All the vulnerabilites related to Apple Inc. - iPhone
jvndb-2008-000039
Vulnerability from jvndb
Published
2008-07-16 12:27
Modified
2008-07-16 12:27
Summary
Safari installed in iPod touch and iPhone vulnerable in handling server certificates
Details
Safari web browser installed in iPod touch and iPhone contains a vulnerability which allows a self-signed or invalid server certificate to be accepted without the user's explicit concent.
Safari is a web browser provided by Apple. Safari installed in iPod touch and iPhone accepts a self-signed or invalid server cerficate without the user's explicit concent when connecting via SSL/TLS.
According to Apple, "When Safari accesses a website that uses a self-signed or invalid certificate, it prompts the user to accept or reject the certificate. If the user presses the menu button while at the prompt, then on the next visit to the site, the certificate is accepted with no prompt."
Hiromitsu Takagi reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN88676089/ | |
| CVE | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1589 | |
| NVD | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1589 | |
| Improper Input Validation(CWE-20) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apple Inc. | iPhone | |
| Apple Inc. | iPod touch |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2008/JVNDB-2008-000039.html",
"dc:date": "2008-07-16T12:27+09:00",
"dcterms:issued": "2008-07-16T12:27+09:00",
"dcterms:modified": "2008-07-16T12:27+09:00",
"description": "Safari web browser installed in iPod touch and iPhone contains a vulnerability which allows a self-signed or invalid server certificate to be accepted without the user\u0027s explicit concent.\r\n\r\nSafari is a web browser provided by Apple. Safari installed in iPod touch and iPhone accepts a self-signed or invalid server cerficate without the user\u0027s explicit concent when connecting via SSL/TLS.\r\n\r\nAccording to Apple, \"When Safari accesses a website that uses a self-signed or invalid certificate, it prompts the user to accept or reject the certificate. If the user presses the menu button while at the prompt, then on the next visit to the site, the certificate is accepted with no prompt.\"\r\n\r\nHiromitsu Takagi reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2008/JVNDB-2008-000039.html",
"sec:cpe": [
{
"#text": "cpe:/h:apple:iphone",
"@product": "iPhone",
"@vendor": "Apple Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/h:apple:ipod_touch",
"@product": "iPod touch",
"@vendor": "Apple Inc.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2008-000039",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN88676089/",
"@id": "JVN#88676089",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1589",
"@id": "CVE-2008-1589",
"@source": "CVE"
},
{
"#text": "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1589",
"@id": "CVE-2008-1589",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-20",
"@title": "Improper Input Validation(CWE-20)"
}
],
"title": "Safari installed in iPod touch and iPhone vulnerable in handling server certificates"
}
jvndb-2007-000560
Vulnerability from jvndb
Published
2008-05-21 00:00
Modified
2008-05-21 00:00
Summary
Safari URL spoofing vulnerability
Details
Apple's Safari contains a vulnerability that allows spoofing of URLs in the address bar.
Apple's Safari is a web browser installed as default with Mac OS X.
There is a problem in Safari where URLs displayed in the address bar could be spoofed to deceive Safari users.
This could be conducted by using Unicode characters that look alike to ASCII characters as URL strings.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN16018033/index.html | |
| CVE | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3742 | |
| NVD | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3742 | |
| BID | http://www.securityfocus.com/bid/24636 | |
| XF | http://xforce.iss.net/xforce/xfdb/35716 | |
| FRSIRT | http://www.frsirt.com/english/advisories/2007/2730 | |
| Resource Management Errors(CWE-399) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html | |
| Link Following(CWE-59) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apple Inc. | Safari | |
| Apple Inc. | iPhone |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-000560.html",
"dc:date": "2008-05-21T00:00+09:00",
"dcterms:issued": "2008-05-21T00:00+09:00",
"dcterms:modified": "2008-05-21T00:00+09:00",
"description": "Apple\u0027s Safari contains a vulnerability that allows spoofing of URLs in the address bar.\r\n\r\nApple\u0027s Safari is a web browser installed as default with Mac OS X.\r\n\r\nThere is a problem in Safari where URLs displayed in the address bar could be spoofed to deceive Safari users. \r\nThis could be conducted by using Unicode characters that look alike to ASCII characters as URL strings.",
"link": "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-000560.html",
"sec:cpe": [
{
"#text": "cpe:/a:apple:safari",
"@product": "Safari",
"@vendor": "Apple Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/h:apple:iphone",
"@product": "iPhone",
"@vendor": "Apple Inc.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2007-000560",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN16018033/index.html",
"@id": "JVN#16018033",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3742",
"@id": "CVE-2007-3742",
"@source": "CVE"
},
{
"#text": "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3742",
"@id": "CVE-2007-3742",
"@source": "NVD"
},
{
"#text": "http://www.securityfocus.com/bid/24636",
"@id": "24636",
"@source": "BID"
},
{
"#text": "http://xforce.iss.net/xforce/xfdb/35716",
"@id": "35716",
"@source": "XF"
},
{
"#text": "http://www.frsirt.com/english/advisories/2007/2730",
"@id": "FrSIRT/ADV-2007-2730",
"@source": "FRSIRT"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-399",
"@title": "Resource Management Errors(CWE-399)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-59",
"@title": "Link Following(CWE-59)"
}
],
"title": "Safari URL spoofing vulnerability"
}
jvndb-2010-001538
Vulnerability from jvndb
Published
2010-11-26 17:16
Modified
2010-12-10 17:48
Summary
Safari address bar spoofing vulnerability
Details
Safari contains a vulnerability where the URL displayed in the address may be spoofed.
Safari contains a vulnerability where the address bar displays a character string that looks like a different URL than the URL that is being accessed.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2010/JVNDB-2010-001538.html",
"dc:date": "2010-12-10T17:48+09:00",
"dcterms:issued": "2010-11-26T17:16+09:00",
"dcterms:modified": "2010-12-10T17:48+09:00",
"description": "Safari contains a vulnerability where the URL displayed in the address may be spoofed.\r\n\r\nSafari contains a vulnerability where the address bar displays a character string that looks like a different URL than the URL that is being accessed.",
"link": "https://jvndb.jvn.jp/en/contents/2010/JVNDB-2010-001538.html",
"sec:cpe": [
{
"#text": "cpe:/a:apple:safari",
"@product": "Safari",
"@vendor": "Apple Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/h:apple:ipad",
"@product": "iPad",
"@vendor": "Apple Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/h:apple:iphone",
"@product": "iPhone",
"@vendor": "Apple Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/h:apple:ipod_touch",
"@product": "iPod touch",
"@vendor": "Apple Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/o:apple:iphone_os",
"@product": "iOS",
"@vendor": "Apple Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/o:apple:iphone_os_for_ipod_touch",
"@product": "iOS for iPod touch",
"@vendor": "Apple Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/o:apple:mac_os_x",
"@product": "Apple Mac OS X",
"@vendor": "Apple Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/o:apple:mac_os_x_server",
"@product": "Apple Mac OS X Server",
"@vendor": "Apple Inc.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2010-001538",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN46026251/index.html",
"@id": "JVN#46026251",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1384",
"@id": "CVE-2010-1384",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1384",
"@id": "CVE-2010-1384",
"@source": "NVD"
},
{
"#text": "http://secunia.com/advisories/40105",
"@id": "SA40105",
"@source": "SECUNIA"
},
{
"#text": "http://securitytracker.com/id?1024067",
"@id": "1024067",
"@source": "SECTRACK"
},
{
"#text": "http://www.vupen.com/english/advisories/2010/1373",
"@id": "VUPEN/ADV-2010-1373",
"@source": "VUPEN"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Safari address bar spoofing vulnerability"
}
jvndb-2007-000727
Vulnerability from jvndb
Published
2008-05-21 00:00
Modified
2008-05-21 00:00
Summary
Safari allows access from HTTP to HTTPS
Details
Apple Safari contains a vulnerability that allows a remote attacker to access HTTPS content via an HTTP session.
Safari is a default web browser installed in Mac OS X and iPhone.
Safari contains a vulnerability that allows a remote attacker to access web page contents protected by SSL/TLS from an HTTP page in the same domain.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apple Inc. | Safari | |
| Apple Inc. | iPhone | |
| Apple Inc. | Apple Mac OS X |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-000727.html",
"dc:date": "2008-05-21T00:00+09:00",
"dcterms:issued": "2008-05-21T00:00+09:00",
"dcterms:modified": "2008-05-21T00:00+09:00",
"description": "Apple Safari contains a vulnerability that allows a remote attacker to access HTTPS content via an HTTP session.\r\n\r\nSafari is a default web browser installed in Mac OS X and iPhone.\r\nSafari contains a vulnerability that allows a remote attacker to access web page contents protected by SSL/TLS from an HTTP page in the same domain.",
"link": "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-000727.html",
"sec:cpe": [
{
"#text": "cpe:/a:apple:safari",
"@product": "Safari",
"@vendor": "Apple Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/h:apple:iphone",
"@product": "iPhone",
"@vendor": "Apple Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/o:apple:mac_os_x",
"@product": "Apple Mac OS X",
"@vendor": "Apple Inc.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "4.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2007-000727",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN79013771/",
"@id": "JVN#79013771",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4671",
"@id": "CVE-2007-4671",
"@source": "CVE"
},
{
"#text": "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4671",
"@id": "CVE-2007-4671",
"@source": "NVD"
},
{
"#text": "http://secunia.com/advisories/26983",
"@id": "SA26983",
"@source": "SECUNIA"
},
{
"#text": "http://www.securityfocus.com/bid/25852",
"@id": "25852",
"@source": "BID"
},
{
"#text": "http://xforce.iss.net/xforce/xfdb/36862",
"@id": "36862",
"@source": "XF"
},
{
"#text": "http://securitytracker.com/id?1018752",
"@id": "1018752",
"@source": "SECTRACK"
},
{
"#text": "http://www.frsirt.com/english/advisories/2007/3287",
"@id": "FrSIRT/ADV-2007-3287",
"@source": "FRSIRT"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-20",
"@title": "Improper Input Validation(CWE-20)"
}
],
"title": "Safari allows access from HTTP to HTTPS"
}