Vulnerability CVE-2008-6512


Published: 2009-03-24   Modified: 2012-02-13

Description:
Cross-domain vulnerability in the WorkerPool API in Google Gears before 0.5.4.2 allows remote attackers to bypass the Same Origin Policy and the intended access restrictions of the allowCrossOrigin function by hosting an assumed-safe file type containing Google Gear commands on the target domain, then accessing that file from the attacking domain, whose response headers are not checked and cause the worker code to run in the target domain.

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Google -> Gears 

 References:
http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html
http://code.google.com/apis/gears/upcoming/api_workerpool.html#cross_origin
http://www.securityfocus.com/bid/32698
https://exchange.xforce.ibmcloud.com/vulnerabilities/47173

Copyright 2021, cxsecurity.com

 

Back to Top