CVE-2014-3160

2014-07-2011:12:00

CWE-264

[email protected]

web.nvd.nist.gov

cve-2014-3160

resourcefetcher

canrequest

blink

google chrome

same origin policy

svg

nvd

5.8 Medium

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.014 Low

EPSS

Percentile

86.0%

JSON

The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome before 36.0.1985.125, does not properly restrict subresource requests associated with SVG files, which allows remote attackers to bypass the Same Origin Policy via a crafted file.

CPENameOperatorVersion
debian:debian_linuxdebian debian linuxeq8.0
debian:debian_linuxdebian debian linuxeq7.0
google:chromegoogle chromeeq36.0.1985.2
google:chromegoogle chromeeq36.0.1985.24
google:chromegoogle chromeeq36.0.1985.15
google:chromegoogle chromeeq36.0.1985.92
google:chromegoogle chromeeq36.0.1985.69
google:chromegoogle chromeeq36.0.1985.49
google:chromegoogle chromeeq36.0.1985.79
google:chromegoogle chromeeq36.0.1985.103

CPE	Name	Operator	Version
debian:debian_linux	debian debian linux	eq	8.0
debian:debian_linux	debian debian linux	eq	7.0
google:chrome	google chrome	eq	36.0.1985.2
google:chrome	google chrome	eq	36.0.1985.24
google:chrome	google chrome	eq	36.0.1985.15
google:chrome	google chrome	eq	36.0.1985.92
google:chrome	google chrome	eq	36.0.1985.69
google:chrome	google chrome	eq	36.0.1985.49
google:chrome	google chrome	eq	36.0.1985.79
google:chrome	google chrome	eq	36.0.1985.103