CVE-2017-5042

LOW

Description

Cast in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android sent cookies to sites discovered via SSDP, which allowed an attacker on the local network segment to initiate connections to arbitrary URLs and observe any plaintext cookies sent.

References

http://rhn.redhat.com/errata/RHSA-2017-0499.html

http://www.debian.org/security/2017/dsa-3810

http://www.securityfocus.com/bid/96767

https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html

https://crbug.com/671932

https://security.gentoo.org/glsa/201704-02

Details

Source: MITRE

Published: 2017-04-24

Updated: 2018-01-05

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 3.3

Vector: (AV:A/AC:L/Au:N/C:P/I:N/A:N)

Impact Score: 2.9

Exploitability Score: 6.5

Severity: LOW

CVSS v3.0

Base Score: 5.7

Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 2.1

Severity: MEDIUM