The DecodeHSTSPreloadRaw function in net/http/transport_security_state.cc in Google Chrome before 43.0.2357.130 does not canonicalize DNS hostnames before comparing them against the HSTS or HPKP preload entries. A remote attacker can therefore bypass the intended restrictions by supplying a hostname that (1) ends in a . (dot) character or (2) is not entirely lowercase: such a name fails to match its preloaded entry, so the preloaded HSTS or HPKP policy is not applied to it.
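The following C++ snippet is an added illustration of the bug class described above, not Chrome's code: a byte-for-byte lookup that misses a preloaded host when the name carries a trailing dot or uppercase letters, beside a lookup that canonicalizes the hostname first. The preload table, the hostnames and the function names are all constructed for this example.

```cpp
// Added illustration (not Chrome's code) of hostname canonicalization before
// a preload-list lookup. The preload entries, hostnames and function names
// below are hypothetical and constructed for this example.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>

// Hypothetical preload list. Entries are stored canonicalized: ASCII
// lowercase, no trailing dot.
static const std::set<std::string> kPreloadedHosts = {
    "example.com",
    "secure.example.net",
};

// Naive lookup: compares the raw hostname exactly as supplied. This is the
// pattern the advisory describes: "example.com." or "EXAMPLE.com" is not
// found, so no preloaded HSTS/HPKP policy is applied to it.
bool IsPreloadedNaive(const std::string& host) {
  return kPreloadedHosts.count(host) != 0;
}

// Canonicalize a DNS hostname for table lookup: ASCII-lowercase every byte
// and drop a single trailing dot (the fully-qualified form "example.com."
// names the same host as "example.com").
std::string CanonicalizeHost(std::string host) {
  std::transform(host.begin(), host.end(), host.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  if (!host.empty() && host.back() == '.')
    host.pop_back();
  return host;
}

// Hardened lookup: canonicalize first, then compare against the table.
bool IsPreloadedCanonical(const std::string& raw_host) {
  return kPreloadedHosts.count(CanonicalizeHost(raw_host)) != 0;
}

int main() {
  const char* probes[] = {"example.com", "example.com.", "EXAMPLE.COM",
                          "Secure.Example.Net.", "example.org"};
  for (const char* p : probes) {
    std::cout << p << "\tnaive=" << IsPreloadedNaive(p)
              << "\tcanonical=" << IsPreloadedCanonical(p) << '\n';
  }
  return 0;
}
```

Running the block prints one line per probe; the two bypass variants from the advisory ("example.com." and "EXAMPLE.COM") are missed by the naive lookup and found by the canonicalizing one, while an unrelated host stays unmatched in both.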
Vulnerable Product |
---|
google chrome |