1040340 – (CVE-2017-1000025) VUL-0: CVE-2017-1000025: epiphany: Remote exfiltration of stored passwords

Bug 1040340 (CVE-2017-1000025) - VUL-0: CVE-2017-1000025: epiphany: Remote exfiltration of stored passwords

Summary: VUL-0: CVE-2017-1000025: epiphany: Remote exfiltration of stored passwords

Status:	RESOLVED FIXED

Alias:	CVE-2017-1000025

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	openSUSE GNOME
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/185707/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2017-05-23 10:22 UTC by Johannes Segitz
Modified:	2024-06-10 18:04 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2017-05-23 10:22:22 UTC

CVE-2017-1000025

https://bugzilla.gnome.org/show_bug.cgi?id=752738
The page http://whatever.com has access to saved passwords of https://whatever.com. This was a very bad idea: it makes it easy to intercept passwords stored on secure websites, especially since we don't require any user interaction to fill in the password.

More details in the bug

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000000
http://seclists.org/oss-sec/2017/q2/314
https://github.com/distributedweaknessfiling/DWF-CVE-2017-1000000/blob/f2e15ac3468dd382d9ffa3d5acc032c106f3248c/CVE-2017-1000025.json

Comment 2 Camila Camargo de Matos 2024-06-10 18:04:29 UTC

Fixed in version 3.23.5 of epiphany.