CVE-2021-37980
https://notcve.org/view.php?id=CVE-2021-37980
Inappropriate implementation in Sandbox in Google Chrome prior to 94.0.4606.81 allowed a remote attacker to potentially bypass site isolation via Windows. Una implementación inapropiada de Sandbox en Google Chrome versiones anteriores a 94.0.4606.81, permitía a un atacante remoto omitir potencialmente el aislamiento del sitio por medio de Windows • https://github.com/ZeusBox/CVE-2021-37980 https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop.html https://crbug.com/1254631 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNARCF5HEZK7GJXZRN5TQ45AQDCRM2WO https://www.debian.org/security/2022/dsa-5046 •
CVE-2021-37979
https://notcve.org/view.php?id=CVE-2021-37979
heap buffer overflow in WebRTC in Google Chrome prior to 94.0.4606.81 allowed a remote attacker who convinced a user to browse to a malicious website to potentially exploit heap corruption via a crafted HTML page. Un desbordamiento del búfer de la pila en WebRTC en Google Chrome versiones anteriores a 94.0.4606.81, permitía a un atacante remoto que convenciera a un usuario de navegar por un sitio web malicioso explotar potencialmente la corrupción de la pila por medio de una página HTML diseñada • https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop.html https://crbug.com/1247260 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNARCF5HEZK7GJXZRN5TQ45AQDCRM2WO https://www.debian.org/security/2022/dsa-5046 https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1372 • CWE-787: Out-of-bounds Write •
CVE-2021-37978
https://notcve.org/view.php?id=CVE-2021-37978
Heap buffer overflow in Blink in Google Chrome prior to 94.0.4606.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Un desbordamiento del búfer de la pila en Blink en Google Chrome versiones anteriores a 94.0.4606.81, permitía a un atacante remoto explotar potencialmente la corrupción de la pila por medio de una página HTML diseñada • https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop.html https://crbug.com/1236318 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNARCF5HEZK7GJXZRN5TQ45AQDCRM2WO https://www.debian.org/security/2022/dsa-5046 • CWE-787: Out-of-bounds Write •
CVE-2021-37977
https://notcve.org/view.php?id=CVE-2021-37977
Use after free in Garbage Collection in Google Chrome prior to 94.0.4606.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Un uso de memoria previamente liberada en Garbage Collection en Google Chrome versiones anteriores a 94.0.4606.81, permitía a un atacante remoto explotar potencialmente la corrupción de la pila por medio de una página HTML diseñada • https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop.html https://crbug.com/1252878 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNARCF5HEZK7GJXZRN5TQ45AQDCRM2WO https://www.debian.org/security/2022/dsa-5046 • CWE-416: Use After Free •
CVE-2021-42574 – environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks
https://notcve.org/view.php?id=CVE-2021-42574
An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). • https://github.com/simplylu/CVE-2021-42574 https://github.com/waseeld/CVE-2021-42574 https://github.com/shiomiyan/CVE-2021-42574 http://www.openwall.com/lists/oss-security/2021/11/01/1 http://www.openwall.com/lists/oss-security/2021/11/01/4 http://www.openwall.com/lists/oss-security/2021/11/01/5 http://www.openwall.com/lists/oss-security/2021/11/01/6 http://www.openwall.com/lists/oss-security/2021/11/02/10 http://www.unicode.org/versions/Unicod • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-838: Inappropriate Encoding for Output Context •