{"containers": {"cna": {"affected": [{"product": "Google Chrome prior to 57.0.2987.98 for Mac, Windows and Linux, and 57.0.2987.108 for Android", "vendor": "n/a", "versions": [{"status": "affected", "version": "Google Chrome prior to 57.0.2987.98 for Mac, Windows and Linux, and 57.0.2987.108 for Android"}]}], "datePublic": "2017-03-09T00:00:00", "descriptions": [{"lang": "en", "value": "Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the unsafe-inline keyword."}], "problemTypes": [{"descriptions": [{"description": "insufficient policy enforcement", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html"}, {"tags": ["x_refsource_MISC"], "url": "https://twitter.com/Ma7h1as/status/907641276434063361"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://crbug.com/669086"}, {"name": "GLSA-201704-02", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201704-02"}, {"name": "DSA-3810", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3810"}, {"name": "96767", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96767"}, {"name": "RHSA-2017:0499", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0499.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "ID": "CVE-2017-5033", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Google Chrome prior to 57.0.2987.98 for Mac, Windows and Linux, and 57.0.2987.108 for Android", "version": {"version_data": [{"version_value": "Google Chrome prior to 57.0.2987.98 for Mac, Windows and Linux, and 57.0.2987.108 for Android"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the unsafe-inline keyword."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "insufficient policy enforcement"}]}]}, "references": {"reference_data": [{"name": "https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html", "refsource": "CONFIRM", "url": "https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html"}, {"name": "https://twitter.com/Ma7h1as/status/907641276434063361", "refsource": "MISC", "url": "https://twitter.com/Ma7h1as/status/907641276434063361"}, {"name": "https://crbug.com/669086", "refsource": "CONFIRM", "url": "https://crbug.com/669086"}, {"name": "GLSA-201704-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201704-02"}, {"name": "DSA-3810", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3810"}, {"name": "96767", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96767"}, {"name": "RHSA-2017:0499", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0499.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:47:44.424Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://twitter.com/Ma7h1as/status/907641276434063361"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://crbug.com/669086"}, {"name": "GLSA-201704-02", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201704-02"}, {"name": "DSA-3810", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2017/dsa-3810"}, {"name": "96767", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/96767"}, {"name": "RHSA-2017:0499", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0499.html"}]}]}, "cveMetadata": {"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "assignerShortName": "Chrome", "cveId": "CVE-2017-5033", "datePublished": "2017-04-24T23:00:00", "dateReserved": "2017-01-02T00:00:00", "dateUpdated": "2024-08-05T14:47:44.424Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B9559EF-FA8D-4452-BD04-243F0BD5389D", "versionEndIncluding": "57.0.2987.75", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "78D4802A-D418-48B0-AB99-B9F28C66F6C4", "versionEndIncluding": "57.0.2987.100", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "9BBCD86A-E6C7-4444-9D74-F861084090F0", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E5ED5807-55B7-47C5-97A6-03233F4FBC3A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the unsafe-inline keyword."}, {"lang": "es", "value": "Blink en Google Chrome, en versiones anteriores a la 57.0.2987.98 para Mac, Windows y Linux y 57.0.2987.108 para Android, no propagaba correctamente las restricciones CSP a las p\u00e1ginas de temas locales, lo que permit\u00eda que un atacante remoto omitiese la pol\u00edtica de seguridad de contenido (CSP) mediante una p\u00e1gina HTML manipulada. Esto est\u00e1 relacionado con la palabra clave de unsafe-inline."}], "id": "CVE-2017-5033", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-04-24T23:59:00.300", "references": [{"source": "chrome-cve-admin@google.com", "url": "http://rhn.redhat.com/errata/RHSA-2017-0499.html"}, {"source": "chrome-cve-admin@google.com", "url": "http://www.debian.org/security/2017/dsa-3810"}, {"source": "chrome-cve-admin@google.com", "url": "http://www.securityfocus.com/bid/96767"}, {"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://crbug.com/669086"}, {"source": "chrome-cve-admin@google.com", "url": "https://security.gentoo.org/glsa/201704-02"}, {"source": "chrome-cve-admin@google.com", "url": "https://twitter.com/Ma7h1as/status/907641276434063361"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2017-0499.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2017/dsa-3810"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/96767"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://crbug.com/669086"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201704-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://twitter.com/Ma7h1as/status/907641276434063361"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-281"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2017:0499", "cpe": "cpe:/a:redhat:rhel_extras:6", "package": "chromium-browser-0:57.0.2987.98-1.el6", "product_name": "Red Hat Enterprise Linux 6 Supplementary", "release_date": "2017-03-14T00:00:00Z"}], "bugzilla": {"description": "chromium-browser: bypass of content security policy in blink", "id": "1431042", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431042"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "details": ["Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the unsafe-inline keyword."], "name": "CVE-2017-5033", "public_date": "2017-03-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-5033\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-5033\nhttps://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html"], "threat_severity": "Moderate"}

{}