CVE-2017-5120
Last modified
CVE-2017-5120 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Inappropriate use of www mismatch redirects in browser navigation in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, allowed a remote attacker to potentially downgrade HTTPS requests to HTTP via a crafted HTML page. In other words, Chrome could transmit cleartext even though the user had entered an https URL, because of a misdesigned workaround for cases where the domain name in a URL almost matches the domain name in an X.509 server certificate (but differs in the initial "www." substring).. EPSS estimates a 1.13% chance of exploitation in the next 30 days.
Description
Inappropriate use of www mismatch redirects in browser navigation in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, allowed a remote attacker to potentially downgrade HTTPS requests to HTTP via a crafted HTML page. In other words, Chrome could transmit cleartext even though the user had entered an https URL, because of a misdesigned workaround for cases where the domain name in a URL almost matches the domain name in an X.509 server certificate (but differs in the initial "www." substring).
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Chrome | < 61.0.3163.79 | |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Chrome | < 61.0.3163.81 | |
| Redhat | Enterprise Linux Desktop | 6.0 |
| Redhat | Enterprise Linux Server | 6.0 |
| Redhat | Enterprise Linux Workstation | 6.0 |
References
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-5120?
How severe is CVE-2017-5120?
How do I fix CVE-2017-5120?
Are you affected by CVE-2017-5120?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST