Timing Attack in SVG Rendering of Google Chrome
CVE-2017-5107
5.3 MEDIUM
Key Information:
- Vendor
- CVE Published: 27 October 2017
Summary
A timing attack vulnerability was discovered in the SVG rendering process of Google Chrome that affects multiple platforms, including Linux, Windows, and Mac. A remote attacker can exploit the flaw when a page is rendered within an iframe on a cross-origin site, potentially extracting pixel values from the rendered content. Such an attack can compromise the confidentiality of user data and content across sites.
Affected Version(s)
Google Chrome prior to 60.0.3112.78 for Linux, Windows and Mac
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved