Vulnerability Details : CVE-2014-3172
The Debugger extension API in browser/extensions/api/debugger/debugger_api.cc in Google Chrome before 37.0.2062.94 does not validate a tab's URL before an attach operation, which allows remote attackers to bypass intended access limitations via an extension that uses a restricted URL, as demonstrated by a chrome:// URL.
Products affected by CVE-2014-3172
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.20:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.10:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.11:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.19:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.26:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.27:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.33:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.34:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.45:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.46:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.52:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.53:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.6:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.60:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.61:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.68:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.69:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.75:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.76:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.90:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.91:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.15:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.16:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.22:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.23:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.30:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.39:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.4:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.49:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.5:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.56:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.57:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.64:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.65:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.71:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.72:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.8:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.80:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.12:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.13:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.14:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.21:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.28:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.29:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.35:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.36:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.37:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.47:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.48:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.54:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.55:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.62:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.63:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.7:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.70:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.77:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.78:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.92:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.17:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.18:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.24:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.25:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.31:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.32:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.43:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.44:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.50:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.51:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.58:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.59:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.66:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.67:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.73:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.74:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.81:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:37.0.2062.9:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3172
0.42%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 74 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-3172
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
10.0
|
4.9
|
NIST |
CWE ids for CVE-2014-3172
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3172
-
http://www.securityfocus.com/bid/69401
Google Chrome CVE-2014-3172 Unspecified Security Vulnerability
-
http://security.gentoo.org/glsa/glsa-201408-16.xml
Chromium: Multiple vulnerabilities (GLSA 201408-16) — Gentoo security
-
https://src.chromium.org/viewvc/chrome?revision=280354&view=revision
[chrome] Revision 280354Patch
-
http://secunia.com/advisories/60268
Sign in
-
http://www.debian.org/security/2014/dsa-3039
Debian -- Security Information -- DSA-3039-1 chromium-browser
-
http://googlechromereleases.blogspot.com/2014/08/stable-channel-update_26.html
Chrome Releases: Stable Channel UpdateVendor Advisory
-
http://secunia.com/advisories/61482
Sign in
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/95472
Google Chrome extension debugging unspecified CVE-2014-3172 Vulnerability Report
-
https://crbug.com/367567
367567 - Security: Any extension can debug any other extension (e.g. crosh) - chromium - Monorail
-
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00027.html
[security-announce] openSUSE-SU-2014:1151-1: important: chromium to 37.0
-
http://www.securitytracker.com/id/1030767
Google Chrome Multiple Bugs Let Remote Users Execute Arbitrary Code and Obtain Information - SecurityTracker
Jump to