PT-2024-1087 · Google+3 · Google Chrome+3

Malcolm Stagg +1 · Published 2024-01-09 · Updated 2024-11-29 · CVE-2024-0333

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Google Chrome versions prior to 120.0.6099.216

Description

Insufficient data validation in Extensions in Google Chrome allowed an attacker in a privileged network position to install a malicious extension via a crafted HTML page. The issue is related to the CRX3 File Signature Verification Bypass via Embedded ZIP64 Payload. This could have enabled attackers to sneak in malicious extensions.

Recommendations

For versions prior to 120.0.6099.216, update to version 120.0.6099.216 or later to resolve the issue. As a temporary workaround, consider restricting the installation of extensions from untrusted sources until the update is applied.

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

ALT-PU-2024-10294
ALT-PU-2024-14286
ALT-PU-2024-14830
ALT-PU-2024-2062
ALT-PU-2024-3216
ALT-PU-2024-4232
ALT-PU-2024-4260
ALT-PU-2024-4381
ALT-PU-2024-6148
BDU:2024-00348
CVE-2024-0333
DSA-5598-1
MGASA-2024-0011
OPENSUSE-SU-2024:0020-1
OPENSUSE-SU-2024:13583-1
OPENSUSE-SU-2024:13585-1
OPENSUSE-SU-2024:14001-1

Affected Products

Alt Linux
Astra Linux
Google Chrome
Red Os