apk package
chainguard/chromium-lang
pkg:apk/chainguard/chromium-lang
Vulnerabilities (215)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-2176 | — | < 122.0.6261.128-r0 | 122.0.6261.128-r0 | Mar 6, 2024 | Use after free in FedCM in Google Chrome prior to 122.0.6261.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||
| CVE-2024-2174 | — | < 122.0.6261.128-r0 | 122.0.6261.128-r0 | Mar 6, 2024 | Inappropriate implementation in V8 in Google Chrome prior to 122.0.6261.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||
| CVE-2024-2173 | — | < 122.0.6261.128-r0 | 122.0.6261.128-r0 | Mar 6, 2024 | Out of bounds memory access in V8 in Google Chrome prior to 122.0.6261.111 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | ||
| CVE-2018-10229 | — | < 0 | 0 | May 4, 2018 | A hardware vulnerability in GPU memory modules allows attackers to accelerate micro-architectural attacks through the use of the JavaScript WebGL API. | ||
| CVE-2013-6662 | — | < 0 | 0 | Apr 13, 2017 | Google Chrome caches TLS sessions before certificate validation occurs. | ||
| CVE-2013-6647 | Cri | 9.8 | < 0 | 0 | Apr 11, 2017 | A use-after-free in AnimationController::endAnimationUpdate in Google Chrome. | |
| CVE-2016-7153 | Med | 5.3 | < 0 | 0 | Sep 6, 2016 | The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "H | |
| CVE-2016-7152 | Med | 5.3 | < 0 | 0 | Sep 6, 2016 | The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HE | |
| CVE-2015-4000 | Low | 3.7 | < 0 | 0 | May 21, 2015 | The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by D | |
| CVE-2012-4930 | — | < 0 | 0 | Sep 15, 2012 | The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers | ||
| CVE-2012-4929 | — | < 0 | 0 | Sep 15, 2012 | The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing | ||
| CVE-2011-3389 | — | < 0 | 0 | Sep 6, 2011 | The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to ob | ||
| CVE-2010-1731 | — | < 0 | 0 | May 6, 2010 | Google Chrome on the HTC Hero allows remote attackers to cause a denial of service (application crash) via JavaScript that writes sequences in an infinite loop. | ||
| CVE-2009-1598 | — | < 0 | 0 | May 11, 2009 | Google Chrome executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document objec | ||
| CVE-2008-5915 | — | < 0 | 0 | Jan 20, 2009 | An unspecified function in the JavaScript implementation in Google Chrome creates and exposes a "temporary footprint" when there is a current login to a web site, which makes it easier for remote attackers to trick a user into acting upon a spoofed pop-up message, aka an "in-sess |
- CVE-2024-2176Mar 6, 2024affected < 122.0.6261.128-r0fixed 122.0.6261.128-r0
Use after free in FedCM in Google Chrome prior to 122.0.6261.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CVE-2024-2174Mar 6, 2024affected < 122.0.6261.128-r0fixed 122.0.6261.128-r0
Inappropriate implementation in V8 in Google Chrome prior to 122.0.6261.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CVE-2024-2173Mar 6, 2024affected < 122.0.6261.128-r0fixed 122.0.6261.128-r0
Out of bounds memory access in V8 in Google Chrome prior to 122.0.6261.111 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
- CVE-2018-10229May 4, 2018affected < 0fixed 0
A hardware vulnerability in GPU memory modules allows attackers to accelerate micro-architectural attacks through the use of the JavaScript WebGL API.
- CVE-2013-6662Apr 13, 2017affected < 0fixed 0
Google Chrome caches TLS sessions before certificate validation occurs.
- affected < 0fixed 0
A use-after-free in AnimationController::endAnimationUpdate in Google Chrome.
- affected < 0fixed 0
The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "H
- affected < 0fixed 0
The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HE
- affected < 0fixed 0
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by D
- CVE-2012-4930Sep 15, 2012affected < 0fixed 0
The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers
- CVE-2012-4929Sep 15, 2012affected < 0fixed 0
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing
- CVE-2011-3389Sep 6, 2011affected < 0fixed 0
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to ob
- CVE-2010-1731May 6, 2010affected < 0fixed 0
Google Chrome on the HTC Hero allows remote attackers to cause a denial of service (application crash) via JavaScript that writes sequences in an infinite loop.
- CVE-2009-1598May 11, 2009affected < 0fixed 0
Google Chrome executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document objec
- CVE-2008-5915Jan 20, 2009affected < 0fixed 0
An unspecified function in the JavaScript implementation in Google Chrome creates and exposes a "temporary footprint" when there is a current login to a web site, which makes it easier for remote attackers to trick a user into acting upon a spoofed pop-up message, aka an "in-sess
Page 11 of 11