CVE-2016-1617

2016-01-2200:00:00

ubuntu.com

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

76.3%

JSON

The CSPSource::schemeMatches function in
WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy
(CSP) implementation in Blink, as used in Google Chrome before
48.0.2564.82, does not apply http policies to https URLs and does not apply
ws policies to wss URLs, which makes it easier for remote attackers to
determine whether a specific HSTS web site has been visited by reading a
CSP report.

OSVersionArchitecturePackageVersionFilename
ubuntu14.04noarchchromium-browser< 48.0.2564.82-0ubuntu0.14.04.1.1108UNKNOWN
ubuntu15.04noarchchromium-browser< 48.0.2564.82-0ubuntu0.15.04.1.1193UNKNOWN
ubuntu15.10noarchchromium-browser< 48.0.2564.82-0ubuntu0.15.10.1.1219UNKNOWN
ubuntu14.04noarchoxide-qt< 1.12.5-0ubuntu0.14.04.1UNKNOWN
ubuntu15.04noarchoxide-qt< 1.12.5-0ubuntu0.15.04.1UNKNOWN
ubuntu15.10noarchoxide-qt< 1.12.5-0ubuntu0.15.10.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	14.04	noarch	chromium-browser	< 48.0.2564.82-0ubuntu0.14.04.1.1108	UNKNOWN
ubuntu	15.04	noarch	chromium-browser	< 48.0.2564.82-0ubuntu0.15.04.1.1193	UNKNOWN
ubuntu	15.10	noarch	chromium-browser	< 48.0.2564.82-0ubuntu0.15.10.1.1219	UNKNOWN
ubuntu	14.04	noarch	oxide-qt	< 1.12.5-0ubuntu0.14.04.1	UNKNOWN
ubuntu	15.04	noarch	oxide-qt	< 1.12.5-0ubuntu0.15.04.1	UNKNOWN
ubuntu	15.10	noarch	oxide-qt	< 1.12.5-0ubuntu0.15.10.1	UNKNOWN