Vulnerability Details: CVE-2014-3160
The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome before 36.0.1985.125, does not properly restrict subresource requests associated with SVG files, which allows remote attackers to bypass the Same Origin Policy via a crafted file.
Products affected by CVE-2014-3160
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.93:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.92:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.91:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.90:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.76:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.75:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.74:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.73:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.6:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.59:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.58:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.57:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.44:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.43:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.42:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.41:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.29:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.28:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.27:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.26:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.14:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.13:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.12:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.105:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.99:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.98:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.85:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.84:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.83:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.82:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.67:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.66:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.65:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.64:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.51:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.50:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.5:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.49:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.37:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.36:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.35:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.34:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.33:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.21:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.20:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.19:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.100:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.96:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.87:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.8:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.78:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.70:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.68:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.63:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.61:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.55:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.53:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.47:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.45:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.40:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.39:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.32:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.30:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.24:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.22:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.18:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.16:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.104:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.102:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.95:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.88:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.86:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.81:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.79:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.77:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.72:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.69:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.62:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.60:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.56:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.54:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.52:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.48:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.46:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.4:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.38:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.31:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.25:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.23:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.17:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.15:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.103:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.101:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.124:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.122:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:36.0.1985.123:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3160
- 1.36%: probability of exploitation activity in the next 30 days
- ~85%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-3160
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
CWE ids for CVE-2014-3160
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3160
- http://security.gentoo.org/glsa/glsa-201408-16.xml
  Chromium: Multiple vulnerabilities (GLSA 201408-16) — Gentoo security
- http://www.securityfocus.com/bid/68677
  Google Chrome Prior to 36.0.1985.122 Multiple Security Vulnerabilities
- http://secunia.com/advisories/60061
- http://googlechromereleases.blogspot.com/2014/07/stable-channel-update.html
  Chrome Releases: Stable Channel Update (Vendor Advisory)
- http://www.debian.org/security/2014/dsa-3039
  Debian -- Security Information -- DSA-3039-1 chromium-browser
- http://secunia.com/advisories/60372
- https://code.google.com/p/chromium/issues/detail?id=380885
  380885 - Security: Cache-based SOP-Bypass for Images - chromium - Monorail
- https://src.chromium.org/viewvc/blink?revision=176084&view=revision
  [blink] Revision 176084 (Patch)