Executive Summary
Summary | |
---|---|
Title | Proxy auto-config (PAC) files have access to full HTTPS URLs |
Informations | |||
---|---|---|---|
Name | VU#877625 | First vendor Publication | 2016-08-04 |
Vendor | VU-CERT | Last vendor Modification | 2016-08-30 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#877625Proxy auto-config (PAC) files have access to full HTTPS URLsOverviewWeb proxy auto-config (PAC) files are passed the full HTTPS URL in GET requests which may expose sensitive data. Description
Impact
Solution
Vendor Information (Learn More)
CVSS Metrics (Learn More)
References
CreditThanks to Bas Venis for reporting this vulnerability. We also would like to thank Itzik Kotler and Amit Klien for their presentation at Black Hat 2016, and Alex Chapman and Paul Stone for their presentation at DEF CON 24 This document was written by Trent Novelly. Other Information
FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email. |
Original Source
Url : http://www.kb.cert.org/vuls/id/877625 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-200 | Information Exposure |
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-10-31 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201610-09.nasl - Type : ACT_GATHER_INFO |
2016-08-08 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-3041-1.nasl - Type : ACT_GATHER_INFO |
2016-08-02 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3637.nasl - Type : ACT_GATHER_INFO |
2016-08-01 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-919.nasl - Type : ACT_GATHER_INFO |
2016-07-29 | Name : A web browser installed on the remote Windows host is affected by multiple vu... File : google_chrome_52_0_2743_82.nasl - Type : ACT_GATHER_INFO |
2016-07-29 | Name : A web browser installed on the remote Mac OS X host is affected by multiple v... File : macosx_google_chrome_52_0_2743_82.nasl - Type : ACT_GATHER_INFO |
2016-07-26 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-900.nasl - Type : ACT_GATHER_INFO |
2016-07-26 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-901.nasl - Type : ACT_GATHER_INFO |
2016-07-26 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2016-1485.nasl - Type : ACT_GATHER_INFO |
2016-07-25 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_6fae9fe1504811e68aa73065ec8fd3ec.nasl - Type : ACT_GATHER_INFO |
2016-05-24 | Name : The remote device is affected by multiple vulnerabilities. File : appletv_9_2_1.nasl - Type : ACT_GATHER_INFO |
2016-05-19 | Name : The remote Mac OS X host is affected by multiple vulnerabilities. File : macosx_10_11_5.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2016-08-30 21:24:54 |
|
2016-08-04 21:23:49 |
|