CVE-2014-7939 : Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enable

Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an "X-Content-Type-Options: nosniff" header.

Published 2015-01-22 22:59:20

Updated 2025-04-12 10:46:41

Source Chrome

View at NVD, CVE.org

Products affected by CVE-2014-7939

Redhat » Enterprise Linux Desktop Supplementary » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop_supplementary:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Supplementary » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server_supplementary:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation Supplementary » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation_supplementary:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Supplementary Eus » Version: 6.6.z
cpe:2.3:o:redhat:enterprise_linux_server_supplementary_eus:6.6.z:*:*:*:*:*:*:*
Matching versions
Google » Chrome
Versions up to, including, (<=) 40.0.2214.85
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Matching versions
Opensuse » Opensuse » Version: 13.2
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
Matching versions
Opensuse » Opensuse » Version: 13.1
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
Matching versions
Chromium » Chromium » Version: 40.0.2214.110
cpe:2.3:a:chromium:chromium:40.0.2214.110:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-7939

EPSS FAQ

0.76%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 71 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-7939

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2014-7939

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-7939

http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html

[security-announce] openSUSE-SU-2015:0441-1: important: Security update

CVEs referencing this url
http://secunia.com/advisories/62665

Sign in

CVEs referencing this url
http://www.securitytracker.com/id/1031623

Google Chrome Multiple Bugs Let Remote Users Execute Arbitrary Code and Deny Service - SecurityTracker

CVEs referencing this url
http://www.securityfocus.com/bid/72288

Google Chrome 40.0.2214.91 Multiple Security Vulnerabilities

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-0093.html

RHSA-2015:0093 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://code.google.com/p/chromium/issues/detail?id=399951

399951 - Security: Cross-origin information leak via ECMAScript harmony proxies - chromium - Monorail
http://googlechromereleases.blogspot.com/2015/01/stable-update.html

Chrome Releases: Stable Channel Update

CVEs referencing this url
http://secunia.com/advisories/62383

Sign in

CVEs referencing this url
http://security.gentoo.org/glsa/glsa-201502-13.xml

Chromium: Multiple vulnerabilities (GLSA 201502-13) — Gentoo security

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2014-7939

Products affected by CVE-2014-7939

Exploit prediction scoring system (EPSS) score for CVE-2014-7939

CVSS scores for CVE-2014-7939

CWE ids for CVE-2014-7939

References for CVE-2014-7939