Information disclosure in Google Chrome
CVE-2016-1677
uri.js in Google V8 before 5.1.281.26, as used in Google Chrome before 51.0.2704.63, uses an incorrect array type, which allows remote attackers to obtain sensitive information by calling the decodeURI function and leveraging "type confusi…
Vulnerability class: Information Disclosure
EPSS: 0.126 (94.1th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.
Affected products
- Google Chrome
- Google V8
- Canonical Ubuntu_linux — versions 14.04, 15.10, 16.04
- Debian Debian_linux — versions 8.0
- Opensuse Leap — versions 42.1
- Opensuse — versions 13.2
- Redhat Enterprise_linux_desktop — versions 6.0
- Redhat Enterprise_linux_server — versions 6.0
- Redhat Enterprise_linux_workstation — versions 6.0
- Suse Linux_enterprise — versions 12.0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- chrome-cve-admin@google.com (x_refsource_CONFIRM)
- 90876 (vdb-entry, x_refsource_BID)
- chrome-cve-admin@google.com (x_refsource_CONFIRM)
- openSUSE-SU-2016:1496 (vendor-advisory, x_refsource_SUSE)
- 1035981 (vdb-entry, x_refsource_SECTRACK)
- DSA-3590 (vendor-advisory, x_refsource_DEBIAN)
- chrome-cve-admin@google.com (x_refsource_CONFIRM)
- USN-2992-1 (x_refsource_UBUNTU, vendor-advisory)
- openSUSE-SU-2016:1430 (vendor-advisory, x_refsource_SUSE)
- RHSA-2016:1190 (x_refsource_REDHAT, vendor-advisory)
Frequently asked questions
- What is CVE-2016-1677?
- CVE-2016-1677 is a medium-severity vulnerability in Google Chrome, classified under Information Disclosure. CVSS score: 6.5/10. Published 2016-06-05.
- How severe is CVE-2016-1677?
- Medium severity. CVSS v3 base score is 6.5 out of 10.
- Is CVE-2016-1677 known to be exploited?
- 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.