CVE-2018-16073 - OpenCVE

Insufficient policy enforcement in site isolation in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass site isolation via a crafted HTML page.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Google	Chrome

Configuration 1 [-]

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

References

Link	Resource
https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop.html
https://crbug.com/863069

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Chrome

Published: 2019-06-27T16:13:41

Updated: 2019-06-27T16:13:41

Reserved: 2018-08-29T00:00:00

Link: CVE-2018-16073

JSON object: View

NVD Information

Status : Modified

Published: 2019-06-27T17:15:11.507

Modified: 2023-11-07T02:53:31.343

Link: CVE-2018-16073

JSON object: View

Redhat Information

No data.

CWE

CWE-285

{"containers": {"cna": {"affected": [{"product": "Chrome", "vendor": "Google", "versions": [{"lessThan": "69.0.3497.81", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in site isolation in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass site isolation via a crafted HTML page."}], "problemTypes": [{"descriptions": [{"description": "Insufficient policy enforcement", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-27T16:13:41", "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop.html"}, {"tags": ["x_refsource_MISC"], "url": "https://crbug.com/863069"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "ID": "CVE-2018-16073", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Chrome", "version": {"version_data": [{"version_affected": "<", "version_value": "69.0.3497.81"}]}}]}, "vendor_name": "Google"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Insufficient policy enforcement in site isolation in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass site isolation via a crafted HTML page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Insufficient policy enforcement"}]}]}, "references": {"reference_data": [{"name": "https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop.html", "refsource": "MISC", "url": "https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop.html"}, {"name": "https://crbug.com/863069", "refsource": "MISC", "url": "https://crbug.com/863069"}]}}}}, "cveMetadata": {"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "assignerShortName": "Chrome", "cveId": "CVE-2018-16073", "datePublished": "2019-06-27T16:13:41", "dateReserved": "2018-08-29T00:00:00", "dateUpdated": "2019-06-27T16:13:41", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "ECB006CE-58CC-4333-A303-C265D2B5EFC6", "versionEndExcluding": "69.0.3497.81", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in site isolation in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass site isolation via a crafted HTML page."}, {"lang": "es", "value": "La aplicaci\u00f3n insuficiente de pol\u00edticas en el aislamiento del sitio en Google Chrome antes de 69.0.3497.81 permiti\u00f3 a un atacante remoto omitir el aislamiento del sitio a trav\u00e9s de una p\u00e1gina HTML dise\u00f1ada."}], "id": "CVE-2018-16073", "lastModified": "2023-11-07T02:53:31.343", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-27T17:15:11.507", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://crbug.com/863069"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "nvd@nist.gov", "type": "Primary"}]}