CVE-2017-5020

Publication date 17 February 2017

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

6.1 · Medium

Score breakdown

Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to require a user gesture for powerful download operations, which allowed a remote attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted HTML page.

Status

Package Ubuntu Release Status
chromium-browser 17.04 zesty
Fixed 56.0.2924.76-0ubuntu2.1343
16.10 yakkety
Fixed 56.0.2924.76-0ubuntu0.16.10.1335
16.04 LTS xenial
Fixed 56.0.2924.76-0ubuntu0.16.04.1268
14.04 LTS trusty
Fixed 58.0.3029.81-0ubuntu0.14.04.1172
12.04 LTS precise Ignored
oxide-qt 17.04 zesty
Not affected
16.10 yakkety
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty Not in release
12.04 LTS precise Not in release

Severity score breakdown

Parameter Value
Base score 6.1 · Medium
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity impact Low
Availability impact None
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N