Vulnerability Details : CVE-2022-2856

Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104.0.5112.101 allowed a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.

Vulnerability category: Input validation

Published 2022-09-26 16:15:11

Updated 2022-10-27 19:01:15

Source Chrome

View at NVD, CVE.org

CVE-2022-2856 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Google Chrome Intents Insufficient Input Validation Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

Google Chrome Intents allows for insufficient validation of untrusted input, causing unknown impacts. CISA will update this description if more information becomes available.

Notes:

https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html

Added on 2022-08-18 Action due date 2022-09-08

Exploit prediction scoring system (EPSS) score for CVE-2022-2856

Probability of exploitation activity in the next 30 days: 0.17%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 54 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-2856

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	2.8	3.6	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2022-2856

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: [email protected] (Primary)

References for CVE-2022-2856

https://crbug.com/1345630

Permissions Required;Vendor Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE/

Mailing List;Third Party Advisory

CVEs referencing this url
https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html

Patch;Release Notes;Vendor Advisory

CVEs referencing this url

Products affected by CVE-2022-2856

Google » Chrome
Versions before (<) 104.0.5112.101
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Matching versions
When used together with: Google » Android » Version: N/A
Fedoraproject » Fedora » Version: 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Matching versions