The Public Key Pinning (PKP) implementation in Google Chrome before 36.0.1985.143 on Windows, OS X, and Linux, and before 36.0.1985.135 on Android, does not correctly consider the properties of SPDY connections, which allows remote attackers to obtain sensitive information by leveraging the use of multiple domain names.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.01201.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
n/a n/a affected
Version Status Constraints
n/a affected

Configuration 1 [-]

AND
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
OR cpe:2.3:o:apple:mac_os_x:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*

No data.

No data.

Project Subscriptions

Vendors Products
Apple Subscribe
Iphone Os Subscribe
Mac Os X Subscribe
Debian Subscribe
Debian Linux Subscribe
Google Subscribe
Android Subscribe
Chrome Subscribe
Linux Subscribe
Linux Kernel Subscribe
Microsoft Subscribe
Windows Subscribe
Advisories
Source ID Title
Debian DSA Debian DSA DSA-3039-1 chromium-browser security update
EUVD EUVD EUVD-2014-3184 The Public Key Pinning (PKP) implementation in Google Chrome before 36.0.1985.143 on Windows, OS X, and Linux, and before 36.0.1985.135 on Android, does not correctly consider the properties of SPDY connections, which allows remote attackers to obtain sensitive information by leveraging the use of multiple domain names.
Ubuntu USN Ubuntu USN USN-2320-1 Oxide vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://googlechromereleases.blogspot.com/2014/08/chrome-for-android-update.html cve-icon cve-icon
http://googlechromereleases.blogspot.com/2014/08/chrome-for-ios-update.html cve-icon cve-icon
http://googlechromereleases.blogspot.com/2014/08/stable-channel-update.html cve-icon cve-icon
http://secunia.com/advisories/59693 cve-icon cve-icon
http://secunia.com/advisories/59904 cve-icon cve-icon
http://secunia.com/advisories/60685 cve-icon cve-icon
http://secunia.com/advisories/60798 cve-icon cve-icon
http://security.gentoo.org/glsa/glsa-201408-16.xml cve-icon cve-icon
http://www.debian.org/security/2014/dsa-3039 cve-icon cve-icon
http://www.ietf.org/mail-archive/web/tls/current/msg13345.html cve-icon cve-icon
http://www.securityfocus.com/bid/69202 cve-icon cve-icon
http://www.securitytracker.com/id/1030732 cve-icon cve-icon
https://code.google.com/p/chromium/issues/detail?id=398925 cve-icon cve-icon
https://src.chromium.org/viewvc/chrome?revision=286598&view=revision cve-icon cve-icon
https://src.chromium.org/viewvc/chrome?revision=288435&view=revision cve-icon cve-icon
History

No history.

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2024-08-06T10:35:56.615Z

Reserved: 2014-05-03T00:00:00.000Z

Link: CVE-2014-3166

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2014-08-13T04:57:12.613

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-3166

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses