CVE-2019-13738

Insufficient policy enforcement in navigation in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass site isolation via a crafted HTML page.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name	Vendor	Start Version	End Version
Chrome	Google	*	79.0.3945.79 (excluding)
Red Hat Enterprise Linux 6 Supplementary	RedHat	chromium-browser-0:79.0.3945.79-1.el6_10	*
Chromium-browser	Ubuntu	bionic	*
Chromium-browser	Ubuntu	devel	*
Chromium-browser	Ubuntu	disco	*
Chromium-browser	Ubuntu	eoan	*
Chromium-browser	Ubuntu	trusty	*
Chromium-browser	Ubuntu	upstream	*
Chromium-browser	Ubuntu	xenial	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/122.html
https://cwe.mitre.org/data/definitions/233.html
https://cwe.mitre.org/data/definitions/58.html

References

http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html
https://access.redhat.com/errata/RHSA-2019:4238
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html
https://crbug.com/1017441
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/
https://seclists.org/bugtraq/2020/Jan/27
https://security.gentoo.org/glsa/202003-08
https://www.debian.org/security/2020/dsa-4606

NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-13738
CWE	https://cwe.mitre.org/data/definitions/269.html

Improper Privilege Management

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References