5.3

CVE-2016-7152

EPSS 2.28%
Published 06.09.2016 10:59:00
Last modified 12.04.2025 10:46:40
Source cve@mitre.org
Teams watchlist Login
Open Login

The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack.

Affected products Warnungen 0 Metrics 3 CWE 1 References 12

Data is provided by the National Vulnerability Database (NVD)

Opera ≫ Opera Version-

Apple ≫ Safari

Mozilla ≫ Firefox

Microsoft ≫ Edge Version-

Microsoft ≫ Internet Explorer Version-

Google ≫ Chrome Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.28%	0.841

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/

Technical Description

http://www.securityfocus.com/bid/92769

http://www.securitytracker.com/id/1036741

http://www.securitytracker.com/id/1036742

http://www.securitytracker.com/id/1036743

http://www.securitytracker.com/id/1036744

http://www.securitytracker.com/id/1036745

http://www.securitytracker.com/id/1036746

https://tom.vg/papers/heist_blackhat2016.pdf

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2016-7152

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-7152

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-7152

EUVD