CVE-2024-1672: 
vulnerability analysis and mitigation

CVE-2024-1672 is a security vulnerability discovered in Google Chrome's Content Security Policy (CSP) implementation. The vulnerability affects versions prior to 122.0.6261.57 and was reported by Georg Felber and Marco Squarcina from TU Wien on December 19, 2023. The flaw allows a remote attacker to bypass content security policy via a crafted HTML page (Chrome Release).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. However, CISA-ADP assessed it with a higher CVSS score of 8.8 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-474 (Use of Function with Inconsistent Implementations) (NVD).

The vulnerability could allow remote attackers to bypass the Content Security Policy protections, potentially leading to unauthorized access to sensitive information and compromised web security controls. The impact is considered medium to high severity, depending on the assessment source (NVD).

Google has released a fix in Chrome version 122.0.6261.57. Users are advised to update their Chrome browsers to this version or later. The vulnerability has also been addressed in various Linux distributions, including Fedora 38 and 39 (Fedora Update).