CVE-2015-6785

2015-12-0500:00:00

ubuntu.com

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

73.3%

JSON

The CSPSource::hostMatches function in
WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy
(CSP) implementation in Google Chrome before 47.0.2526.73 accepts an x.y
hostname as a match for a *.x.y pattern, which might allow remote attackers
to bypass intended access restrictions in opportunistic circumstances by
leveraging a policy that was intended to be specific to subdomains.

OSVersionArchitecturePackageVersionFilename
ubuntu14.04noarchchromium-browser< 47.0.2526.73-0ubuntu0.14.04.1.1106UNKNOWN
ubuntu15.04noarchchromium-browser< 47.0.2526.73-0ubuntu0.15.04.1.1190UNKNOWN
ubuntu15.10noarchchromium-browser< 47.0.2526.73-0ubuntu0.15.10.1.1215UNKNOWN
ubuntu14.04noarchoxide-qt< 1.11.3-0ubuntu0.14.04.1UNKNOWN
ubuntu15.04noarchoxide-qt< 1.11.3-0ubuntu0.15.04.1UNKNOWN
ubuntu15.10noarchoxide-qt< 1.11.3-0ubuntu0.15.10.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	14.04	noarch	chromium-browser	< 47.0.2526.73-0ubuntu0.14.04.1.1106	UNKNOWN
ubuntu	15.04	noarch	chromium-browser	< 47.0.2526.73-0ubuntu0.15.04.1.1190	UNKNOWN
ubuntu	15.10	noarch	chromium-browser	< 47.0.2526.73-0ubuntu0.15.10.1.1215	UNKNOWN
ubuntu	14.04	noarch	oxide-qt	< 1.11.3-0ubuntu0.14.04.1	UNKNOWN
ubuntu	15.04	noarch	oxide-qt	< 1.11.3-0ubuntu0.15.04.1	UNKNOWN
ubuntu	15.10	noarch	oxide-qt	< 1.11.3-0ubuntu0.15.10.1	UNKNOWN