CVE-2016-2845 — Vulnetix

Try Vulnetix Request Demo

CVE-2016-2845 PUBLISHED

The Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 49.0.2623.75, does not ignore a URL's path component in the case of a ServiceWorker fetch, which allows remote attackers to obtain sensitive information about visited web pages by reading CSP violation reports, related to FrameFetchContext.cpp and ResourceFetcher.cpp.

EPSS 0.65% · 70.6th percentile

Risk Scores

EPSS Score

0.65%

70.6th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:14.04:LTS	chromium-browser	0, 29.0.1547.65-0ubuntu2, 31.0.1650.63-0ubuntu1~20131204.1
Ubuntu:14.04:LTS	oxide-qt	0, 1.0.0~bzr437-0ubuntu1, 1.0.0~bzr452-0ubuntu1

Timeline

Mar 5, 2016 CVE Published
Feb 4, 2022 EPSS Score
Mar 28, 2022 EPSS Score
May 19, 2022 EPSS Score
Jul 10, 2022 EPSS Score
Sep 1, 2022 EPSS Score
Oct 23, 2022 EPSS Score
Dec 14, 2022 EPSS Score
Feb 4, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 28, 2023 EPSS Score
May 19, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2016-2845 third-party-advisory
https://codereview.chromium.org/1454003003/ third-party-advisory
https://code.google.com/p/chromium/issues/detail?id=591402 third-party-advisory
https://bugs.chromium.org/p/chromium/issues/detail?id=542060 third-party-advisory
http://homakov.blogspot.com/2014/01/using-content-security-policy-for-evil.html third-party-advisory
http://googlechromereleases.blogspot.com/2016/03/stable-channel-update.html third-party-advisory
https://ubuntu.com/security/notices/USN-2920-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2016-2845 third-party-advisory

Open in Interactive Console →