CVE-2016-1697
First published: Thu Jun 02 2016(Updated: )
The FrameLoader::startLoad function in WebKit/Source/core/loader/FrameLoader.cpp in Blink, as used in Google Chrome before 51.0.2704.79, does not prevent frame navigations during DocumentLoader detach operations, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.
Credit: cve-coordination@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Chrome | <51.0.2704.79 | 51.0.2704.79 |
| Google Chrome | <=51.0.2704.63 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =15.10 | |
| Ubuntu Linux | =16.04 | |
| Debian | =8.0 | |
| SUSE openSUSE | =42.1 | |
| openSUSE libeconf | =13.2 | |
| Red Hat Enterprise Linux Desktop | =6.0 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Workstation | =6.0 | |
| SUSE Linux Enterprise Server | =12.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://code.google.com/p/chromium/issues/detail?id=613266
- http://googlechromereleases.blogspot.com/2016/06/stable-channel-update.html
- https://access.redhat.com/errata/RHSA-2016:1201
- https://bugzilla.redhat.com/show_bug.cgi?id=1342002
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00005.html
- http://www.debian.org/security/2016/dsa-3594
- http://www.securitytracker.com/id/1036026
- http://www.ubuntu.com/usn/USN-2992-1
- https://codereview.chromium.org/2021373003
- https://crbug.com/613266
Frequently Asked Questions
What is the severity of CVE-2016-1697?
CVE-2016-1697 is classified as a high severity vulnerability due to its potential for bypassing the Same Origin Policy.
How do I fix CVE-2016-1697?
To fix CVE-2016-1697, you need to upgrade to Google Chrome version 51.0.2704.79 or later.
What systems are affected by CVE-2016-1697?
CVE-2016-1697 affects Google Chrome versions prior to 51.0.2704.79 and specific Linux distributions such as Ubuntu, Debian, and openSUSE using older versions.
What types of attacks can exploit CVE-2016-1697?
CVE-2016-1697 can be exploited by remote attackers through crafted JavaScript to manipulate frame navigations.
Is CVE-2016-1697 still a concern for modern browsers?
CVE-2016-1697 is not a concern for modern browsers as browsers have since updated to versions that address this vulnerability.
- agent/references
- agent/type
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-1697
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- package-manager/redhat
- vendor/google
- canonical/google chrome
- version/google chrome/51.0.2704.63
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/14.04
- version/ubuntu linux/15.10
- version/ubuntu linux/16.04
- vendor/debian
- canonical/debian
- version/debian/8.0
- vendor/opensuse
- canonical/suse opensuse
- version/suse opensuse/42.1
- canonical/opensuse libeconf
- version/opensuse libeconf/13.2
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/6.0
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/6.0
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/6.0
- vendor/suse
- canonical/suse linux enterprise server
- version/suse linux enterprise server/12.0