CVE-2015-1302 - Vulnerability Details - OpenCVE

The PDF viewer in Google Chrome before 46.0.2490.86 does not properly restrict scripting messages and API exposure, which allows remote attackers to bypass the Same Origin Policy via an unintended embedder or unintended plugin loading, related to pdf.js and out_of_process_instance.cc.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Google	Chrome
Redhat	Rhel Extras

Configuration 1 [-]

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 6 Supplementary
chromium-browser-0:45.0.2454.101-1.el6	cpe:/a:redhat:rhel_extras:6	RHSA-2015:1841	2015-09-29T00:00:00Z

References

Link	Providers
http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html
http://lists.opensuse.org/opensuse-updates/2015-11/msg00120.html
http://lists.opensuse.org/opensuse-updates/2015-11/msg00121.html
http://rhn.redhat.com/errata/RHSA-2015-1841.html
http://www.debian.org/security/2015/dsa-3415
http://www.securityfocus.com/bid/77537
http://www.securitytracker.com/id/1034132
https://code.google.com/p/chromium/issues/detail?id=520422
https://codereview.chromium.org/1316803003
https://nvd.nist.gov/vuln/detail/CVE-2015-1302
https://security.gentoo.org/glsa/201603-09
https://www.cve.org/CVERecord?id=CVE-2015-1302

History

No history.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2015-11-11T11:00:00

Updated: 2024-08-06T04:40:18.550Z

Reserved: 2015-01-21T00:00:00

Link: CVE-2015-1302

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-11-11T11:59:00.103

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-1302

Redhat

Severity : Important

Publid Date: 2015-11-10T00:00:00Z

Links: CVE-2015-1302 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-11-10T00:00:00", "descriptions": [{"lang": "en", "value": "The PDF viewer in Google Chrome before 46.0.2490.86 does not properly restrict scripting messages and API exposure, which allows remote attackers to bypass the Same Origin Policy via an unintended embedder or unintended plugin loading, related to pdf.js and out_of_process_instance.cc."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome"}, "references": [{"name": "openSUSE-SU-2015:2069", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00121.html"}, {"name": "RHSA-2015:1841", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1841.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://code.google.com/p/chromium/issues/detail?id=520422"}, {"name": "openSUSE-SU-2015:2068", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00120.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://codereview.chromium.org/1316803003"}, {"name": "1034132", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1034132"}, {"name": "GLSA-201603-09", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201603-09"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html"}, {"name": "DSA-3415", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3415"}, {"name": "77537", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/77537"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "ID": "CVE-2015-1302", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The PDF viewer in Google Chrome before 46.0.2490.86 does not properly restrict scripting messages and API exposure, which allows remote attackers to bypass the Same Origin Policy via an unintended embedder or unintended plugin loading, related to pdf.js and out_of_process_instance.cc."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2015:2069", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00121.html"}, {"name": "RHSA-2015:1841", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1841.html"}, {"name": "https://code.google.com/p/chromium/issues/detail?id=520422", "refsource": "CONFIRM", "url": "https://code.google.com/p/chromium/issues/detail?id=520422"}, {"name": "openSUSE-SU-2015:2068", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00120.html"}, {"name": "https://codereview.chromium.org/1316803003", "refsource": "CONFIRM", "url": "https://codereview.chromium.org/1316803003"}, {"name": "1034132", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034132"}, {"name": "GLSA-201603-09", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201603-09"}, {"name": "http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html", "refsource": "CONFIRM", "url": "http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html"}, {"name": "DSA-3415", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3415"}, {"name": "77537", "refsource": "BID", "url": "http://www.securityfocus.com/bid/77537"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T04:40:18.550Z"}, "title": "CVE Program Container", "references": [{"name": "openSUSE-SU-2015:2069", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00121.html"}, {"name": "RHSA-2015:1841", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1841.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://code.google.com/p/chromium/issues/detail?id=520422"}, {"name": "openSUSE-SU-2015:2068", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00120.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://codereview.chromium.org/1316803003"}, {"name": "1034132", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1034132"}, {"name": "GLSA-201603-09", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201603-09"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html"}, {"name": "DSA-3415", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3415"}, {"name": "77537", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/77537"}]}]}, "cveMetadata": {"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "assignerShortName": "Chrome", "cveId": "CVE-2015-1302", "datePublished": "2015-11-11T11:00:00", "dateReserved": "2015-01-21T00:00:00", "dateUpdated": "2024-08-06T04:40:18.550Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "D21D379E-92B7-4505-959C-1C08C36DC0A8", "versionEndIncluding": "46.0.2490.80", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The PDF viewer in Google Chrome before 46.0.2490.86 does not properly restrict scripting messages and API exposure, which allows remote attackers to bypass the Same Origin Policy via an unintended embedder or unintended plugin loading, related to pdf.js and out_of_process_instance.cc."}, {"lang": "es", "value": "El visor PDF en Google Chrome en versiones anteriores a 46.0.2490.86 no restringe adecuadamente mensajes de programaci\u00f3n de secuencias de comandos y la exposici\u00f3n de la API, lo que permite a atacantes remotos eludir la Same Origin Policy a trav\u00e9s de un embedder no intencionado o de la carga de un plugin no intencionado, relacionado con pdf.js y out_of_process_instance.cc."}], "id": "CVE-2015-1302", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-11-11T11:59:00.103", "references": [{"source": "chrome-cve-admin@google.com", "url": "http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html"}, {"source": "chrome-cve-admin@google.com", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00120.html"}, {"source": "chrome-cve-admin@google.com", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00121.html"}, {"source": "chrome-cve-admin@google.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-1841.html"}, {"source": "chrome-cve-admin@google.com", "url": "http://www.debian.org/security/2015/dsa-3415"}, {"source": "chrome-cve-admin@google.com", "url": "http://www.securityfocus.com/bid/77537"}, {"source": "chrome-cve-admin@google.com", "url": "http://www.securitytracker.com/id/1034132"}, {"source": "chrome-cve-admin@google.com", "url": "https://code.google.com/p/chromium/issues/detail?id=520422"}, {"source": "chrome-cve-admin@google.com", "url": "https://codereview.chromium.org/1316803003"}, {"source": "chrome-cve-admin@google.com", "url": "https://security.gentoo.org/glsa/201603-09"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00120.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00121.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2015-1841.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3415"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/77537"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1034132"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://code.google.com/p/chromium/issues/detail?id=520422"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://codereview.chromium.org/1316803003"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201603-09"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}