Details of VAR-201804-0450

ID

VAR-201804-0450

CVE

CVE-2017-2493

TITLE

plural Apple Used in products WebKit Vulnerabilities that bypass the same origin policy in components

Trust: 0.8

sources: JVNDB: JVNDB-2017-013137

DESCRIPTION

An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. iCloud before 6.2 on Windows is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted elements on a web site. WebKit is prone to an same-origin policy security-bypass vulnerability. Apple iOS, Safari, iCloud for Windows and tvOS are all products of Apple Inc. in the United States. Apple iOS is an operating system developed for mobile devices; Safari is a web browser that is the default browser included with Mac OS X and iOS operating systems. tvOS is a smart TV operating system. WebKit is one of the web browser engine components. A security vulnerability exists in the WebKit component of several Apple products. The following products and versions are affected: Apple iOS prior to 10.3; Safari prior to 10.1; Windows-based iCloud prior to 6.2; tvOS prior to 10.2

Trust: 2.07

sources: NVD: CVE-2017-2493 // JVNDB: JVNDB-2017-013137 // BID: 98700 // VULHUB: VHN-110696 // VULMON: CVE-2017-2493

AFFECTED PRODUCTS

vendor:	apple	model:	tvos	scope:	lt	version:	10.2	Trust: 1.0
vendor:	apple	model:	iphone os	scope:	lt	version:	10.3	Trust: 1.0
vendor:	apple	model:	safari	scope:	lt	version:	10.1	Trust: 1.0
vendor:	apple	model:	icloud	scope:	lt	version:	6.2	Trust: 1.0
vendor:	apple	model:	icloud	scope:	lt	version:	6.2 (windows 7 or later )	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	10.3 (ipad first 4 after generation )	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	10.3 (iphone 5 or later )	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	10.3 (ipod touch first 6 after generation )	Trust: 0.8
vendor:	apple	model:	safari	scope:	lt	version:	10.1 (macos sierra 10.12.4)	Trust: 0.8
vendor:	apple	model:	safari	scope:	lt	version:	10.1 (os x el capitan 10.11.6)	Trust: 0.8
vendor:	apple	model:	safari	scope:	lt	version:	10.1 (os x yosemite 10.10.5)	Trust: 0.8
vendor:	apple	model:	tvos	scope:	lt	version:	10.2 (apple tv first 4 generation )	Trust: 0.8
vendor:	apple	model:	safari	scope:	eq	version:	3.0	Trust: 0.6
vendor:	apple	model:	safari	scope:	eq	version:	3.0.0	Trust: 0.6
vendor:	apple	model:	safari	scope:	eq	version:	3	Trust: 0.6
vendor:	apple	model:	safari	scope:	eq	version:	3.0.1	Trust: 0.6
vendor:	apple	model:	safari	scope:	eq	version:	2.0.4	Trust: 0.6
vendor:	apple	model:	safari	scope:	eq	version:	1.3.0	Trust: 0.6
vendor:	apple	model:	safari	scope:	eq	version:	3.0.0b	Trust: 0.6
vendor:	apple	model:	tvos	scope:	eq	version:	10.1.1	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	10.0.1	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	9.2.2	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	9.2.1	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	9.1.1	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	9.2	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	9.1	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	9.0	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	10.1	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	10	Trust: 0.3
vendor:	apple	model:	tv	scope:	eq	version:	0	Trust: 0.3
vendor:	apple	model:	safari	scope:	eq	version:	10.0.3	Trust: 0.3
vendor:	apple	model:	tvos	scope:	ne	version:	10.2	Trust: 0.3
vendor:	apple	model:	safari	scope:	ne	version:	10.1	Trust: 0.3

sources: BID: 98700 // JVNDB: JVNDB-2017-013137 // CNNVD: CNNVD-201804-210 // NVD: CVE-2017-2493

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-2493
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-2493
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201804-210
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-110696
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2017-2493
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-2493
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-110696
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-2493
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-110696 // VULMON: CVE-2017-2493 // JVNDB: JVNDB-2017-013137 // CNNVD: CNNVD-201804-210 // NVD: CVE-2017-2493

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-110696 // JVNDB: JVNDB-2017-013137 // NVD: CVE-2017-2493

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201804-210

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201804-210

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-013137

PATCH

title:	HT207617	url:	https://support.apple.com/en-us/HT207617	Trust: 0.8
title:	HT207600	url:	https://support.apple.com/en-us/HT207600	Trust: 0.8
title:	HT207601	url:	https://support.apple.com/en-us/HT207601	Trust: 0.8
title:	HT207607	url:	https://support.apple.com/en-us/HT207607	Trust: 0.8
title:	HT207600	url:	https://support.apple.com/ja-jp/HT207600	Trust: 0.8
title:	HT207601	url:	https://support.apple.com/ja-jp/HT207601	Trust: 0.8
title:	HT207607	url:	https://support.apple.com/ja-jp/HT207607	Trust: 0.8
title:	HT207617	url:	https://support.apple.com/ja-jp/HT207617	Trust: 0.8
title:	Multiple Apple product WebKit Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83062	Trust: 0.6
title:	Apple: iCloud for Windows 6.2	url:	https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=ec0dbe9c3dba8c45d36ab3d8d8948ccf	Trust: 0.1
title:	Apple: iTunes 12.6 for Windows	url:	https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=a2320462745411a5547ed48fe868a9a6	Trust: 0.1
title:	Apple: Safari 10.1	url:	https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=5c4ba20f7a3a0bac6dc3db074ec0daa4	Trust: 0.1
title:	Apple: tvOS 10.2	url:	https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=96152d4695ab80cff7cf110b4458ab10	Trust: 0.1
title:	Apple: iOS 10.3	url:	https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=e3eec66a6152b7f2dac0fe21bb8ee9cd	Trust: 0.1
title:	tensorflow	url:	https://github.com/elmasryelec/tensorflow	Trust: 0.1
title:	uxss-db	url:	https://github.com/Metnew/uxss-db	Trust: 0.1
title:	uxss-db	url:	https://github.com/0xR0/uxss-db	Trust: 0.1
title:	Exp101tsArchiv30thers	url:	https://github.com/nu11secur1ty/Exp101tsArchiv30thers	Trust: 0.1
title:	awesome-cve-poc_qazbnm456	url:	https://github.com/xbl3/awesome-cve-poc_qazbnm456	Trust: 0.1

sources: VULMON: CVE-2017-2493 // JVNDB: JVNDB-2017-013137 // CNNVD: CNNVD-201804-210

EXTERNAL IDS

db:	NVD	id:	CVE-2017-2493	Trust: 2.9
db:	JVNDB	id:	JVNDB-2017-013137	Trust: 0.8
db:	CNNVD	id:	CNNVD-201804-210	Trust: 0.7
db:	BID	id:	98700	Trust: 0.5
db:	PACKETSTORM	id:	142660	Trust: 0.2
db:	SEEBUG	id:	SSVID-93150	Trust: 0.1
db:	VULHUB	id:	VHN-110696	Trust: 0.1
db:	VULMON	id:	CVE-2017-2493	Trust: 0.1

sources: VULHUB: VHN-110696 // VULMON: CVE-2017-2493 // BID: 98700 // JVNDB: JVNDB-2017-013137 // CNNVD: CNNVD-201804-210 // NVD: CVE-2017-2493

REFERENCES

url:	https://support.apple.com/ht207600	Trust: 1.8
url:	https://support.apple.com/ht207601	Trust: 1.8
url:	https://support.apple.com/ht207607	Trust: 1.8
url:	https://support.apple.com/ht207617	Trust: 1.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2493	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2493	Trust: 0.8
url:	https://support.apple.com/en-in/ht207601	Trust: 0.3
url:	https://www.apple.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.1
url:	https://www.securityfocus.com/bid/98700	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://packetstormsecurity.com/files/142660/webkit-htmlobjectelement-updatewidget-universal-xss.html	Trust: 0.1
url:	https://github.com/metnew/uxss-db	Trust: 0.1
url:	https://support.apple.com/kb/ht207607	Trust: 0.1

sources: VULHUB: VHN-110696 // VULMON: CVE-2017-2493 // BID: 98700 // JVNDB: JVNDB-2017-013137 // CNNVD: CNNVD-201804-210 // NVD: CVE-2017-2493

CREDITS

lokihardt of Google Project Zero

Trust: 0.3

sources: BID: 98700

SOURCES

db:	VULHUB	id:	VHN-110696
db:	VULMON	id:	CVE-2017-2493
db:	BID	id:	98700
db:	JVNDB	id:	JVNDB-2017-013137
db:	CNNVD	id:	CNNVD-201804-210
db:	NVD	id:	CVE-2017-2493

LAST UPDATE DATE

2024-11-23T22:34:18.392000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-110696	date:	2019-03-08T00:00:00
db:	VULMON	id:	CVE-2017-2493	date:	2019-03-08T00:00:00
db:	BID	id:	98700	date:	2017-04-24T00:00:00
db:	JVNDB	id:	JVNDB-2017-013137	date:	2018-06-01T00:00:00
db:	CNNVD	id:	CNNVD-201804-210	date:	2019-03-13T00:00:00
db:	NVD	id:	CVE-2017-2493	date:	2024-11-21T03:23:38.290

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-110696	date:	2018-04-03T00:00:00
db:	VULMON	id:	CVE-2017-2493	date:	2018-04-03T00:00:00
db:	BID	id:	98700	date:	2017-04-24T00:00:00
db:	JVNDB	id:	JVNDB-2017-013137	date:	2018-06-01T00:00:00
db:	CNNVD	id:	CNNVD-201804-210	date:	2018-04-04T00:00:00
db:	NVD	id:	CVE-2017-2493	date:	2018-04-03T06:29:01.343