Google Chrome CVE-2015-6785 Weak Authentication Vulnerability

description-logoDescription

The CSPSource::hostMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Google Chrome before 47.0.2526.73 accepts an x.y hostname as a match for a *.x.y pattern, which might allow remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging a policy that was intended to be specific to subdomains.

affected-products-logoAffected Applications

Google Chrome

CVE References

CVE-2015-6785