Lucene search

[email protected]CVE-2016-1617

HistoryJan 25, 2016 - 11:59 a.m.

CVE-2016-1617

2016-01-2511:59:00

CWE-200

[email protected]

web.nvd.nist.gov

csp

google chrome

webkit

hsts

security vulnerability

blink

content security policy

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

5.5 Medium

AI Score

Confidence

Low

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

76.3%

JSON

The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 48.0.2564.82, does not apply http policies to https URLs and does not apply ws policies to wss URLs, which makes it easier for remote attackers to determine whether a specific HSTS web site has been visited by reading a CSP report.

CPENameOperatorVersion
google:chromegoogle chromele47.0.2526.106

CPE	Name	Operator	Version
google:chrome	google chrome	le	47.0.2526.106

References

googlechromereleases.blogspot.com/2016/01/stable-channel-update_20.html

lists.opensuse.org/opensuse-security-announce/2016-01/msg00035.html

lists.opensuse.org/opensuse-security-announce/2016-01/msg00036.html

lists.opensuse.org/opensuse-security-announce/2016-01/msg00046.html

rhn.redhat.com/errata/RHSA-2016-0072.html

www.debian.org/security/2016/dsa-3456

www.securityfocus.com/bid/81430

www.securitytracker.com/id/1034801

www.ubuntu.com/usn/USN-2877-1

code.google.com/p/chromium/issues/detail?id=544765

codereview.chromium.org/1455973003

security.gentoo.org/glsa/201603-09

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

5.5 Medium

AI Score

Confidence

Low

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

76.3%

JSON

Related for CVE-2016-1617

prion2 ubuntucve2 debiancve2 redhatcve1 cve1 nessus10 ubuntu1 openvas10 suse3 archlinux1 freebsd1 mageia2 chrome1 debian2 osv1 kaspersky1 redhat1 gentoo1