Vulnerability Description
The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome before 36.0.1985.125, does not properly restrict subresource requests associated with SVG files, which allows remote attackers to bypass the Same Origin Policy via a crafted file.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 7.0 |
| Chrome | 36.0.1985.1 |
Related Weaknesses (CWE)
References
- http://googlechromereleases.blogspot.com/2014/07/stable-channel-update.html
- http://secunia.com/advisories/60061
- http://secunia.com/advisories/60372
- http://security.gentoo.org/glsa/glsa-201408-16.xml
- http://www.debian.org/security/2014/dsa-3039
- http://www.securityfocus.com/bid/68677
- https://code.google.com/p/chromium/issues/detail?id=380885
- https://src.chromium.org/viewvc/blink?revision=176084&view=revision
- http://googlechromereleases.blogspot.com/2014/07/stable-channel-update.html
- http://secunia.com/advisories/60061
- http://secunia.com/advisories/60372
- http://security.gentoo.org/glsa/glsa-201408-16.xml
- http://www.debian.org/security/2014/dsa-3039
- http://www.securityfocus.com/bid/68677
- https://code.google.com/p/chromium/issues/detail?id=380885
FAQ
What is CVE-2014-3160?
CVE-2014-3160 is a vulnerability with a CVSS score of 6.8 (MEDIUM). The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome before 36.0.1985.125, does not properly restrict subresource requests associated with SVG ...
How severe is CVE-2014-3160?
CVE-2014-3160 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-3160?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Google Chrome.