CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score
Confidence: High

EPSS
Percentile: 77.6%

The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a “HEIST” attack.
Vendor | Product | Version | CPE |
---|---|---|---|
opera | opera | - | cpe:2.3:a:opera:opera:-:*:*:*:*:*:*:* |
apple | safari | * | cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* |
mozilla | firefox | * | cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* |
microsoft | edge | - | cpe:2.3:a:microsoft:edge:-:*:*:*:*:*:*:* |
microsoft | internet_explorer | - | cpe:2.3:a:microsoft:internet_explorer:-:*:*:*:*:*:*:* |
google | chrome | - | cpe:2.3:a:google:chrome:-:*:*:*:*:*:*:* |
arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/
www.securityfocus.com/bid/92769
www.securitytracker.com/id/1036741
www.securitytracker.com/id/1036742
www.securitytracker.com/id/1036743
www.securitytracker.com/id/1036744
www.securitytracker.com/id/1036745
www.securitytracker.com/id/1036746
tom.vg/papers/heist_blackhat2016.pdf