Vulnerability Description
The Extensions subsystem in Google Chrome before 48.0.2564.109 does not prevent use of the Object.defineProperty method to override intended extension behavior, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Chrome | <= 48.0.2564.103 | |
| Debian | Debian Linux | 8.0 |
| Opensuse | Opensuse | 13.1 |
Related Weaknesses (CWE)
References
- http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00104.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00119.html
- http://rhn.redhat.com/errata/RHSA-2016-0241.html
- http://www.debian.org/security/2016/dsa-3486
- http://www.securityfocus.com/bid/83125
- http://www.securitytracker.com/id/1035183
- https://code.google.com/p/chromium/issues/detail?id=546677
- https://codereview.chromium.org/1417513003
- https://security.gentoo.org/glsa/201603-09
- http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00104.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00119.html
- http://rhn.redhat.com/errata/RHSA-2016-0241.html
- http://www.debian.org/security/2016/dsa-3486
FAQ
What is CVE-2016-1622?
CVE-2016-1622 is a vulnerability with a CVSS score of 8.8 (HIGH). The Extensions subsystem in Google Chrome before 48.0.2564.109 does not prevent use of the Object.defineProperty method to override intended extension behavior, which allows remote attackers to bypass...
How severe is CVE-2016-1622?
CVE-2016-1622 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-1622?
Check the references section above for vendor advisories and patch information. Affected products include: Google Chrome, Debian Debian Linux, Opensuse Opensuse.