CVE-2016-1617 : The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP)

The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 48.0.2564.82, does not apply http policies to https URLs and does not apply ws policies to wss URLs, which makes it easier for remote attackers to determine whether a specific HSTS web site has been visited by reading a CSP report.

Published 2016-01-25 11:59:06

Updated 2016-12-07 18:33:01

Source Google Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2016-1617

Probability of exploitation activity in the next 30 days: 0.51%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 74 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-1617

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
4.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N	2.8	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2016-1617

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-1617

https://codereview.chromium.org/1455973003

Issue 1455973003: CSP: Source expressions can no longer lock sites into insecurity. - Code Review
http://googlechromereleases.blogspot.com/2016/01/stable-channel-update_20.html

Chrome Releases: Stable Channel Update
Vendor Advisory

CVEs referencing this url
https://code.google.com/p/chromium/issues/detail?id=544765

544765 - Privacy: browser history sniffing attack using HSTS + CSP - chromium - Monorail
http://www.ubuntu.com/usn/USN-2877-1

USN-2877-1: Oxide vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://security.gentoo.org/glsa/201603-09

Chromium: Multiple vulnerabilities (GLSA 201603-09) — Gentoo security

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00046.html

[security-announce] openSUSE-SU-2016:0271-1: important: Security update

CVEs referencing this url
http://www.debian.org/security/2016/dsa-3456

Debian -- Security Information -- DSA-3456-1 chromium-browser

CVEs referencing this url
http://www.securitytracker.com/id/1034801

Google Chrome Multiple Bugs Let Remote Users Obtain Information, Bypass Security Restrictions, Spoof URLs, and Execute Arbitrary Code - SecurityTracker

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00036.html

[security-announce] openSUSE-SU-2016:0250-1: important: Security update

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00035.html

[security-announce] openSUSE-SU-2016:0249-1: important: Security update

CVEs referencing this url
http://www.securityfocus.com/bid/81430

Google Chrome Prior to 48.0.2564.82 Multiple Security Vulnerabilities

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2016-0072.html

RHSA-2016:0072 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url

Products affected by CVE-2016-1617

Google » Chrome
Versions up to, including, (<=) 47.0.2526.106
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-1617

Exploit prediction scoring system (EPSS) score for CVE-2016-1617

CVSS scores for CVE-2016-1617

CWE ids for CVE-2016-1617

References for CVE-2016-1617

Products affected by CVE-2016-1617