cnvd - cnvd-2017-02748

CNVD-2017-02748

Vulnerability from cnvd - Published: 2017-03-15

Title

Yandex Browser for desktop安全绕过漏洞

Description

Yandex Browser for desktop是俄罗斯Yandex公司的一款桌面版浏览器。 Yandex Browser for desktop 17.1.1.227之前的版本存在安全漏洞。攻击者可利用该漏洞阻止恶意网站上出现保护警告。

Severity

中

Patch Name

Yandex Browser for desktop安全绕过漏洞的补丁

Patch Description

Yandex Browser for desktop是俄罗斯Yandex公司的一款桌面版浏览器。 Yandex Browser for desktop 17.1.1.227之前的版本存在安全漏洞。攻击者可利用该漏洞阻止恶意网站上出现保护警告。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： https://yandex.com/blog/security-changelogs/fixed-in-version-17-1

Reference

https://yandex.com/blog/security-changelogs/fixed-in-version-17-1

Impacted products

Name
['Yandex Browser 16.1', 'Yandex Browser 16.0', 'Yandex Browser 15.12', 'Yandex Browser 15.11', 'Yandex Browser 15.10', 'Yandex Browser 16.8', 'Yandex Browser 16.7', 'Yandex Browser 16.9', 'Yandex Browser 16.6', 'Yandex Browser 16.5', 'Yandex Browser 16.4', 'Yandex Browser 16.2', 'Yandex Browser 13.1']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "96514"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-8508"
    }
  },
  "description": "Yandex Browser for desktop\u662f\u4fc4\u7f57\u65afYandex\u516c\u53f8\u7684\u4e00\u6b3e\u684c\u9762\u7248\u6d4f\u89c8\u5668\u3002\r\n\r\nYandex Browser for desktop 17.1.1.227\u4e4b\u524d\u7684\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u963b\u6b62\u6076\u610f\u7f51\u7ad9\u4e0a\u51fa\u73b0\u4fdd\u62a4\u8b66\u544a\u3002",
  "discovererName": "Oleynik Yaroslav",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://yandex.com/blog/security-changelogs/fixed-in-version-17-1",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-02748",
  "openTime": "2017-03-15",
  "patchDescription": "Yandex Browser for desktop\u662f\u4fc4\u7f57\u65afYandex\u516c\u53f8\u7684\u4e00\u6b3e\u684c\u9762\u7248\u6d4f\u89c8\u5668\u3002\r\n\r\nYandex Browser for desktop 17.1.1.227\u4e4b\u524d\u7684\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u963b\u6b62\u6076\u610f\u7f51\u7ad9\u4e0a\u51fa\u73b0\u4fdd\u62a4\u8b66\u544a\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Yandex Browser for desktop\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Yandex Browser 16.1",
      "Yandex Browser  16.0",
      "Yandex Browser  15.12",
      "Yandex Browser 15.11",
      "Yandex Browser  15.10",
      "Yandex Browser 16.8",
      "Yandex Browser  16.7",
      "Yandex Browser 16.9",
      "Yandex Browser  16.6",
      "Yandex Browser  16.5",
      "Yandex Browser  16.4",
      "Yandex Browser  16.2",
      "Yandex Browser  13.1"
    ]
  },
  "referenceLink": "https://yandex.com/blog/security-changelogs/fixed-in-version-17-1",
  "serverity": "\u4e2d",
  "submitTime": "2017-03-03",
  "title": "Yandex Browser for desktop\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2016-8508 (GCVE-0-2016-8508)

Vulnerability from cvelistv5 – Published: 2017-03-01 15:00 – Updated: 2024-08-06 02:27

Summary

Yandex Browser for desktop before 17.1.1.227 does not show Protect (similar to Safebrowsing in Chromium) warnings in web-sites with special content-type, which could be used by remote attacker for prevention Protect warning on own malicious web-site.

Severity ?

No CVSS data available.

CWE

Yandex Browser Protect mechanism bypass

Assigner

yandex

References

URL

Tags

	http://www.securityfocus.com/bid/96514	vdb-entryx_refsource_BID
	https://yandex.com/blog/security-changelogs/fixed…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Yandex N.V.	Yandex Browser for desktop	Affected: before 17.1.1.227 for OSx and Windows

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:27:40.931Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "96514",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/96514"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://yandex.com/blog/security-changelogs/fixed-in-version-17-1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Yandex Browser for desktop",
          "vendor": "Yandex N.V.",
          "versions": [
            {
              "status": "affected",
              "version": "before 17.1.1.227 for OSx and Windows"
            }
          ]
        }
      ],
      "datePublic": "2017-02-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Yandex Browser for desktop before 17.1.1.227 does not show Protect (similar to Safebrowsing in Chromium) warnings in web-sites with special content-type, which could be used by remote attacker for prevention Protect warning on own malicious web-site."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Yandex Browser Protect mechanism bypass",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-03-03T10:57:02",
        "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "shortName": "yandex"
      },
      "references": [
        {
          "name": "96514",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/96514"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://yandex.com/blog/security-changelogs/fixed-in-version-17-1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "browser-security@yandex-team.ru",
          "ID": "CVE-2016-8508",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Yandex Browser for desktop",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 17.1.1.227 for OSx and Windows"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Yandex N.V."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Yandex Browser for desktop before 17.1.1.227 does not show Protect (similar to Safebrowsing in Chromium) warnings in web-sites with special content-type, which could be used by remote attacker for prevention Protect warning on own malicious web-site."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser Protect mechanism bypass"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "96514",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/96514"
            },
            {
              "name": "https://yandex.com/blog/security-changelogs/fixed-in-version-17-1",
              "refsource": "CONFIRM",
              "url": "https://yandex.com/blog/security-changelogs/fixed-in-version-17-1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
    "assignerShortName": "yandex",
    "cveId": "CVE-2016-8508",
    "datePublished": "2017-03-01T15:00:00",
    "dateReserved": "2016-10-07T00:00:00",
    "dateUpdated": "2024-08-06T02:27:40.931Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-02748

CVE-2016-8508 (GCVE-0-2016-8508)

Tags

Sightings

Nomenclature