Vulnerability Details : CVE-2014-3166
The Public Key Pinning (PKP) implementation in Google Chrome before 36.0.1985.143 on Windows, OS X, and Linux, and before 36.0.1985.135 on Android, does not correctly consider the properties of SPDY connections, which allows remote attackers to obtain sensitive information by leveraging the use of multiple domain names.
Exploit prediction scoring system (EPSS) score for CVE-2014-3166
Probability of exploitation activity in the next 30 days: 0.94%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 83 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2014-3166
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST |
References for CVE-2014-3166
-
http://www.ietf.org/mail-archive/web/tls/current/msg13345.html
ArchiveThird Party Advisory
-
http://security.gentoo.org/glsa/glsa-201408-16.xml
Chromium: Multiple vulnerabilities (GLSA 201408-16) — Gentoo securityThird Party Advisory
-
http://googlechromereleases.blogspot.com/2014/08/chrome-for-android-update.html
Chrome Releases: Chrome for Android UpdateRelease Notes;Vendor Advisory
-
http://www.debian.org/security/2014/dsa-3039
Debian -- Security Information -- DSA-3039-1 chromium-browserThird Party Advisory
-
https://code.google.com/p/chromium/issues/detail?id=398925
398925 - Security: SPDY connection sharing logic errors allows for MITM - chromium - MonorailExploit;Issue Tracking;Mailing List;Vendor Advisory
-
http://secunia.com/advisories/59693
Sign inBroken Link;Third Party Advisory
-
http://secunia.com/advisories/60798
Sign inBroken Link;Third Party Advisory
-
https://src.chromium.org/viewvc/chrome?revision=288435&view=revision
[chrome] Revision 288435Third Party Advisory
-
http://googlechromereleases.blogspot.com/2014/08/stable-channel-update.html
Chrome Releases: Stable Channel UpdateRelease Notes;Vendor Advisory
-
http://secunia.com/advisories/60685
Sign inBroken Link;Third Party Advisory
-
http://www.securitytracker.com/id/1030732
Google Chrome Multiple Bugs Let Remote Users Execute Arbitrary Code and Obtain Information - SecurityTrackerBroken Link;Third Party Advisory;VDB Entry
-
http://www.securityfocus.com/bid/69202
Google Chrome CVE-2014-3166 Information Disclosure VulnerabilityBroken Link;Third Party Advisory;VDB Entry
-
http://secunia.com/advisories/59904
Sign inBroken Link;Third Party Advisory
-
https://src.chromium.org/viewvc/chrome?revision=286598&view=revision
[chrome] Revision 286598Third Party Advisory
-
http://googlechromereleases.blogspot.com/2014/08/chrome-for-ios-update.html
Chrome Releases: Chrome for iOS UpdateRelease Notes;Vendor Advisory
Products affected by CVE-2014-3166
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*