{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-093.pdf"
    },
    "title": "High Vulnerabilities in Google Chrome",
    "serial_number": "2023-093",
    "publish_date": "29-11-2023 17:08:09",
    "description": "On November 28, Google has released an emergency security update to address six high vulnerabilities found in Chrome. Google is aware that an exploit exists for one of the vulnerabilities, tracked as \"CVE-2023-6345\".<br>\n",
    "url_title": "2023-093",
    "content_markdown": "--- \ntitle: 'High Vulnerabilities in Google Chrome' \nversion: '1.0'\nnumber: '2023-093'\noriginal_date: 'November 28, 2023'\ndate: 'November 29, 2023'\n---\n\n_History:_\n\n* _29/11/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn November 28, Google has released an emergency security update to address six high vulnerabilities found in Chrome. Google is aware that an exploit exists for one of the vulnerabilities, tracked as `CVE-2023-6345` [1].\n\n# Technical Details\n\nThe high-severity zero-day vulnerability `CVE-2023-6345` is caused by an integer overflow weakness within the Skia open-source 2D graphics library, posing risks ranging from crashes to the execution of arbitrary code (Skia is also used as a graphics engine by other products like ChromeOS, Android, and Flutter) [2].\n\nThe other vulnerabilities are:\n\n- CVE-2023-6348: Type Confusion in `Spellcheck`.\n- CVE-2023-6347: Use after free in `Mojo`.\n- CVE-2023-6346: Use after free in `WebAudio`.\n- CVE-2023-6350: Out of bounds memory access in `libavif`.\n- CVE-2023-6351: Use after free in `libavif`.\n\n# Affected Products\n\nGoogle Chrome version prior to 119.0.6045.199 for Mac and Linux and prior to 119.0.6045.199/.200 for Windows are affected by these vulnerabilities. Other Chromium related projects depending on the `Skia` library might also be affected.\n\n# Recommendations\n\nUpdate the affected products to the latest versions available as soon as possible to mitigate the vulnerabilities. \n\n# References\n\n[1] <https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html>\n\n[2] <https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-6th-zero-day-exploited-in-2023/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>29/11/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On November 28, Google has released an emergency security update to address six high vulnerabilities found in Chrome. Google is aware that an exploit exists for one of the vulnerabilities, tracked as <code>CVE-2023-6345</code> [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>The high-severity zero-day vulnerability <code>CVE-2023-6345</code> is caused by an integer overflow weakness within the Skia open-source 2D graphics library, posing risks ranging from crashes to the execution of arbitrary code (Skia is also used as a graphics engine by other products like ChromeOS, Android, and Flutter) [2].</p><p>The other vulnerabilities are:</p><ul><li>CVE-2023-6348: Type Confusion in <code>Spellcheck</code>.</li><li>CVE-2023-6347: Use after free in <code>Mojo</code>.</li><li>CVE-2023-6346: Use after free in <code>WebAudio</code>.</li><li>CVE-2023-6350: Out of bounds memory access in <code>libavif</code>.</li><li>CVE-2023-6351: Use after free in <code>libavif</code>.</li></ul><h2 id=\"affected-products\">Affected Products</h2><p>Google Chrome version prior to 119.0.6045.199 for Mac and Linux and prior to 119.0.6045.199/.200 for Windows are affected by these vulnerabilities. Other Chromium related projects depending on the <code>Skia</code> library might also be affected.</p><h2 id=\"recommendations\">Recommendations</h2><p>Update the affected products to the latest versions available as soon as possible to mitigate the vulnerabilities. </p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html\">https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-6th-zero-day-exploited-in-2023/\">https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-6th-zero-day-exploited-in-2023/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}