gsd - gsd-2016-1622

gsd-2016-1622

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

The Extensions subsystem in Google Chrome before 48.0.2564.109 does not prevent use of the Object.defineProperty method to override intended extension behavior, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.

Aliases

CVE-2016-1622

Aliases

CVE-2016-1622

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-1622",
    "description": "The Extensions subsystem in Google Chrome before 48.0.2564.109 does not prevent use of the Object.defineProperty method to override intended extension behavior, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.",
    "id": "GSD-2016-1622",
    "references": [
      "https://www.suse.com/security/cve/CVE-2016-1622.html",
      "https://www.debian.org/security/2016/dsa-3486",
      "https://access.redhat.com/errata/RHSA-2016:0241",
      "https://advisories.mageia.org/CVE-2016-1622.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-1622"
      ],
      "details": "The Extensions subsystem in Google Chrome before 48.0.2564.109 does not prevent use of the Object.defineProperty method to override intended extension behavior, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.",
      "id": "GSD-2016-1622",
      "modified": "2023-12-13T01:21:24.161458Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@google.com",
        "ID": "CVE-2016-1622",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Extensions subsystem in Google Chrome before 48.0.2564.109 does not prevent use of the Object.defineProperty method to override intended extension behavior, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "83125",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/83125"
          },
          {
            "name": "1035183",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1035183"
          },
          {
            "name": "https://code.google.com/p/chromium/issues/detail?id=546677",
            "refsource": "CONFIRM",
            "url": "https://code.google.com/p/chromium/issues/detail?id=546677"
          },
          {
            "name": "http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html",
            "refsource": "CONFIRM",
            "url": "http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html"
          },
          {
            "name": "GLSA-201603-09",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/201603-09"
          },
          {
            "name": "openSUSE-SU-2016:0491",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00104.html"
          },
          {
            "name": "openSUSE-SU-2016:0518",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00119.html"
          },
          {
            "name": "DSA-3486",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2016/dsa-3486"
          },
          {
            "name": "RHSA-2016:0241",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0241.html"
          },
          {
            "name": "https://codereview.chromium.org/1417513003",
            "refsource": "CONFIRM",
            "url": "https://codereview.chromium.org/1417513003"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "48.0.2564.103",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@google.com",
          "ID": "CVE-2016-1622"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The Extensions subsystem in Google Chrome before 48.0.2564.109 does not prevent use of the Object.defineProperty method to override intended extension behavior, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-264"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://codereview.chromium.org/1417513003",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "https://codereview.chromium.org/1417513003"
            },
            {
              "name": "https://code.google.com/p/chromium/issues/detail?id=546677",
              "refsource": "CONFIRM",
              "tags": [
                "Permissions Required"
              ],
              "url": "https://code.google.com/p/chromium/issues/detail?id=546677"
            },
            {
              "name": "http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html"
            },
            {
              "name": "openSUSE-SU-2016:0518",
              "refsource": "SUSE",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00119.html"
            },
            {
              "name": "DSA-3486",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://www.debian.org/security/2016/dsa-3486"
            },
            {
              "name": "83125",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/83125"
            },
            {
              "name": "RHSA-2016:0241",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0241.html"
            },
            {
              "name": "GLSA-201603-09",
              "refsource": "GENTOO",
              "tags": [],
              "url": "https://security.gentoo.org/glsa/201603-09"
            },
            {
              "name": "1035183",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id/1035183"
            },
            {
              "name": "openSUSE-SU-2016:0491",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00104.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2018-10-30T16:27Z",
      "publishedDate": "2016-02-14T02:59Z"
    }
  }
}

CVE-2016-1622 (GCVE-0-2016-1622)

Vulnerability from cvelistv5

Published

2016-02-14 02:00

Modified

2024-08-05 23:02

Severity ?

CWE

Summary

References

►

URL

Tags

	http://www.securityfocus.com/bid/83125	vdb-entry, x_refsource_BID
	http://www.securitytracker.com/id/1035183	vdb-entry, x_refsource_SECTRACK
	https://code.google.com/p/chromium/issues/detail?id=546677	x_refsource_CONFIRM
	http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html	x_refsource_CONFIRM
	https://security.gentoo.org/glsa/201603-09	vendor-advisory, x_refsource_GENTOO
	http://lists.opensuse.org/opensuse-updates/2016-02/msg00104.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-updates/2016-02/msg00119.html	vendor-advisory, x_refsource_SUSE
	http://www.debian.org/security/2016/dsa-3486	vendor-advisory, x_refsource_DEBIAN
	http://rhn.redhat.com/errata/RHSA-2016-0241.html	vendor-advisory, x_refsource_REDHAT
	https://codereview.chromium.org/1417513003	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website