CVE-2017-5042 — Missing Encryption of Sensitive Data in Google Chrome

CWE-311 — Missing Encryption of Sensitive Data6 documents5 sources

Severity

5.7MEDIUMNVD

EPSS

0.0%

top 86.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome Debian Linux Redhat Enterprise Linux Desktop +2 more

Timeline

PublishedApr 24

Latest updateApr 30

Description

Cast in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android sent cookies to sites discovered via SSDP, which allowed an attacker on the local network segment to initiate connections to arbitrary URLs and observe any plaintext cookies sent.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.1 | Impact: 3.6

Affected Packages4 packages

▶NVDgoogle/chrome57.0.2987.75+1

▶NVDredhat/enterprise_linux_server6.0

▶NVDredhat/enterprise_linux_desktop6.0

▶NVDredhat/enterprise_linux_workstation6.0

Also affects: Debian Linux 8.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-9wr7-mfw6-pfpw: Cast in Google Chrome prior to 57↗2022-04-30

▶

OSV

CVE-2017-5042: Cast in Google Chrome prior to 57↗2017-04-24

▶

📋Vendor Advisories

Red Hat

chromium-browser: incorrect handling of cookies in cast↗2017-03-09

▶

💬Community

Bugzilla

CVE-2017-5042 chromium-browser: incorrect handling of cookies in cast↗2017-03-10

▶

Bugzilla

chromium: various flaws [fedora-all]↗2017-03-10

▶