Vulnerability Details : CVE-2013-0927
Google Chrome OS before 26.0.1410.57 relies on a Pango pango-utils.c read_config implementation that loads the contents of the .pangorc file in the user's home directory, and the file referenced by the PANGO_RC_FILE environment variable, which allows attackers to bypass intended access restrictions via crafted configuration data.
Products affected by CVE-2013-0927
- cpe:2.3:o:google:chrome_os:*:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.48:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.47:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.46:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.45:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.31:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.30:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.29:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.28:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.14:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.12:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.11:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.10:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.51:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.49:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.44:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.42:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.40:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.35:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.33:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.26:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.24:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.19:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.17:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.15:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.9:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.7:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.55:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.54:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.39:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.38:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.37:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.36:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.23:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.22:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.21:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.20:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.5:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.4:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.3:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.52:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.50:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.43:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.41:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.34:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.32:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.27:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.25:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.18:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.16:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.8:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.6:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:26.0.1410.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-0927
0.16%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 53 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-0927
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2013-0927
-
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-0927
-
http://googlechromereleases.blogspot.com/2013/04/chrome-os-stable-channel-update.html
Chrome Releases: Chrome OS Stable Channel UpdateVendor Advisory
-
https://code.google.com/p/chromium/issues/detail?id=189250
189250 - Security: pango loads config options from $HOME/.pangorc - chromium - Monorail
-
http://git.chromium.org/gitweb/?p=chromiumos/overlays/chromiumos-overlay.git;a=commit;h=fb5a664def6cd34bf7295489ea73e1d989bdd6d0
chromium Git repositories - Git at GooglePatch
Jump to