CVE-2015-6785 — Google Chrome vulnerability

CWE-2647 documents6 sources

Severity

4.3MEDIUMNVD

OSV10.0

EPSS

0.8%

top 26.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome

Timeline

PublishedDec 6

Latest updateMay 17

Description

The CSPSource::hostMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Google Chrome before 47.0.2526.73 accepts an x.y hostname as a match for a *.x.y pattern, which might allow remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging a policy that was intended to be specific to subdomains.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDgoogle/chrome46.0.2490.86

🔴Vulnerability Details

GHSA

GHSA-hqg9-cpw9-mw7g: The CSPSource::hostMatches function in WebKit/Source/core/frame/csp/CSPSource↗2022-05-17

▶

OSV

oxide-qt vulnerabilities↗2015-12-10

▶

OSV

CVE-2015-6785: The CSPSource::hostMatches function in WebKit/Source/core/frame/csp/CSPSource↗2015-12-05

▶

📋Vendor Advisories

Ubuntu

Oxide vulnerabilities↗2015-12-10

▶

Red Hat

chromium-browser: Wildcard matching issue in CSP↗2015-12-01

▶

💬Community

Bugzilla

CVE-2015-6785 chromium-browser: Wildcard matching issue in CSP↗2015-12-02

▶