Details of VAR-201704-0809

ID

VAR-201704-0809

CVE

CVE-2017-2486

TITLE

Apple iOS Used in etc. Webkit Vulnerable to address bar spoofing

Trust: 0.8

sources: JVNDB: JVNDB-2017-002339

DESCRIPTION

An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to spoof the address bar via a crafted web site. Apple macOS/iOS is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary code or bypass security restrictions and perform unauthorized actions. This may aid in further attacks. Apple iOS is an operating system developed for mobile devices; Safari is a web browser that is the default browser included with Mac OS X and iOS operating systems. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. A security vulnerability exists in the WebKit component of Apple iOS versions prior to 10.3 and Safari versions prior to 10.1

Trust: 1.98

sources: NVD: CVE-2017-2486 // JVNDB: JVNDB-2017-002339 // BID: 97147 // VULHUB: VHN-110689

AFFECTED PRODUCTS

vendor:	apple	model:	iphone os	scope:	lte	version:	10.2.1	Trust: 1.0
vendor:	apple	model:	safari	scope:	lte	version:	10.0.3	Trust: 1.0
vendor:	apple	model:	ios	scope:	lt	version:	10.3 (ipad first 4 after generation )	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	10.3 (iphone 5 or later )	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	10.3 (ipod touch first 6 after generation )	Trust: 0.8
vendor:	apple	model:	safari	scope:	eq	version:	10.0.3	Trust: 0.6
vendor:	apple	model:	iphone os	scope:	eq	version:	10.2.1	Trust: 0.6
vendor:	webkit	model:	open source project webkit	scope:	eq	version:	0	Trust: 0.3
vendor:	ubuntu	model:	linux	scope:	eq	version:	16.10	Trust: 0.3
vendor:	ubuntu	model:	linux lts	scope:	eq	version:	16.04	Trust: 0.3
vendor:	gentoo	model:	linux	scope:	-	version:	-	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.12.3	Trust: 0.3
vendor:	apple	model:	ipod touch	scope:	eq	version:	0	Trust: 0.3
vendor:	apple	model:	iphone	scope:	eq	version:	0	Trust: 0.3
vendor:	apple	model:	ipad	scope:	eq	version:	0	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	50	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	40	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	30	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	10.2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	10.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.3.4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.3.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.3.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.3.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.0.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.4.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.0.6	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.0.5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.0.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.0.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.3.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.1.6	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.1.4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.1.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.0.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.3.5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.1.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.1.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.1.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.1.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.1.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.0.4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.0.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5.1.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.9	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.8	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.7	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.6	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.10	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.0	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	2.0	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	10.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	10.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	10	Trust: 0.3
vendor:	apple	model:	security update yosemite	scope:	ne	version:	2017-0010	Trust: 0.3
vendor:	apple	model:	security update el capitan	scope:	ne	version:	2017-0010	Trust: 0.3
vendor:	apple	model:	macos	scope:	ne	version:	10.12.4	Trust: 0.3
vendor:	apple	model:	ios	scope:	ne	version:	10.3	Trust: 0.3

sources: BID: 97147 // JVNDB: JVNDB-2017-002339 // CNNVD: CNNVD-201703-1265 // NVD: CVE-2017-2486

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-2486
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-2486
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201703-1265
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-110689
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-2486
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-110689
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-2486
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-110689 // JVNDB: JVNDB-2017-002339 // CNNVD: CNNVD-201703-1265 // NVD: CVE-2017-2486

PROBLEMTYPE DATA

problemtype:	CWE-425	Trust: 1.1
problemtype:	CWE-284	Trust: 0.9

sources: VULHUB: VHN-110689 // JVNDB: JVNDB-2017-002339 // NVD: CVE-2017-2486

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-1265

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201703-1265

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002339

PATCH

title:	Apple security updates	url:	https://support.apple.com/en-us/HT201222	Trust: 0.8
title:	HT207617	url:	https://support.apple.com/en-us/HT207617	Trust: 0.8
title:	HT207617	url:	https://support.apple.com/ja-jp/HT207617	Trust: 0.8
title:	Apple macOS Sierra and iOS WebKit Fixes for component security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68817	Trust: 0.6

sources: JVNDB: JVNDB-2017-002339 // CNNVD: CNNVD-201703-1265

EXTERNAL IDS

db:	NVD	id:	CVE-2017-2486	Trust: 2.8
db:	BID	id:	97147	Trust: 2.0
db:	SECTRACK	id:	1038138	Trust: 1.7
db:	JVN	id:	JVNVU90482935	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-002339	Trust: 0.8
db:	CNNVD	id:	CNNVD-201703-1265	Trust: 0.6
db:	VULHUB	id:	VHN-110689	Trust: 0.1

sources: VULHUB: VHN-110689 // BID: 97147 // JVNDB: JVNDB-2017-002339 // CNNVD: CNNVD-201703-1265 // NVD: CVE-2017-2486

REFERENCES

url:	http://www.securityfocus.com/bid/97147	Trust: 1.7
url:	https://support.apple.com/ht207600	Trust: 1.7
url:	https://support.apple.com/ht207617	Trust: 1.7
url:	http://www.securitytracker.com/id/1038138	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2486	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu90482935/index.html	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2486	Trust: 0.8
url:	https://www.apple.com/	Trust: 0.3
url:	http://www.apple.com/ios/	Trust: 0.3
url:	http://www.apple.com/macosx/	Trust: 0.3

sources: VULHUB: VHN-110689 // BID: 97147 // JVNDB: JVNDB-2017-002339 // CNNVD: CNNVD-201703-1265 // NVD: CVE-2017-2486

CREDITS

lokihardt of Google Project Zero, Lufeng Li of Qihoo 360 Vulcan Team, anonymous researcher.,redrain of light4freedom

Trust: 0.6

sources: CNNVD: CNNVD-201703-1265

SOURCES

db:	VULHUB	id:	VHN-110689
db:	BID	id:	97147
db:	JVNDB	id:	JVNDB-2017-002339
db:	CNNVD	id:	CNNVD-201703-1265
db:	NVD	id:	CVE-2017-2486

LAST UPDATE DATE

2024-11-23T21:25:44.615000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-110689	date:	2019-10-03T00:00:00
db:	BID	id:	97147	date:	2017-06-08T08:02:00
db:	JVNDB	id:	JVNDB-2017-002339	date:	2017-04-12T00:00:00
db:	CNNVD	id:	CNNVD-201703-1265	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-2486	date:	2024-11-21T03:23:37.440

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-110689	date:	2017-04-02T00:00:00
db:	BID	id:	97147	date:	2017-03-27T00:00:00
db:	JVNDB	id:	JVNDB-2017-002339	date:	2017-04-12T00:00:00
db:	CNNVD	id:	CNNVD-201703-1265	date:	2017-03-31T00:00:00
db:	NVD	id:	CVE-2017-2486	date:	2017-04-02T01:59:03.967