CVE-2017-5033

Published: Apr 24, 2017Modified: May 13, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the unsafe-inline keyword.

Affected (7)

Products: Google: Chrome · Debian: Debian Linux · Redhat: Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Workstation

1 product

1 product

3 products

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

Configuration A

1 vulnerable · 3 platform

Vulnerable Software	Affected Versions
Google Chrome	Up to 57.0.2987.75

Running on/with	Platform Versions
Apple Macos	All versions
Linux Linux Kernel	All versions
Microsoft Windows	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Google Chrome	Up to 57.0.2987.100

Running on/with	Platform Versions
Google Android	All versions

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration D

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 6.0
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Workstation	Version 6.0

Related CWEs

Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

References (14)

http://rhn.redhat.com/errata/RHSA-2017-0499.html

Source: chrome-cve-admin@google.com

http://www.debian.org/security/2017/dsa-3810

Source: chrome-cve-admin@google.com

http://www.securityfocus.com/bid/96767

Source: chrome-cve-admin@google.com

https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html

Source: chrome-cve-admin@google.com

https://crbug.com/669086

Source: chrome-cve-admin@google.com

https://security.gentoo.org/glsa/201704-02

Source: chrome-cve-admin@google.com

https://twitter.com/Ma7h1as/status/907641276434063361

Source: chrome-cve-admin@google.com

http://rhn.redhat.com/errata/RHSA-2017-0499.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2017/dsa-3810

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/96767

Source: af854a3a-2127-422b-91ae-364da2661108

https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://crbug.com/669086

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/201704-02

Source: af854a3a-2127-422b-91ae-364da2661108

https://twitter.com/Ma7h1as/status/907641276434063361

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.