CVE-2016-1696

CWE-254 CWE-284 — Improper Access Control7 documents6 sources

Severity

8.8HIGH

EPSS

1.5%

top 19.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome Debian Debian Linux Opensuse Leap +5 more

Timeline

PublishedJun 5

Latest updateMay 14

Description

The extensions subsystem in Google Chrome before 51.0.2704.79 does not properly restrict bindings access, which allows remote attackers to bypass the Same Origin Policy via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages7 packages

▶NVDgoogle/chrome51.0.2704.63

▶Ubuntuchromium-browser< 51.0.2704.79-0ubuntu0.14.04.1.1121+1

▶NVDopensuse/leap42.1

▶NVDopensuse/opensuse13.2

▶NVDredhat/enterprise_linux_server6.0

Also affects: Debian Linux 8.0, Linux Enterprise 12.0

🔴Vulnerability Details

GHSA

GHSA-3r8m-9qvw-p5fw: The extensions subsystem in Google Chrome before 51↗2022-05-14

▶

OSV

CVE-2016-1696: The extensions subsystem in Google Chrome before 51↗2016-06-05

▶

CVEList

CVE-2016-1696: The extensions subsystem in Google Chrome before 51↗2016-06-05

▶

📋Vendor Advisories

Red Hat

chromium-browser: cross-origin bypass in extension bindings↗2016-06-01

▶

💬Community

Bugzilla

CVE-2016-1696 chromium-browser: cross-origin bypass in extension bindings↗2016-06-02

▶

Bugzilla

CVE-2016-2116 jasper: memory leak in jas_iccprof_createfrombuf()↗2016-03-03

▶