Google Chrome up to 2.0.172.32 view-source CanRequestURL resource management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.1 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Google Chrome up to 2.0.172.32. It has been declared as problematic. This vulnerability affects the function ChildProcessSecurityPolicy::CanRequestURL of the component view-source. The manipulation leads to resource management.
This vulnerability was named CVE-2010-0664. There is no exploit available.
It is recommended to upgrade the affected component.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Details
A vulnerability was found in Google Chrome up to 2.0.172.32 (Web Browser). It has been classified as problematic. This affects the function ChildProcessSecurityPolicy::CanRequestURL of the component view-source. The manipulation with an unknown input leads to a resource management vulnerability. CWE is classifying the issue as CWE-399. This is going to have an impact on availability. The summary by CVE is:
Stack consumption vulnerability in the ChildProcessSecurityPolicy::CanRequestURL function in browser/child_process_security_policy.cc in Google Chrome before 4.0.249.78 allows remote attackers to cause a denial of service (memory consumption and application crash) via a URL that specifies multiple protocols, as demonstrated by a URL that begins with many repetitions of the view-source: substring.
The weakness was released 02/18/2010 by Michal Zalewski with Chromium Development Community (Website). It is possible to read the advisory at googlechromereleases.blogspot.com. This vulnerability is uniquely identified as CVE-2010-0664. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details of the vulnerability are known, but there is no available exploit.
The vulnerability scanner Nessus provides a plugin with the ID 44317 (Google Chrome < 4.0.249.78 Multiple Vulnerabilities), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows. The commercial vulnerability scanner Qualys is able to test this issue with plugin 116835 (Google Chrome Prior to 4.0.249.78 Multiple Security Vulnerabilities).
Upgrading to version 2.0.172.33 eliminates this vulnerability. The upgrade is hosted for download at chrome.google.com.
The vulnerability is also documented in the databases at X-Force (55989), Tenable (44317), SecurityFocus (BID 37948†), SecurityTracker (ID 1023506†) and Vulnerability Center (SBV-27363†). Entries connected to this vulnerability are available at VDB-51890, VDB-51889, VDB-51888 and VDB-51887. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Vendor
Name
Version
- 2.0.172.0
- 2.0.172.1
- 2.0.172.2
- 2.0.172.3
- 2.0.172.4
- 2.0.172.5
- 2.0.172.6
- 2.0.172.7
- 2.0.172.8
- 2.0.172.9
- 2.0.172.10
- 2.0.172.11
- 2.0.172.12
- 2.0.172.13
- 2.0.172.14
- 2.0.172.15
- 2.0.172.16
- 2.0.172.17
- 2.0.172.18
- 2.0.172.19
- 2.0.172.20
- 2.0.172.21
- 2.0.172.22
- 2.0.172.23
- 2.0.172.24
- 2.0.172.25
- 2.0.172.26
- 2.0.172.27
- 2.0.172.28
- 2.0.172.29
- 2.0.172.30
- 2.0.172.31
- 2.0.172.32
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.3VulDB Meta Temp Score: 5.1
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Resource managementCWE: CWE-399 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 44317
Nessus Name: Google Chrome < 4.0.249.78 Multiple Vulnerabilities
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 902121
OpenVAS Name: Google Chrome Multiple Vulnerabilities - (Win)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Chrome 2.0.172.33
Timeline
01/25/2010 🔍01/25/2010 🔍
02/18/2010 🔍
02/18/2010 🔍
02/18/2010 🔍
10/04/2010 🔍
03/18/2015 🔍
02/01/2025 🔍
Sources
Vendor: google.comProduct: google.com
Advisory: googlechromereleases.blogspot.com
Researcher: Michal Zalewski
Organization: Chromium Development Community
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2010-0664 (🔍)
GCVE (CVE): GCVE-0-2010-0664
GCVE (VulDB): GCVE-100-51891
OVAL: 🔍
X-Force: 55989
SecurityFocus: 37948 - Google Chrome prior to 4.0.249.78 Multiple Security Vulnerabilities
SecurityTracker: 1023506
Vulnerability Center: 27363 - Google Chrome before 4.0.249.78 Remote Stack Consumption Vulnerability, Medium
See also: 🔍
Entry
Created: 03/18/2015 03:15 PMUpdated: 02/01/2025 06:53 PM
Changes: 03/18/2015 03:15 PM (64), 03/06/2017 11:15 AM (10), 09/02/2021 02:41 PM (4), 09/02/2021 02:42 PM (1), 12/08/2024 05:14 AM (17), 02/01/2025 06:53 PM (2)
Complete: 🔍
Cache ID: 18:B7E:40
No comments yet. Languages: en.
Please log in to comment.