CVE-2015-6786 in Chromeinfo

Summary

by MITRE

The CSPSourceList::matches function in WebKit/Source/core/frame/csp/CSPSourceList.cpp in the Content Security Policy (CSP) implementation in Google Chrome before 47.0.2526.73 accepts a blob:, data:, or filesystem: URL as a match for a * pattern, which allows remote attackers to bypass intended scheme restrictions in opportunistic circumstances by leveraging a policy that relies on this pattern.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 06/28/2022

The vulnerability identified as CVE-2015-6786 resides within the Content Security Policy implementation of Google Chrome, specifically within the WebKit rendering engine's CSPSourceList::matches function. This flaw represents a critical bypass mechanism that undermines the security controls designed to restrict resource loading based on URL schemes. The vulnerability affects Chrome versions prior to 47.0.2526.73, where the Content Security Policy enforcement mechanism fails to properly validate certain URL schemes when matching against wildcard patterns, creating an unexpected loophole in the security model.

The technical flaw manifests when the CSPSourceList::matches function processes URL patterns that include the asterisk wildcard character, which should theoretically match any scheme. However, the implementation incorrectly accepts blob:, data:, and filesystem: URLs as valid matches for the wildcard pattern, despite these being distinct and potentially dangerous schemes. This behavior violates the fundamental principle of URL scheme validation where each scheme should be treated distinctly based on its security characteristics and access permissions. The function fails to properly differentiate between these special URL schemes and conventional schemes like http or https, leading to a situation where attackers can exploit this inconsistency to bypass intended restrictions.

This vulnerability creates significant operational impact by allowing remote attackers to circumvent Content Security Policy restrictions that were designed to prevent loading resources from potentially malicious sources. The opportunistic nature of this attack means that exploitation is possible when a web application implements CSP policies that rely on wildcard patterns for scheme matching, particularly in scenarios where blob:, data:, or filesystem: URLs might be used to load content. Attackers can leverage this weakness to inject or execute malicious code by crafting CSP policies that appear to block dangerous schemes but inadvertently permit these special URL schemes to pass through the validation mechanism. The impact extends beyond simple bypass scenarios as it undermines the entire foundation of CSP-based security controls that organizations rely upon to prevent cross-site scripting and data injection attacks.

The vulnerability aligns with CWE-284, which addresses inadequate access control mechanisms, and specifically relates to improper validation of URL schemes within security policies. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and defense evasion, as it allows attackers to bypass security controls that would normally prevent execution of malicious content. The attack surface is particularly concerning in environments where CSP policies are used as primary defense mechanisms against XSS attacks, as the vulnerability essentially renders these policies ineffective against certain classes of attacks. Organizations implementing CSP policies that rely on wildcard patterns for scheme matching are particularly vulnerable to this type of attack, as the security model assumes that wildcard patterns will properly restrict all possible schemes while this flaw demonstrates that specific special schemes can bypass these restrictions.

Mitigation strategies should focus on immediate patching of affected Chrome versions to 47.0.2526.73 or later, where the vulnerability has been addressed through proper URL scheme validation in the CSP implementation. Security teams should also review existing CSP policies to identify any reliance on wildcard patterns for scheme matching and consider implementing more restrictive policies that explicitly enumerate allowed schemes rather than relying on broad patterns. Additionally, organizations should implement monitoring for unusual CSP violations and consider additional security layers such as strict CSP directives, subresource integrity checks, and regular security auditing of web applications to identify potential exploitation attempts. The fix implemented by Google involved strengthening the URL scheme validation logic to properly distinguish between special URL schemes and conventional schemes, ensuring that blob:, data:, and filesystem: URLs are not accepted as matches for wildcard patterns in CSP policy enforcement.

Reservation

08/31/2015

Disclosure

12/05/2015

Moderation

accepted

Entry

VDB-79369

CPE

ready

EPSS

0.01721

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!