CVE-2014-3166

high

Description

The Public Key Pinning (PKP) implementation in Google Chrome before 36.0.1985.143 on Windows, OS X, and Linux, and before 36.0.1985.135 on Android, does not correctly consider the properties of SPDY connections, which allows remote attackers to obtain sensitive information by leveraging the use of multiple domain names.

References

https://src.chromium.org/viewvc/chrome?revision=288435&view=revision

https://src.chromium.org/viewvc/chrome?revision=286598&view=revision

https://code.google.com/p/chromium/issues/detail?id=398925

http://www.securitytracker.com/id/1030732

http://www.securityfocus.com/bid/69202

http://www.ietf.org/mail-archive/web/tls/current/msg13345.html

http://www.debian.org/security/2014/dsa-3039

http://security.gentoo.org/glsa/glsa-201408-16.xml

http://secunia.com/advisories/60798

http://secunia.com/advisories/60685

http://secunia.com/advisories/59904

http://secunia.com/advisories/59693

http://googlechromereleases.blogspot.com/2014/08/stable-channel-update.html

http://googlechromereleases.blogspot.com/2014/08/chrome-for-ios-update.html

http://googlechromereleases.blogspot.com/2014/08/chrome-for-android-update.html

Details

Source: Mitre, NVD

Published: 2014-08-13

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High