengine5 version 5.15.8 ungoogled-chromium version 113.0.5672.92-1.1 chromedriver version 95.0.4638.69-1.1 nodejs-electron version 13.6.2-1.1 Chromium-gost versions 96.0.4664.45-alt2.c9.1 and 96.0.4664.45-alt2.p9.1 and 96.0.4664.45-alt2.p10.1 Chromium versions prior to 95.0.4638.69 MosOS (affected versions not specified) OpenSUSE (affected versions not specified)

Description Multiple security issues were discovered in Chromium, potentially leading to arbitrary code execution, denial of service, or information disclosure. A heap corruption issue in the V8 JavaScript and WebAssembly engine, present in versions prior to 95.0.4638.69, could be exploited through a crafted HTML page. In some instances, malicious mods were distributed for the game Dota 2 via the Steam store, containing backdoors and exploiting the Chrome vulnerability CVE-2021-38003. These mods included Overdog no annoying heroes, Custom Hero Brawl, and Overthrow RTZ Edition X10 XP. The malicious code within these mods could be used for logging, executing system commands, creating coroutines, and sending HTTP GET requests. Security support for Chromium has been discontinued for the 'buster' distribution due to toolchain limitations. The evil.lua file was used to test server-side Lua execution capabilities.

Recommendations Upgrade Chromium to version 97.0.4692.71-0.1~deb11u1. Upgrade qtwebengine5 to version 5.15.8. Upgrade ungoogled-chromium to version 113.0.5672.92-1.1. Upgrade chromedriver to version 95.0.4638.69-1.1. Upgrade nodejs-electron to version 13.6.2-1.1. Upgrade chromium-gost to versions 96.0.4664.45-alt2.p10.1. Upgrade Chromium to a version later than 95.0.4638.69. At the moment, there is no information about a newer version that contains a fix for this vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.