{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-100.pdf"
    },
    "title": "High Severity Vulnerability in Google Chrome",
    "serial_number": "2023-100",
    "publish_date": "22-12-2023 10:35:10",
    "description": "On December 20, 2023, Google released an advisory regarding a new high severity vulnerability in its web browser. Google is aware that an exploit for this vulnerability exists in the wild.<br>\nIt is recommended to update as soon as possible.<br>\n",
    "url_title": "2023-100",
    "content_markdown": "---\ntitle: 'High Severity Vulnerability in\u00a0Google\u00a0Chrome'\nnumber: '2023-100'\nversion: '1.1'\noriginal_date: 'December 20, 2023'\ndate: 'December 22, 2023'\n---\n\n_History:_\n\n* _21/12/2023 --- v1.0 -- Initial publication_\n* _22/12/2023 --- v1.1 -- Add affected products_\n\n# Summary\n\nOn December 20, 2023, Google released an advisory regarding a new high severity vulnerability in its web browser [1]. Google is aware that an exploit for this vulnerability exists in the wild.\n\nIt is recommended to update as soon as possible.\n\n# Technical Details\n\nThe vulnerability `CVE-2023-7024` is caused by a heap buffer overflow in the WebRTC component. The flaw was reported by Cl\u00e9ment Lecigne and Vlad Stolyarov of Google\u2019s Threat Analysis Group on 2023-12-19 and fixed in just one day. The fact that the issue was discovered by Google TAG suggests it was exploited by a nation-state actor or by a surveillance firm [2]. Google has not shared further details about the vulnerability, stating that:\n\n>Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed.\n\n# Affected Products\n\nThis vulnerability affects Google Chrome versions below 120.0.6099.129 for Mac and Linux, and versions below 120.0.6099.129/130 for Windows.\n\n**[UPDATE]** This vulnerability also affects Chromium-based web browsers such as Microsoft Edge [3], Brave, Opera, and Vivaldi.\n\n# Recommendations\n\nIt is recommended to update as soon as possible.\n\n# References\n\n[1] <https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.html>\n\n[2] <https://securityaffairs.com/156231/security/google-addressed-a-new-actively-exploited-chrome-zero-day.html>\n\n[3] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-7024>",
    "content_html": "<p><em>History:</em></p><ul><li><em>21/12/2023 --- v1.0 -- Initial publication</em></li><li><em>22/12/2023 --- v1.1 -- Add affected products</em></li></ul><h2 id=\"summary\">Summary</h2><p>On December 20, 2023, Google released an advisory regarding a new high severity vulnerability in its web browser [1]. Google is aware that an exploit for this vulnerability exists in the wild.</p><p>It is recommended to update as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <code>CVE-2023-7024</code> is caused by a heap buffer overflow in the WebRTC component. The flaw was reported by Cl\u00e9ment Lecigne and Vlad Stolyarov of Google\u2019s Threat Analysis Group on 2023-12-19 and fixed in just one day. The fact that the issue was discovered by Google TAG suggests it was exploited by a nation-state actor or by a surveillance firm [2]. Google has not shared further details about the vulnerability, stating that:</p><blockquote><p>Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed.</p></blockquote><h2 id=\"affected-products\">Affected Products</h2><p>This vulnerability affects Google Chrome versions below 120.0.6099.129 for Mac and Linux, and versions below 120.0.6099.129/130 for Windows.</p><p><strong>[UPDATE]</strong> This vulnerability also affects Chromium-based web browsers such as Microsoft Edge [3], Brave, Opera, and Vivaldi.</p><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to update as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.html\">https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://securityaffairs.com/156231/security/google-addressed-a-new-actively-exploited-chrome-zero-day.html\">https://securityaffairs.com/156231/security/google-addressed-a-new-actively-exploited-chrome-zero-day.html</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-7024\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-7024</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}