Vulnerability Name: | CVE-2016-7153 (CCN-116623) | ||||||||||||||||||||
Assigned: | 2016-08-03 | ||||||||||||||||||||
Published: | 2016-08-03 | ||||||||||||||||||||
Updated: | 2017-02-19 | ||||||||||||||||||||
Summary: | The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack. | ||||||||||||||||||||
CVSS v3 Severity: | 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) 4.9 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C)
4.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C)
| ||||||||||||||||||||
CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
| ||||||||||||||||||||
Vulnerability Type: | CWE-200 | ||||||||||||||||||||
Vulnerability Consequences: | Obtain Information | ||||||||||||||||||||
References: | Source: CCN Type: Ars Technica Web site New attack steals SSNs, e-mail addresses, and more from HTTPS pages Source: MISC Type: Technical Description http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/ Source: MITRE Type: CNA CVE-2016-7153 Source: CCN Type: IBM Security Bulletin 2000816 (Application Performance Management) A vulnerability in the Firefox component of the Synthetic Playback agent affects IBM Performance Management products. Source: BID Type: UNKNOWN 92773 Source: CCN Type: BID-92773 HTTP/2 CVE-2016-7153 Information Disclosure Vulnerability Source: SECTRACK Type: UNKNOWN 1036741 Source: SECTRACK Type: UNKNOWN 1036742 Source: SECTRACK Type: UNKNOWN 1036743 Source: SECTRACK Type: UNKNOWN 1036744 Source: SECTRACK Type: UNKNOWN 1036745 Source: SECTRACK Type: UNKNOWN 1036746 Source: XF Type: UNKNOWN multiple-browsers-cve20167153-info-disc(116623) Source: MISC Type: Technical Description https://tom.vg/papers/heist_blackhat2016.pdf | ||||||||||||||||||||
Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration 3: Configuration 4: Configuration 5: Configuration CCN 1: Denotes that component is vulnerable | ||||||||||||||||||||
Oval Definitions | |||||||||||||||||||||
| |||||||||||||||||||||
BACK |