CVE-2017-5120

6.5MEDIUM

Key Information:

Vendor
Google
Status
Google Chrome Prior To 61.0.3163.79 For Mac, Windows And Linux, And 61.0.3163.81 For Android
Vendor
CVE Published:
27 October 2017

Summary

Inappropriate use of www mismatch redirects in browser navigation in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, allowed a remote attacker to potentially downgrade HTTPS requests to HTTP via a crafted HTML page. In other words, Chrome could transmit cleartext even though the user had entered an https URL, because of a misdesigned workaround for cases where the domain name in a URL almost matches the domain name in an X.509 server certificate (but differs in the initial "www." substring).

Affected Version(s)

Google Chrome prior to 61.0.3163.79 for Mac, Windows and Linux, and 61.0.3163.81 for Android Google Chrome prior to 61.0.3163.79 for Mac, Windows and Linux, and 61.0.3163.81 for Android

References

https://crbug.com/718676
x_refsource_MISC
https://security.gentoo.org/glsa/201709-15
vendor-advisoryx_refsource_GENTOO
https://access.redhat.com/errata/RHSA-2017:2676
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.