ID

VAR-201007-0330


CVE

CVE-2010-1796


TITLE

Apple Safari AutoFill vulnerability that allows Address Book Card information to be obtained

Trust: 0.8

sources: JVNDB: JVNDB-2010-001846

DESCRIPTION

The AutoFill feature in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4, allows remote attackers to obtain sensitive Address Book Card information via JavaScript code that forces keystroke events for input fields.

Safari is prone to multiple security vulnerabilities that have been addressed in Apple security advisory APPLE-SA-2010-07-28-1. Attackers can exploit these issues by enticing an unsuspecting user into visiting a malicious webpage. Successful attacks may result in information disclosure, remote code execution, denial of service, or other consequences. This BID is being retired. The following individual records exist to better document these issues:

41884 Apple Safari Personal Address Book AutoFill Information Disclosure Weakness
42034 WebKit Inline Elements Remote Memory Corruption Vulnerability
42035 WebKit CVE-2010-1783 Remote Memory Corruption Vulnerability
42036 WebKit CSS Counters Remote Memory Corruption Vulnerability
42037 WebKit ':first-letter' and ':first-line' Pseudo-Elements Remote Memory Corruption Vulnerability
42038 WebKit CVE-2010-1787 Floating Elements Remote Memory Corruption Vulnerability
42039 Apple Safari RSS Feed Information Disclosure Vulnerability
42041 WebKit 'use' Element Handling Remote Memory Corruption Vulnerability
42042 WebKit Regular Expression Handling Remote Memory Corruption Vulnerability
42043 WebKit Just-In-Time Compiled JavaScript Stubs Remote Code Execution Vulnerability
42044 WebKit Element Focus Use-After-Free Remote Code Execution Vulnerability
42045 WebKit JavaScript Array Signedness Error Remote Code Execution Vulnerability
42046 WebKit 'foreignObject' Elements Use-After-Free Remote Code Execution Vulnerability
42048 WebKit JavaScript String Object Remote Heap Based Buffer Overflow Vulnerability
42049 WebKit 'font-face' and 'use' Elements Use-After-Free Remote Code Execution Vulnerability
A remote attacker can exploit this issue to obtain sensitive information that may aid in further attacks. Safari 5.0 is vulnerable; other versions may also be affected.

Trust: 2.25

sources: NVD: CVE-2010-1796 // JVNDB: JVNDB-2010-001846 // BID: 42020 // BID: 41884 // VULHUB: VHN-44401

AFFECTED PRODUCTS

vendor:apple model:safari scope:eq version:4.0.5

Trust: 2.2

vendor:apple model:safari scope:eq version:4.0.4

Trust: 2.2

vendor:apple model:safari scope:eq version:4.0.3

Trust: 2.2

vendor:apple model:safari scope:eq version:4.0.2

Trust: 2.2

vendor:apple model:safari scope:eq version:4.0.1

Trust: 2.2

vendor:apple model:safari scope:eq version:4.0.0b

Trust: 1.6

vendor:apple model:safari scope:eq version:4.0

Trust: 1.6

vendor:apple model:safari scope:eq version:4

Trust: 1.4

vendor:apple model:safari scope:eq version:4.1

Trust: 1.2

vendor:apple model:safari scope:lte version:5.0

Trust: 1.0

vendor:apple model:webkit scope:eq version:*

Trust: 1.0

vendor:apple model:safari scope:lte version:4.1

Trust: 1.0

vendor:apple model:mac os x scope:eq version:v10.4.11

Trust: 0.8

vendor:apple model:mac os x scope:eq version:v10.5.8

Trust: 0.8

vendor:apple model:mac os x server scope:eq version:v10.4.11

Trust: 0.8

vendor:apple model:mac os x server scope:eq version:v10.5.8

Trust: 0.8

vendor:apple model:safari scope:eq version:5

Trust: 0.8

vendor:apple model:safari for windows scope:eq version:4.0.5

Trust: 0.6

vendor:apple model:safari for windows scope:eq version:4.0.4

Trust: 0.6

vendor:apple model:safari for windows scope:eq version:4.0.3

Trust: 0.6

vendor:apple model:safari for windows scope:eq version:4.0.2

Trust: 0.6

vendor:apple model:safari for windows scope:eq version:5.0

Trust: 0.6

vendor:apple model:safari scope:eq version:5.0

Trust: 0.6

vendor:apple model:safari for windows scope:eq version:4

Trust: 0.6

vendor:apple model:safari beta scope:eq version:4

Trust: 0.6

vendor:apple model:safari scope:ne version:5.0.1

Trust: 0.6

vendor:apple model:safari scope:ne version:4.1.1

Trust: 0.6

vendor:apple model:webkit scope: - version: -

Trust: 0.6

sources: BID: 42020 // BID: 41884 // JVNDB: JVNDB-2010-001846 // CNNVD: CNNVD-201007-327 // NVD: CVE-2010-1796

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-1796
value: LOW

Trust: 1.0

NVD: CVE-2010-1796
value: LOW

Trust: 0.8

CNNVD: CNNVD-201007-327
value: LOW

Trust: 0.6

VULHUB: VHN-44401
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2010-1796
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-44401
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-44401 // JVNDB: JVNDB-2010-001846 // CNNVD: CNNVD-201007-327 // NVD: CVE-2010-1796

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-44401 // JVNDB: JVNDB-2010-001846 // NVD: CVE-2010-1796

THREAT TYPE

network

Trust: 0.6

sources: BID: 42020 // BID: 41884

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201007-327

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-001846

PATCH

title:HT4276 url:http://support.apple.com/kb/HT4276

Trust: 0.8

title:HT4276 url:http://support.apple.com/kb/HT4276?viewlocale=ja_JP

Trust: 0.8

sources: JVNDB: JVNDB-2010-001846

EXTERNAL IDS

db:NVD id:CVE-2010-1796

Trust: 2.8

db:BID id:42020

Trust: 2.0

db:JVNDB id:JVNDB-2010-001846

Trust: 0.8

db:CNNVD id:CNNVD-201007-327

Trust: 0.7

db:NSFOCUS id:15474

Trust: 0.6

db:APPLE id:APPLE-SA-2010-07-28-1

Trust: 0.6

db:BID id:41884

Trust: 0.4

db:VULHUB id:VHN-44401

Trust: 0.1

sources: VULHUB: VHN-44401 // BID: 42020 // BID: 41884 // JVNDB: JVNDB-2010-001846 // CNNVD: CNNVD-201007-327 // NVD: CVE-2010-1796

REFERENCES

url:http://lists.apple.com/archives/security-announce/2010//jul/msg00001.html

Trust: 1.7

url:http://www.securityfocus.com/bid/42020

Trust: 1.7

url:http://support.apple.com/kb/ht4276

Trust: 1.7

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a11112

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1796

Trust: 0.8

url:http://jvn.jp/cert/jvnvu568637

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-1796

Trust: 0.8

url:http://www.apple.com/safari/

Trust: 0.6

url:http://www.nsfocus.net/vulndb/15474

Trust: 0.6

url:http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html

Trust: 0.3

sources: VULHUB: VHN-44401 // BID: 42020 // BID: 41884 // JVNDB: JVNDB-2010-001846 // CNNVD: CNNVD-201007-327 // NVD: CVE-2010-1796

CREDITS

Jeremiah Grossman

Trust: 0.9

sources: BID: 41884 // CNNVD: CNNVD-201007-327

SOURCES

db:VULHUB id:VHN-44401
db:BID id:42020
db:BID id:41884
db:JVNDB id:JVNDB-2010-001846
db:CNNVD id:CNNVD-201007-327
db:NVD id:CVE-2010-1796

LAST UPDATE DATE

2024-11-23T21:08:31.184000+00:00


SOURCES UPDATE DATE

db:VULHUB id:VHN-44401 date:2017-09-19T00:00:00
db:BID id:42020 date:2010-07-28T20:25:00
db:BID id:41884 date:2010-07-28T16:45:00
db:JVNDB id:JVNDB-2010-001846 date:2010-08-20T00:00:00
db:CNNVD id:CNNVD-201007-327 date:2010-08-03T00:00:00
db:NVD id:CVE-2010-1796 date:2024-11-21T01:15:13.050

SOURCES RELEASE DATE

db:VULHUB id:VHN-44401 date:2010-07-30T00:00:00
db:BID id:42020 date:2010-07-28T00:00:00
db:BID id:41884 date:2010-07-22T00:00:00
db:JVNDB id:JVNDB-2010-001846 date:2010-08-20T00:00:00
db:CNNVD id:CNNVD-201007-327 date:2010-07-22T00:00:00
db:NVD id:CVE-2010-1796 date:2010-07-30T20:30:02.333