CVE-2017-5118

Published: Oct 27, 2017Modified: May 13, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Blink in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, failed to correctly propagate CSP restrictions to javascript scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page.

Affected (7)

Products: Google: Chrome · Debian: Debian Linux · Redhat: Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Workstation

1 product

1 product

3 products

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

Configuration A

1 vulnerable · 3 platform

Vulnerable Software	Affected Versions
Google Chrome	Before 61.0.3163.79

Running on/with	Platform Versions
Apple Macos	All versions
Linux Linux Kernel	All versions
Microsoft Windows	All versions

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Google Chrome	Before 61.0.3163.81

Running on/with	Platform Versions
Google Android	All versions

Configuration D

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 6.0
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Workstation	Version 6.0

Related CWEs

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (14)

http://www.debian.org/security/2017/dsa-3985

Source: chrome-cve-admin@google.com

http://www.securityfocus.com/bid/100610

Source: chrome-cve-admin@google.com

http://www.securitytracker.com/id/1039291

Source: chrome-cve-admin@google.com

https://access.redhat.com/errata/RHSA-2017:2676

Source: chrome-cve-admin@google.com

https://chromereleases.googleblog.com/2017/09/stable-channel-update-for-desktop.html

Source: chrome-cve-admin@google.com

https://crbug.com/747847

Source: chrome-cve-admin@google.com

https://security.gentoo.org/glsa/201709-15

Source: chrome-cve-admin@google.com

http://www.debian.org/security/2017/dsa-3985

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/100610

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securitytracker.com/id/1039291

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/errata/RHSA-2017:2676

Source: af854a3a-2127-422b-91ae-364da2661108

https://chromereleases.googleblog.com/2017/09/stable-channel-update-for-desktop.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://crbug.com/747847

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/201709-15

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.