CVE-2020-15961

Description

Insufficient policy validation in extensions in Google Chrome prior to 85.0.4183.121 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.

CVSS Metrics

• v3.1•CRITICAL•Score: 9.6CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 1.35%• Percentile: 80%

Affected Systems

• debian•debian_linux

  10.0

• fedoraproject•fedora

  31 | 32 | 33

• google•chrome

  < 85.0.4183.121 | ≥ unspecified, < 85.0.4183.121

• opensuse•backports_sle

  15.0:sp1 | 15.0:sp2

• opensuse•leap

  15.1 | 15.2

References (12)

• https://chromereleases.googleblog.com/2020/09/stable-channel-update-for-desktop_21.html
• https://crbug.com/1114636
• http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00087.html
• http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00095.html
• http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00096.html
• https://security.gentoo.org/glsa/202009-13
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GNIYFJST4TFJYFZ27VODBOINCLBGULTD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FN7HZIGAOCZKBT4LV363BCPRA5FLY25I/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWNBJFBPKYCYSZTS54FHNCRZG6KC2AIJ/
• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00049.html
• https://www.debian.org/security/2021/dsa-4824
• https://security.gentoo.org/glsa/202101-30