Inadequate Redirect Handling in Google Chrome Affects Multiple Platforms
CVE-2017-5120
Key Information:
- CVE Published: 27 October 2017
Summary
The vulnerability arises from a flaw in the handling of www mismatch redirects during browser navigation in Google Chrome prior to 61.0.3163.79 for desktop platforms and prior to 61.0.3163.81 for Android. The flawed implementation allows an attacker to potentially downgrade secure HTTPS requests to insecure HTTP by means of crafted HTML pages. Consequently, even if a user enters an https URL, the browser may transmit sensitive information in cleartext, due to unintended behavior in how domain names are compared against X.509 server certificates.
Affected Version(s)
Google Chrome prior to 61.0.3163.79 for Mac, Windows and Linux, and 61.0.3163.81 for Android