Vulnerability Details : CVE-2014-3166
Potential exploit
The Public Key Pinning (PKP) implementation in Google Chrome before 36.0.1985.143 on Windows, OS X, and Linux, and before 36.0.1985.135 on Android, does not correctly consider the properties of SPDY connections, which allows remote attackers to obtain sensitive information by leveraging the use of multiple domain names.
Products affected by CVE-2014-3166
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3166
- 0.94%: probability of exploitation activity in the next 30 days
- ~83%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-3166
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
References for CVE-2014-3166
- http://www.ietf.org/mail-archive/web/tls/current/msg13345.html
  Archive [Third Party Advisory]
- http://security.gentoo.org/glsa/glsa-201408-16.xml
  Chromium: Multiple vulnerabilities (GLSA 201408-16) — Gentoo security [Third Party Advisory]
- http://googlechromereleases.blogspot.com/2014/08/chrome-for-android-update.html
  Chrome Releases: Chrome for Android Update [Release Notes; Vendor Advisory]
- http://www.debian.org/security/2014/dsa-3039
  Debian -- Security Information -- DSA-3039-1 chromium-browser [Third Party Advisory]
- https://code.google.com/p/chromium/issues/detail?id=398925
  398925 - Security: SPDY connection sharing logic errors allows for MITM - chromium - Monorail [Exploit; Issue Tracking; Mailing List; Vendor Advisory]
- http://secunia.com/advisories/59693
  [Broken Link; Third Party Advisory]
- http://secunia.com/advisories/60798
  [Broken Link; Third Party Advisory]
- https://src.chromium.org/viewvc/chrome?revision=288435&view=revision
  [chrome] Revision 288435 [Third Party Advisory]
- http://googlechromereleases.blogspot.com/2014/08/stable-channel-update.html
  Chrome Releases: Stable Channel Update [Release Notes; Vendor Advisory]
- http://secunia.com/advisories/60685
  [Broken Link; Third Party Advisory]
- http://www.securitytracker.com/id/1030732
  Google Chrome Multiple Bugs Let Remote Users Execute Arbitrary Code and Obtain Information - SecurityTracker [Broken Link; Third Party Advisory; VDB Entry]
- http://www.securityfocus.com/bid/69202
  Google Chrome CVE-2014-3166 Information Disclosure Vulnerability [Broken Link; Third Party Advisory; VDB Entry]
- http://secunia.com/advisories/59904
  [Broken Link; Third Party Advisory]
- https://src.chromium.org/viewvc/chrome?revision=286598&view=revision
  [chrome] Revision 286598 [Third Party Advisory]
- http://googlechromereleases.blogspot.com/2014/08/chrome-for-ios-update.html
  Chrome Releases: Chrome for iOS Update [Release Notes; Vendor Advisory]