CVE-2017-5042 : Cast in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0

Cast in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android sent cookies to sites discovered via SSDP, which allowed an attacker on the local network segment to initiate connections to arbitrary URLs and observe any plaintext cookies sent.

Published 2017-04-24 23:59:01

Updated 2022-04-22 20:28:54

Source Google Inc.

View at NVD, CVE.org

Products affected by CVE-2017-5042

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Google » Chrome
Versions up to, including, (<=) 57.0.2987.75
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Matching versions
When used together with: Apple » Macos » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
Google » Chrome
Versions up to, including, (<=) 57.0.2987.100
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Matching versions
When used together with: Google » Android » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2017-5042

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 13 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-5042

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.3	LOW	AV:A/AC:L/Au:N/C:P/I:N/A:N	6.5	2.9	NIST
Access Vector: Adjacent Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.7	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	2.1	3.6	NIST
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2017-5042

CWE-311 Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-5042

https://security.gentoo.org/glsa/201704-02

Chromium: Multiple vulnerabilities (GLSA 201704-02) — Gentoo security
Third Party Advisory

CVEs referencing this url
http://www.debian.org/security/2017/dsa-3810

Debian -- Security Information -- DSA-3810-1 chromium-browser
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2017-0499.html

RHSA-2017:0499 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html

Chrome Releases: Stable Channel Update for Desktop
Vendor Advisory

CVEs referencing this url
https://crbug.com/671932

671932 - Security: non-interactive request forcing - chromium - Monorail
Issue Tracking;Patch;Vendor Advisory
http://www.securityfocus.com/bid/96767

Google Chrome Prior to 57.0.2987.98 Multiple Security Vulnerabilities
Broken Link

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-5042

Products affected by CVE-2017-5042

Exploit prediction scoring system (EPSS) score for CVE-2017-5042

CVSS scores for CVE-2017-5042

CWE ids for CVE-2017-5042

References for CVE-2017-5042