CVE-2021-21117

Published: Feb 9, 2021Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Insufficient policy enforcement in Cryptohome in Google Chrome prior to 88.0.4324.96 allowed a local attacker to perform OS-level privilege escalation via a crafted file.

Affected (1)

Products: Google: Chrome

Google

1 product

Chrome

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Google Chrome	Before 88.0.4324.96

Related CWEs

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (4)

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html

Source: chrome-cve-admin@google.com

Release NotesVendor Advisory

https://crbug.com/1137179

Source: chrome-cve-admin@google.com

Permissions RequiredThird Party Advisory

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://crbug.com/1137179

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredThird Party Advisory

Timeline

No history available yet.