CVE-2017-5033 — Improper Preservation of Permissions in Google Chrome

CWE-281 — Improper Preservation of Permissions10 documents7 sources

Severity

4.3MEDIUMNVD

OSV8.8

EPSS

0.6%

top 30.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome Debian Linux Redhat Enterprise Linux Desktop +2 more

Timeline

PublishedApr 24

Latest updateApr 30

Description

Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the unsafe-inline keyword.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDgoogle/chrome57.0.2987.75+1

▶NVDredhat/enterprise_linux_server6.0

▶NVDredhat/enterprise_linux_desktop6.0

▶NVDredhat/enterprise_linux_workstation6.0

Also affects: Debian Linux 8.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-q3xm-785w-f7gp: Blink in Google Chrome prior to 57↗2022-04-30

▶

OSV

oxide-qt vulnerabilities↗2017-03-29

▶

OSV

CVE-2017-5033: Blink in Google Chrome prior to 57↗2017-03-10

▶

📋Vendor Advisories

Ubuntu

Oxide vulnerabilities↗2017-03-29

▶

Red Hat

chromium-browser: bypass of content security policy in blink↗2017-03-09

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Content Security Policy bypass in Microsoft Edge, Google Chrome and Apple Safari↗2017-09-06

▶

Talos

Vulnerability Spotlight: Content Security Policy bypass in Microsoft Edge, Google Chrome and Apple Safari↗2017-09-06

▶

💬Community

Bugzilla

chromium: various flaws [fedora-all]↗2017-03-10

▶

Bugzilla

CVE-2017-5033 chromium-browser: bypass of content security policy in blink↗2017-03-10

▶