CVE-2019-13741 – This vulnerability in Google Chrome's Blink ren... (How to Fix)

Q: What is the severity of CVE-2019-13741?

CVE-2019-13741 has a CVSS score of 8.8 (HIGH). This vulnerability in Google Chrome's Blink rendering engine allows a local attacker to bypass same-origin policy restrictions via malicious clipboard content. Attackers could potentially read sensitive data from other websites or perform unauthorized actions. Users of affected Chrome versions are at risk.

📋 TL;DR

This vulnerability in Google Chrome's Blink rendering engine allows a local attacker to bypass same-origin policy restrictions via malicious clipboard content. Attackers could potentially read sensitive data from other websites or perform unauthorized actions. Users of affected Chrome versions are at risk.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: Versions prior to 79.0.3945.79

Operating Systems: Windows, macOS, Linux, Chrome OS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected Chrome versions are vulnerable. Other Chromium-based browsers may also be affected.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could steal sensitive data (passwords, session tokens, personal information) from other websites the user has open, potentially leading to account takeover and data breaches.

🟠

Likely Case

Attackers could read limited data from other websites via clipboard manipulation, potentially capturing copied text or form data.

🟢

If Mitigated

With proper browser isolation and updated software, impact is minimal as the vulnerability requires local access and specific conditions.

🌐 Internet-Facing: LOW - This is primarily a client-side vulnerability requiring local access or user interaction.

🏢 Internal Only: MEDIUM - Internal users could potentially exploit this against other internal web applications if they have local access to target systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and user interaction (clipboard manipulation). No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 79.0.3945.79 and later

Vendor Advisory: https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome settings 2. Click 'About Chrome' 3. Allow Chrome to update automatically 4. Restart Chrome when prompted

🔧 Temporary Workarounds

Disable clipboard access

all

Restrict websites from accessing clipboard via browser settings or extensions

Use browser isolation

all

Run Chrome in sandboxed environment or use separate browser profiles for sensitive sites

🧯 If You Can't Patch

Implement application-level controls to prevent sensitive data exposure via client-side scripts
Use browser extensions that block clipboard access or enforce stricter same-origin policies

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in settings. If version is below 79.0.3945.79, system is vulnerable.

Check Version:

chrome://version/ or 'google-chrome --version' on Linux

Verify Fix Applied:

Confirm Chrome version is 79.0.3945.79 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Unusual clipboard access patterns in browser logs
Cross-origin resource access attempts

Network Indicators:

Unexpected cross-origin requests from browser sessions

SIEM Query:

Browser logs showing clipboard API calls across different origins within short timeframes

📊 Metadata

CVE ID: CVE-2019-13741

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-79

Published: December 10, 2019

Last Updated: November 21, 2024

🔗 References

http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html Broken Link
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html Broken Link
https://access.redhat.com/errata/RHSA-2019:4238 Third Party Advisory
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1011950 Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/
https://seclists.org/bugtraq/2020/Jan/27 Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/202003-08 Third Party Advisory
https://www.debian.org/security/2020/dsa-4606 Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html Broken Link
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html Broken Link
https://access.redhat.com/errata/RHSA-2019:4238 Third Party Advisory
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1011950 Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/
https://seclists.org/bugtraq/2020/Jan/27 Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/202003-08 Third Party Advisory
https://www.debian.org/security/2020/dsa-4606 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-13741, you might also want to check these: