ID

VAR-201510-0095


CVE

CVE-2015-5828


TITLE

Apple Safari WebKit Plug-ins component API vulnerability allowing bypass of request restrictions

Trust: 0.8

sources: JVNDB: JVNDB-2015-005133

DESCRIPTION

The API in the WebKit Plug-ins component in Apple Safari before 9 does not notify a plug-in when a request it issued receives an HTTP redirection (3xx) status code. The browser follows the redirect on the plug-in's behalf without telling it, so a plug-in that enforces its request restrictions on the URL it originally asked for never sees the redirected destination; this allows remote attackers to bypass the intended request restrictions via a crafted web site. Apple Safari, Apple's web browser and the default browser shipped with Mac OS X and iOS, is therefore prone to a security-bypass vulnerability, and attackers can exploit it to bypass certain security restrictions and perform unauthorized actions. WebKit Plug-ins is a component of the open source WebKit browser engine. The flaw is present in the WebKit Plug-ins API of Apple Safari 8.0.8 and earlier and stems from the program not providing notification of the HTTP redirection status code to the plug-in.

Trust: 1.98

sources: NVD: CVE-2015-5828 // JVNDB: JVNDB-2015-005133 // BID: 79707 // VULHUB: VHN-83789
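The following is an added illustration of the failure mode described above; it is not WebKit, Apple or plug-in code, and the origin server, URLs and allow-list are constructed for the example. It models a browser network layer that follows 3xx redirects for a plug-in, and contrasts a plug-in that is never told about the redirect (so its origin check runs only against the URL it requested) with one that receives a redirect notification and re-applies the same check to every hop. The `onRedirect` hook stands in for the notification the affected API lacked.

```javascript
// Constructed origin-server behaviour for the example: URL -> response.
// A 3xx response carries a Location header the browser will follow.
const SERVERS = {
  'https://trusted.example/asset':    { status: 302, location: 'https://attacker.example/payload' },
  'https://attacker.example/payload': { status: 200, body: 'cross-origin content' },
  'https://trusted.example/ok':       { status: 200, body: 'same-origin content' },
};

// The request restriction the (hypothetical) plug-in enforces: only load
// resources from these origins.
const ALLOWED_ORIGINS = new Set(['https://trusted.example']);

function allowedByPolicy(url) {
  return ALLOWED_ORIGINS.has(new URL(url).origin);
}

// Model of the browser's network layer. It follows redirects on the plug-in's
// behalf. `onRedirect(from, to)` is the notification hook; returning false
// from it aborts the load before the redirected request is made.
function browserLoad(url, onRedirect, maxHops = 5) {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    const resp = SERVERS[current];
    if (!resp) return { status: 404, finalUrl: current, body: '', blocked: false };
    if (resp.status >= 300 && resp.status < 400) {
      // Location may be relative; resolve it against the current URL as a browser would.
      const next = new URL(resp.location, current).href;
      if (onRedirect && onRedirect(current, next) === false) {
        return { status: 0, finalUrl: current, body: '', blocked: true };
      }
      current = next;
      continue;
    }
    return { status: resp.status, finalUrl: current, body: resp.body, blocked: false };
  }
  throw new Error('too many redirects');
}

// Vulnerable pattern (the behaviour CVE-2015-5828 describes): the plug-in
// validates only the URL it requests; the browser then follows the 3xx
// silently, so content is fetched from an origin the policy never approved.
function pluginLoadNoRedirectNotification(url) {
  if (!allowedByPolicy(url)) return { blocked: true, finalUrl: url, body: '' };
  const r = browserLoad(url, null);
  return { blocked: false, finalUrl: r.finalUrl, body: r.body };
}

// Fixed pattern: the plug-in is notified of each redirect and re-applies its
// policy to the redirected destination before the browser follows it.
function pluginLoadWithRedirectNotification(url) {
  if (!allowedByPolicy(url)) return { blocked: true, finalUrl: url, body: '' };
  const r = browserLoad(url, (_from, to) => allowedByPolicy(to));
  return { blocked: r.blocked, finalUrl: r.finalUrl, body: r.body };
}

// Run both plug-in models against the redirecting resource and a plain one.
function demo() {
  const redirecting = 'https://trusted.example/asset';
  const plain = 'https://trusted.example/ok';
  return {
    vulnerableRedirect: pluginLoadNoRedirectNotification(redirecting),
    fixedRedirect: pluginLoadWithRedirectNotification(redirecting),
    vulnerablePlain: pluginLoadNoRedirectNotification(plain),
    fixedPlain: pluginLoadWithRedirectNotification(plain),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point of the contrast is that the allow-list itself is identical in both plug-ins; what differs is whether the browser gives the plug-in a chance to evaluate the redirected URL. Without the notification, the policy is only ever applied to the first hop, so any allow-listed page that redirects (or is made to redirect) defeats it.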

AFFECTED PRODUCTS

vendor:opensusemodel:leapscope:eqversion:42.1

Trust: 1.0

vendor:applemodel:safariscope:lteversion:8.0.8

Trust: 1.0

vendor:applemodel:safariscope:ltversion:9 (os x el capitan v10.11)

Trust: 0.8

vendor:applemodel:safariscope:ltversion:9 (os x mavericks v10.9.5)

Trust: 0.8

vendor:applemodel:safariscope:ltversion:9 (os x yosemite v10.10.5)

Trust: 0.8

vendor:novellmodel:leapscope:eqversion:42.1

Trust: 0.6

vendor:applemodel:safariscope:eqversion:8.0.8

Trust: 0.6

vendor:applemodel:safariscope:eqversion:5.0.6

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.2.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.3.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.3.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.0

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.7

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3

Trust: 0.3

sources: BID: 79707 // JVNDB: JVNDB-2015-005133 // CNNVD: CNNVD-201510-084 // NVD: CVE-2015-5828

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-5828
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-5828
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201510-084
value: MEDIUM

Trust: 0.6

VULHUB: VHN-83789
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-5828
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-83789
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-83789 // JVNDB: JVNDB-2015-005133 // CNNVD: CNNVD-201510-084 // NVD: CVE-2015-5828

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-83789 // JVNDB: JVNDB-2015-005133 // NVD: CVE-2015-5828

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201510-084

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201510-084

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-005133

PATCH

title:Apple security updatesurl:https://support.apple.com/en-us/HT201222

Trust: 0.8

title:APPLE-SA-2015-09-30-2 Safari 9url:http://lists.apple.com/archives/security-announce/2015/Sep/msg00007.html

Trust: 0.8

title:HT205265url:https://support.apple.com/en-us/HT205265

Trust: 0.8

title:HT205265url:http://support.apple.com/ja-jp/HT205265

Trust: 0.8

title:Fix for Apple Safari WebKit Plug-ins component input validation vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=57937

Trust: 0.6

sources: JVNDB: JVNDB-2015-005133 // CNNVD: CNNVD-201510-084

EXTERNAL IDS

db:NVDid:CVE-2015-5828

Trust: 2.8

db:BIDid:79707

Trust: 1.4

db:SECTRACKid:1033688

Trust: 1.1

db:JVNid:JVNVU97220341

Trust: 0.8

db:JVNDBid:JVNDB-2015-005133

Trust: 0.8

db:CNNVDid:CNNVD-201510-084

Trust: 0.7

db:VULHUBid:VHN-83789

Trust: 0.1

sources: VULHUB: VHN-83789 // BID: 79707 // JVNDB: JVNDB-2015-005133 // CNNVD: CNNVD-201510-084 // NVD: CVE-2015-5828

REFERENCES

url:http://lists.apple.com/archives/security-announce/2015/sep/msg00007.html

Trust: 1.7

url:https://support.apple.com/ht205265

Trust: 1.7

url:http://www.securityfocus.com/bid/79707

Trust: 1.1

url:http://www.securitytracker.com/id/1033688

Trust: 1.1

url:http://lists.opensuse.org/opensuse-updates/2016-03/msg00054.html

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-5828

Trust: 0.8

url:http://jvn.jp/vu/jvnvu97220341/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-5828

Trust: 0.8

url:http://www.apple.com/macosx/

Trust: 0.3

url:http://www.apple.com/safari/

Trust: 0.3

url:http://webkitgtk.org/security/wsa-2015-0002.html

Trust: 0.3

sources: VULHUB: VHN-83789 // BID: 79707 // JVNDB: JVNDB-2015-005133 // CNNVD: CNNVD-201510-084 // NVD: CVE-2015-5828

CREDITS

Lorenzo Fontana

Trust: 0.3

sources: BID: 79707

SOURCES

db:VULHUBid:VHN-83789
db:BIDid:79707
db:JVNDBid:JVNDB-2015-005133
db:CNNVDid:CNNVD-201510-084
db:NVDid:CVE-2015-5828

LAST UPDATE DATE

2024-11-23T19:46:02.911000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-83789date:2018-10-30T00:00:00
db:BIDid:79707date:2016-02-02T19:47:00
db:JVNDBid:JVNDB-2015-005133date:2015-10-13T00:00:00
db:CNNVDid:CNNVD-201510-084date:2015-10-10T00:00:00
db:NVDid:CVE-2015-5828date:2024-11-21T02:33:56.397

SOURCES RELEASE DATE

db:VULHUBid:VHN-83789date:2015-10-09T00:00:00
db:BIDid:79707date:2015-09-30T00:00:00
db:JVNDBid:JVNDB-2015-005133date:2015-10-13T00:00:00
db:CNNVDid:CNNVD-201510-084date:2015-10-10T00:00:00
db:NVDid:CVE-2015-5828date:2015-10-09T05:59:02.453