CVE-2021-38000

Warning

Exploit

EPSS 3.43%
Published 23.11.2021 22:15:07
Last modified 12.03.2025 21:01:06
Source chrome-cve-admin@google.com
Teams watchlist Login
Open Login

Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browser to a malicious URL via a crafted HTML page.

Affected products Warnungen 1 Metrics 4 CWE 2 References 7

Data is provided by the National Vulnerability Database (NVD)

Google ≫ Chrome Version < 95.0.4638.69

Google ≫ Android Version-

Fedoraproject ≫ Fedora Version34

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Google Chromium Intents Improper Input Validation Vulnerability

Vulnerability

Google Chromium Intents contains an improper input validation vulnerability that allows a remote attacker to arbitrarily browser to a malicious URL via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	3.43%	0.87

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

https://www.debian.org/security/2022/dsa-5046

Third Party Advisory

Mailing List

https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html

Release Notes

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744/

Release Notes

https://crbug.com/1249962

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2021-38000

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-38000

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-38000

EUVD