Content Security Policy Bypass in Google Chrome
CVE-2017-5118

4.3MEDIUM

Key Information:

Vendor
Google
Status
Google Chrome Prior To 61.0.3163.79 For Mac, Windows And Linux, And 61.0.3163.81 For Android
Vendor
CVE Published:
27 October 2017

Summary

A vulnerability was identified in Google Chrome's Blink engine, which failed to correctly enforce Content Security Policy (CSP) restrictions on JavaScript scheme pages. This flaw allowed remote attackers to exploit the weakness using specially crafted HTML pages, potentially enabling unauthorized access to sensitive resources and data. Users are urged to upgrade to the latest version of Google Chrome to mitigate the risk associated with this issue.

Affected Version(s)

Google Chrome prior to 61.0.3163.79 for Mac, Windows and Linux, and 61.0.3163.81 for Android Google Chrome prior to 61.0.3163.79 for Mac, Windows and Linux, and 61.0.3163.81 for Android

References

https://crbug.com/747847
x_refsource_MISC
https://security.gentoo.org/glsa/201709-15
vendor-advisoryx_refsource_GENTOO
https://access.redhat.com/errata/RHSA-2017:2676
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.