Lucene search

[email protected]CVE-2015-1269

HistoryJun 26, 2015 - 2:59 p.m.

CVE-2015-1269

2015-06-2614:59:00

CWE-254

[email protected]

web.nvd.nist.gov

cve-2015-1269

google chrome

dns hostnames

hsts

hpkp

access restrictions

remote attackers

8.8 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

78.7%

JSON

The DecodeHSTSPreloadRaw function in net/http/transport_security_state.cc in Google Chrome before 43.0.2357.130 does not properly canonicalize DNS hostnames before making comparisons to HSTS or HPKP preload entries, which allows remote attackers to bypass intended access restrictions via a string that (1) ends in a . (dot) character or (2) is not entirely lowercase.

CPENameOperatorVersion
google:chromegoogle chromele43.0.2357.81

CPE	Name	Operator	Version
google:chrome	google chrome	le	43.0.2357.81

References

googlechromereleases.blogspot.com/2015/06/chrome-stable-update.html

lists.opensuse.org/opensuse-updates/2015-06/msg00057.html

lists.opensuse.org/opensuse-updates/2015-11/msg00012.html

rhn.redhat.com/errata/RHSA-2015-1188.html

www.debian.org/security/2015/dsa-3315

www.securityfocus.com/bid/75336

www.securitytracker.com/id/1032731

www.ubuntu.com/usn/USN-2652-1

code.google.com/p/chromium/issues/detail?id=461481

codereview.chromium.org/1149753002

security.gentoo.org/glsa/201507-18

8.8 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

78.7%

JSON

Related for CVE-2015-1269

debiancve1 prion1 ubuntucve1 gentoo1 ubuntu1 openvas8 nessus10 freebsd1 mageia1 threatpost1 kaspersky1 redhat1 chrome1 debian2 securityvulns2 osv1