CVE-2021-38000
Published: 23 November 2021
Summary
CVE-2021-38000 is a medium-severity Open Redirect (CWE-601) vulnerability in Google Chrome on Android, shipped downstream in the Chromium packages of Debian and Fedora. Its CVSS 3.1 base score is 6.1 (Medium).
Operationally, this CVE ranks in the top 11.1% of CVEs by exploit likelihood (the page's own ranking); CISA has added it to the Known Exploited Vulnerabilities catalog (03 November 2021); a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2021-38000 stems from insufficient validation of untrusted input in Intents in Google Chrome on Android prior to version 95.0.4638.69. It is tracked under CWE-601 and CWE-20 and carries a CVSS 3.1 score of 6.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N): network attack vector, low complexity, no privileges required, user interaction required, and changed scope with limited confidentiality and integrity impact.
A remote attacker exploits the flaw by luring the victim into rendering a crafted HTML page, which causes Chrome to navigate to an attacker-chosen URL. No privileges beyond the user opening the page are needed, so the flaw is a redirection and lure primitive for phishing or payload delivery rather than a direct code-execution bug.
Chrome release notes and distribution advisories state that the issue is resolved in Chrome 95.0.4638.69 and later; Fedora and Debian issued corresponding Chromium package updates carrying the patched version. The referenced distribution advisories themselves do not describe observed exploitation, but the CISA KEV listing (added 03 November 2021) means exploitation in the wild had been observed, so the update should be treated as urgent rather than as a routine medium-severity fix.
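Because the fix is a version boundary, the practical check for a defender is "which Android Chrome clients hitting my services are still below 95.0.4638.69?". The following is an added example, not code from Google, Debian, Fedora or this advisory: it parses Chrome-for-Android User-Agent strings out of web-server log lines and flags builds below the fixed version. The log lines and IP addresses are constructed for illustration; the User-Agent layout follows Chrome's public convention. Other Chromium-based Android browsers (Edge, Samsung Internet, WebViews) also carry a `Chrome/` token and will be reported too, which is usually what you want, but their vendor patch schedules may differ from Google's.

```python
"""Flag Chrome-on-Android clients below the fixed build for CVE-2021-38000.

Added example, not from the advisory or the Chromium project. Sample log
lines, hostnames and IP addresses below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# First Chrome for Android build carrying the fix, per the advisory text.
FIXED_VERSION: Version = (95, 0, 4638, 69)

# Chrome for Android UA: "(Linux; Android <ver>; <device>) ... Chrome/<a>.<b>.<c>.<d> Mobile Safari/537.36".
# Desktop Chrome has no "Android" token; Chrome on iOS uses "CriOS/" and is not matched.
_UA_RE = re.compile(r"\bAndroid\b.*?\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Combined-log-style line: client address is the first token, User-Agent is the last quoted field.
_LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"\s*$')


def chrome_android_version(user_agent: str) -> Optional[Version]:
    """Return the 4-part Chrome version for a Chromium-on-Android UA, else None."""
    m = _UA_RE.search(user_agent)
    if not m:
        return None
    a, b, c, d = (int(g) for g in m.groups())
    return (a, b, c, d)


def is_vulnerable(user_agent: str) -> bool:
    """True when the UA is Chromium-on-Android older than the fixed build.

    Tuple comparison orders 4-part versions numerically (95.0.4638.69 is newer
    than 94.0.4606.85); a plain string compare would get cases like 100 < 95 wrong.
    """
    v = chrome_android_version(user_agent)
    return v is not None and v < FIXED_VERSION


def vulnerable_clients(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, dotted_version) for each log line whose UA is below the fix.

    Lines that do not match the expected layout are skipped, not guessed at.
    """
    found: List[Tuple[str, str]] = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, ua = m.groups()
        v = chrome_android_version(ua)
        if v is not None and v < FIXED_VERSION:
            found.append((client, ".".join(str(n) for n in v)))
    return found


# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '10.1.2.3 - - [01/Nov/2021:09:12:01 +0000] "GET /login HTTP/1.1" 200 1843 "-" '
    '"Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/94.0.4606.85 Mobile Safari/537.36"',
    '10.1.2.4 - - [01/Nov/2021:09:12:07 +0000] "GET /login HTTP/1.1" 200 1843 "-" '
    '"Mozilla/5.0 (Linux; Android 12; SM-G991B) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/95.0.4638.69 Mobile Safari/537.36"',
    '10.1.2.5 - - [01/Nov/2021:09:12:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/94.0.4606.81 Safari/537.36"',
    '10.1.2.6 - - [01/Nov/2021:09:12:20 +0000] "GET /m HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/95.0.4638.50 Mobile Safari/537.36"',
]

if __name__ == "__main__":
    for client, version in vulnerable_clients(SAMPLE_LOG):
        print(f"{client} runs Chrome for Android {version}: below 95.0.4638.69, CVE-2021-38000 unpatched")
```

Only the two Android clients below the fixed build are reported; the desktop Chrome 94 client is ignored because the bug is in Android Intent handling, and the 95.0.4638.50 client is flagged because a 95.x major version alone does not mean the fix is present. Treat User-Agent data as an inventory hint, not proof: it is client-supplied and some browsers freeze or reduce it.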
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-24473
Vulnerability details
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browse to a malicious URL via a crafted HTML page.
- CWE(s): CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect'), CWE-20 (Improper Input Validation)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Google Chrome on Android prior to 95.0.4638.69, and the Debian and Fedora Chromium packages updated by the corresponding distribution advisories.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted input, which is what the fix adds for the crafted Intent/URL that triggers the open redirect.
- SI-2 (Flaw Remediation): mandates timely application of the Chrome 95.0.4638.69 update that eliminates the insufficient-validation flaw.
- AC-4 (Information Flow Enforcement): information-flow rules that can restrict unauthorized URL redirects originating from untrusted web content.