CVE-2016-5173 - Vulnerability Details - OpenCVE

The extensions subsystem in Google Chrome before 53.0.2785.113 does not properly restrict access to Object.prototype, which allows remote attackers to load unintended resources, and consequently trigger unintended JavaScript function calls and bypass the Same Origin Policy via an indirect interception attack.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Google	Chrome
Redhat	Rhel Extras

Configuration 1 [-]

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 6 Supplementary
chromium-browser-0:53.0.2785.113-1.el6	cpe:/a:redhat:rhel_extras:6	RHSA-2016:1905	2016-09-16T00:00:00Z

References

Link	Providers
http://rhn.redhat.com/errata/RHSA-2016-1905.html
http://www.debian.org/security/2016/dsa-3667
http://www.securityfocus.com/bid/92942
http://www.securitytracker.com/id/1036826
https://codereview.chromium.org/1840453002
https://crbug.com/468931
https://crbug.com/471523
https://crbug.com/497507
https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desktop_13.html
https://nvd.nist.gov/vuln/detail/CVE-2016-5173
https://security.gentoo.org/glsa/201610-09
https://www.cve.org/CVERecord?id=CVE-2016-5173

History

No history.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2016-09-25T20:00:00

Updated: 2024-08-06T00:53:48.201Z

Reserved: 2016-05-31T00:00:00

Link: CVE-2016-5173

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2016-09-25T20:59:05.807

Modified: 2025-04-12T10:46:40.837

Link: CVE-2016-5173

Redhat

Severity : Moderate

Publid Date: 2016-09-13T00:00:00Z

Links: CVE-2016-5173 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-09-13T00:00:00", "descriptions": [{"lang": "en", "value": "The extensions subsystem in Google Chrome before 53.0.2785.113 does not properly restrict access to Object.prototype, which allows remote attackers to load unintended resources, and consequently trigger unintended JavaScript function calls and bypass the Same Origin Policy via an indirect interception attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome"}, "references": [{"name": "DSA-3667", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3667"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://codereview.chromium.org/1840453002"}, {"name": "1036826", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1036826"}, {"name": "92942", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/92942"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desktop_13.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://crbug.com/468931"}, {"tags": ["x_refsource_MISC"], "url": "https://crbug.com/497507"}, {"name": "GLSA-201610-09", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201610-09"}, {"name": "RHSA-2016:1905", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1905.html"}, {"tags": ["x_refsource_MISC"], "url": "https://crbug.com/471523"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "ID": "CVE-2016-5173", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The extensions subsystem in Google Chrome before 53.0.2785.113 does not properly restrict access to Object.prototype, which allows remote attackers to load unintended resources, and consequently trigger unintended JavaScript function calls and bypass the Same Origin Policy via an indirect interception attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-3667", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3667"}, {"name": "https://codereview.chromium.org/1840453002", "refsource": "CONFIRM", "url": "https://codereview.chromium.org/1840453002"}, {"name": "1036826", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1036826"}, {"name": "92942", "refsource": "BID", "url": "http://www.securityfocus.com/bid/92942"}, {"name": "https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desktop_13.html", "refsource": "CONFIRM", "url": "https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desktop_13.html"}, {"name": "https://crbug.com/468931", "refsource": "CONFIRM", "url": "https://crbug.com/468931"}, {"name": "https://crbug.com/497507", "refsource": "MISC", "url": "https://crbug.com/497507"}, {"name": "GLSA-201610-09", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201610-09"}, {"name": "RHSA-2016:1905", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-1905.html"}, {"name": "https://crbug.com/471523", "refsource": "MISC", "url": "https://crbug.com/471523"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T00:53:48.201Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-3667", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3667"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://codereview.chromium.org/1840453002"}, {"name": "1036826", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1036826"}, {"name": "92942", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/92942"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desktop_13.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://crbug.com/468931"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://crbug.com/497507"}, {"name": "GLSA-201610-09", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201610-09"}, {"name": "RHSA-2016:1905", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1905.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://crbug.com/471523"}]}]}, "cveMetadata": {"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "assignerShortName": "Chrome", "cveId": "CVE-2016-5173", "datePublished": "2016-09-25T20:00:00", "dateReserved": "2016-05-31T00:00:00", "dateUpdated": "2024-08-06T00:53:48.201Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC271026-1CD7-42F7-8754-1C5144AD590B", "versionEndIncluding": "53.0.2785.101", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The extensions subsystem in Google Chrome before 53.0.2785.113 does not properly restrict access to Object.prototype, which allows remote attackers to load unintended resources, and consequently trigger unintended JavaScript function calls and bypass the Same Origin Policy via an indirect interception attack."}, {"lang": "es", "value": "El subsistema de extensiones en Google Chrome en versiones anteriores a 53.0.2785.113 no restringe adecuadamente el acceso a Object.prototype, lo que permite a atacantes remotos cargar recursos no intencionados y consecuentemente desencadenar llamas de funci\u00f3n JavaScript no intencionadas y eludir la Same Origin Policy a trav\u00e9s de un ataque de interceptaci\u00f3n indirecto."}], "id": "CVE-2016-5173", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-09-25T20:59:05.807", "references": [{"source": "chrome-cve-admin@google.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-1905.html"}, {"source": "chrome-cve-admin@google.com", "url": "http://www.debian.org/security/2016/dsa-3667"}, {"source": "chrome-cve-admin@google.com", "url": "http://www.securityfocus.com/bid/92942"}, {"source": "chrome-cve-admin@google.com", "url": "http://www.securitytracker.com/id/1036826"}, {"source": "chrome-cve-admin@google.com", "url": "https://codereview.chromium.org/1840453002"}, {"source": "chrome-cve-admin@google.com", "url": "https://crbug.com/468931"}, {"source": "chrome-cve-admin@google.com", "url": "https://crbug.com/471523"}, {"source": "chrome-cve-admin@google.com", "url": "https://crbug.com/497507"}, {"source": "chrome-cve-admin@google.com", "url": "https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desktop_13.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://security.gentoo.org/glsa/201610-09"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-1905.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3667"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/92942"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1036826"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://codereview.chromium.org/1840453002"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://crbug.com/468931"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://crbug.com/471523"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://crbug.com/497507"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desktop_13.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201610-09"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}