CVE-2018-16081

HIGH

Google Chrome < 69.0.3497.81 - Unauthenticated Local File Access via chrome.debugger API

Title source: llm

Description

Allowing the chrome.debugger API to run on file:// URLs in DevTools in Google Chrome prior to 69.0.3497.81 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system without file access permission via a crafted Chrome Extension.

References (5)

Core 5

Core References

Issue Tracking x_refsource_misc

https://crbug.com/666299

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/105215

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:2666

Release Notes, Vendor Advisory x_refsource_confirm

https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop.html

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201811-10

Scores

CVSS v3 7.4

EPSS 0.0021

EPSS Percentile 42.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Details

CWE

CWE-862

Status published

Products (4)

google/chrome < 69.0.3497.81

redhat/enterprise_linux_desktop 6.0

redhat/enterprise_linux_server 6.0

redhat/enterprise_linux_workstation 6.0

Published Jan 09, 2019

Tracked Since Feb 18, 2026