CVE-2023-26156

Name of the Vulnerable Software and Affected Versions chromedriver versions prior to 119.0.1

Description The issue arises from a Command Injection vulnerability when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system. An attacker must have access to the system running the vulnerable chromedriver library to exploit it, and the success of exploitation depends on the permissions and privileges of the process running chromedriver. The vulnerability may allow a remote attacker to impact the confidentiality, integrity, and availability of protected information.

Recommendations For versions prior to 119.0.1, update to version 119.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the chromedriver.path setting to minimize the risk of exploitation. Additionally, ensure that the process running chromedriver has limited permissions and privileges to reduce the potential impact of exploitation.