CVE-2008-7294 — Google Chrome vulnerability

CWE-2643 documents3 sources

Severity

5.8MEDIUMNVD

EPSS

0.3%

top 45.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome

Timeline

PublishedAug 9

Latest updateMay 17

Description

Google Chrome before 4.0.211.0 cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, aka a "cookie forcing" issue.

CVSS vector

AV:N/AC:M/C:N/I:P/A:PExploitability: 8.6 | Impact: 4.9

Affected Packages1 packages

▶NVDgoogle/chrome3.0.195.38+58

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-mrmv-jgqh-443q: Google Chrome before 4↗2022-05-17

▶

📄Research Papers

arXiv

The (Un)Reliability of NVD Vulnerable Versions Data: an Empirical Experiment on Google Chrome Vulnerabilities↗2013-02-17

▶