CVE-2024-7023

Improper Input Validation (CWE-20)

Published: Sep 23, 2024 / Updated: 57d ago

010
CVSS 8EPSS 0.04%High
CVE info copied to clipboard

Insufficient data validation in Updater in Google Chrome prior to 128.0.6537.0 allowed a remote attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-7023

Sep 23, 2024 at 11:15 PM
First Article

Feedly found the first article mentioning CVE-2024-7023. See article

Sep 23, 2024 at 11:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 23, 2024 at 11:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.6%)

Sep 24, 2024 at 9:33 AM
CVSS

A CVSS base score of 8 has been assigned.

Sep 25, 2024 at 1:41 AM / nvd
Static CVE Timeline Graph

Affected Systems

Google/chrome
+null more

Links to Mitre Att&cks

T1562.003: Impair Command History Logging
+null more

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables
+null more

News

AppSec Ezine #555
URL: https://github.com/m8sec/nullinux Description: Tool for Linux to enumerate OS information through SMB. URL: https://github.com/madneal/gshark Description: OSINT tool to scan for sensitive information easily and effectively.
Another cool blog post by @ sploutchy (Compass Security) "COM Cross-Session Activation" Quick read, and straight to the point. This article provides a real-life example (Google Updater service here) showing one way to exploit a COM class for local privilege escalation on Windows. 👌 👉 https:// blog.compass-security.com/2024 /10/com-cross-session-activation/ # windows # vulnerability # privesc # cve # CVE_2024_7023
COM Cross-Session Activation
If the application identity is set to “The interactive user”, one can use a so-called “session moniker” to activate a COM class in any interactive session on the machine. Launch and Activation permissions : set who can instantiate and interact with COM class objects
COM Cross-Session Activation
If the application identity is set to “The interactive user”, one can use a so-called “session moniker” to activate a COM class in any interactive session on the machine. Launch and Activation permissions : set who can instantiate and interact with COM class objects
COM Cross-Session Activation
If the application identity is set to “The interactive user”, one can use a so-called “session moniker” to activate a COM class in any interactive session on the machine. Launch and Activation permissions : set who can instantiate and interact with COM class objects
See 12 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI