Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2008-6512

Cross-domain vulnerability in the WorkerPool API in Google Gears before 0.5.4.2 allows remote attackers to bypass the Same Origin Policy and the intended access restrictions of the allowCrossOrigin function by hosting an assumed-safe file type containing Google Gear commands on the target domain, then accessing that file from the attacking domain, whose response headers are not checked and cause the worker code to run in the target domain.

Published

2009-03-24T14:30:00.187

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 6.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	google	gears	≤ 0.5	Yes
Application	google	gears	0.1	Yes
Application	google	gears	0.2	Yes
Application	google	gears	0.3	Yes
Application	google	gears	0.4	Yes

References

http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html Exploit ([email protected])
http://code.google.com/apis/gears/upcoming/api_workerpool.html#cross_origin Vendor Advisory ([email protected])
http://lists.grok.org.uk/pipermail/full-disclosure/2008-December/066291.html ([email protected])
http://secunia.com/advisories/33062 Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/32698 ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/47173 ([email protected])
http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html Exploit (af854a3a-2127-422b-91ae-364da2661108)
http://code.google.com/apis/gears/upcoming/api_workerpool.html#cross_origin Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.grok.org.uk/pipermail/full-disclosure/2008-December/066291.html (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/33062 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/32698 (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/47173 (af854a3a-2127-422b-91ae-364da2661108)