Vulnerability CVE-2016-1677


Published: 2016-06-05   Modified: 2016-06-06

Description:
uri.js in Google V8 before 5.1.281.26, as used in Google Chrome before 51.0.2704.63, uses an incorrect array type, which allows remote attackers to obtain sensitive information by calling the decodeURI function and leveraging "type confusion."

Type:
CWE-200 (Information Exposure)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Affected software
SUSE -> Linux enterprise 
Redhat -> Enterprise linux desktop 
Redhat -> Enterprise linux server 
Redhat -> Enterprise linux workstation 
Opensuse -> LEAP 
Opensuse -> Opensuse 
Novell -> LEAP 
Novell -> Opensuse 
Google -> Chrome 
Google -> V8 
Debian -> Debian linux 
Canonical -> Ubuntu linux 

 References:
http://googlechromereleases.blogspot.com/2016/05/stable-channel-update_25.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00062.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00063.html
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00005.html
http://www.debian.org/security/2016/dsa-3590
http://www.securityfocus.com/bid/90876
http://www.securitytracker.com/id/1035981
http://www.ubuntu.com/usn/USN-2992-1
https://access.redhat.com/errata/RHSA-2016:1190
https://codereview.chromium.org/1936083002
https://crbug.com/602970
https://security.gentoo.org/glsa/201607-07

Copyright 2024, cxsecurity.com

 
