Vulnerability Details : CVE-2017-1000025
GNOME Web (Epiphany) 3.23 before 3.23.5, 3.22 before 3.22.6, 3.20 before 3.20.7, 3.18 before 3.18.11, and prior versions, is vulnerable to a password manager sweep attack resulting in the remote exfiltration of stored passwords for a selected set of websites.
Vulnerability category: Information leak
Products affected by CVE-2017-1000025
- cpe:2.3:a:gnome:epiphany:3.23.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.18.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.18.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.18.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.20.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.20.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.22.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.22.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.18.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.20.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.20.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.22.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.22.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.18.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.18.8:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.18.9:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.18.10:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.23.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.23.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.23.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.23.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.23.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.18.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.18.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.20.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.22.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.22.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:epiphany:3.23.1.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-1000025
0.28%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 68 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-1000025
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2017-1000025
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-1000025
-
https://bugzilla.gnome.org/show_bug.cgi?id=752738
Bug 752738 – (CVE-2017-1000025) Password manager allows HTTP sites to access passwords saved on HTTPS sitesIssue Tracking;Vendor Advisory
-
https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/silver
Password Managers: Attacks and Defenses | USENIXTechnical Description;Third Party Advisory
Jump to