PAN-SA-2024-0016 Chromium: Monthly Vulnerability Updates
Description
Palo Alto Networks incorporated the following Chromium security fixes into its products:
* https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
* https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_22.html
* https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_29.html
* https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop.html
CVE | CVSS | Summary |
---|---|---|
CVE-2024-10229 | 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) | Inappropriate implementation in Extensions |
CVE-2024-10230 | 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) | Type Confusion in V8 |
CVE-2024-10231 | 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) | Type Confusion in V8 |
CVE-2024-10487 | | Out of bounds write in Dawn |
CVE-2024-10488 | | Use after free in WebRTC |
CVE-2024-9954 | 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) | Use after free in AI |
CVE-2024-9955 | | Use after free in WebAuthentication |
CVE-2024-9956 | | Inappropriate implementation in WebAuthentication |
CVE-2024-9957 | | Use after free in UI |
CVE-2024-9958 | 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) | Inappropriate implementation in PictureInPicture |
CVE-2024-9959 | | Use after free in DevTools |
CVE-2024-9960 | | Use after free in Dawn |
CVE-2024-9961 | | Use after free in ParcelTracking |
CVE-2024-9962 | 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) | Inappropriate implementation in Permissions |
CVE-2024-9963 | 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) | Insufficient data validation in Downloads |
CVE-2024-9964 | 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) | Inappropriate implementation in Payments |
CVE-2024-9965 | 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) | Insufficient data validation in DevTools |
CVE-2024-9966 | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) | Inappropriate implementation in Navigations |
CVE-2024-10826 | | Use after free in Family Experiences |
CVE-2024-10827 | | Use after free in Serial |
Product Status
Versions | Affected | Unaffected |
---|---|---|
Prisma Access Browser | < 130.59.2920.7 | >= 130.117.2920.13 |
Severity: HIGH, Suggested Urgency: MODERATE
CVSS-B: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Solution
CVE-2024-9954, CVE-2024-9955, CVE-2024-9956, CVE-2024-9957, CVE-2024-9958, CVE-2024-9959, CVE-2024-9960, CVE-2024-9961, CVE-2024-9962, CVE-2024-9963, CVE-2024-9964, CVE-2024-9965, and CVE-2024-9966 are fixed in Prisma Access Browser 130.59.2920.7, and all later Prisma Access Browser versions.
CVE-2024-10229, CVE-2024-10230, and CVE-2024-10231 are fixed in Prisma Access Browser 130.70.2920.8, and all later Prisma Access Browser versions.
CVE-2024-10487 and CVE-2024-10488 are fixed in Prisma Access Browser 130.92.2920.10, and all later Prisma Access Browser versions.
CVE-2024-10826 and CVE-2024-10827 are fixed in Prisma Access Browser 130.117.2920.13, and all later Prisma Access Browser versions.