CVE-2016-5192 — Improper Access Control in Google Chrome

CWE-284 — Improper Access Control CWE-287 — Improper Authentication11 documents7 sources

Severity

6.5MEDIUMNVD

OSV7.5

EPSS

0.2%

top 52.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Saltstack Salt Google Chrome

Timeline

PublishedDec 18

Latest updateMay 17

Description

Blink in Google Chrome prior to 54.0.2840.59 for Windows missed a CORS check on redirect in TextTrackLoader, which allowed a remote attacker to bypass cross-origin restrictions via crafted HTML pages.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDgoogle/chrome53.0.2785.143

▶PyPIsaltstack/salt2016.3.0 — 2016.3.5+2

🔴Vulnerability Details

GHSA

SaltStack Salt Authentication Bypass when using the local_batch client from salt-api↗2022-05-17

▶

GHSA

GHSA-5qph-qrqq-9w48: Blink in Google Chrome prior to 54↗2022-05-14

▶

OSV

oxide-qt vulnerabilities↗2016-11-02

▶

OSV

CVE-2016-5192: Blink in Google Chrome prior to 54↗2016-10-17

▶

📋Vendor Advisories

Red Hat

salt: local_batch client external authentication not respected↗2017-01-20

▶

Ubuntu

Oxide vulnerabilities↗2016-11-02

▶

Red Hat

chromium-browser: cross-origin bypass in blink↗2016-10-12

▶

💬Community

Bugzilla

CVE-2017-5192 salt: local_batch client external authentication not respected↗2017-02-01

▶

Bugzilla

CVE-2016-5181 CVE-2016-5182 CVE-2016-5183 CVE-2016-5184 CVE-2016-5185 CVE-2016-5186 CVE-2016-5187 CVE-2016-5188 CVE-2016-5189 CVE-2016-5190 CVE-2016-5191 CVE-2016-5192 CVE-2016-5193 CVE-2016-5194 chro↗2016-10-13

▶

Bugzilla

CVE-2016-5192 chromium-browser: cross-origin bypass in blink↗2016-10-13

▶