cnvd - cnvd-2017-05616

CNVD-2017-05616

Vulnerability from cnvd - Published: 2017-04-29

Title

多款Apple产品WebKit组件跨站脚本漏洞

Description

AppleiOS、Safari和tvOS都是美国苹果（Apple）公司的产品。AppleiOS是为移动设备所开发的一套操作系统；Safari是一款Web浏览器，是MacOSX和iOS操作系统附带的默认浏览器；tvOS是一套智能电视操作系统。WebKit是KDE社区开发的一套开源Web浏览器引擎，目前被AppleSafari及GoogleChrome等浏览器使用。多款Apple产品中的WebKit组件存在跨站脚本漏洞。远程攻击者可利用该漏洞借助特制的框架对象实施跨站脚本攻击。

Severity

中

Patch Name

多款Apple产品WebKit组件跨站脚本漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://support.apple.com/zh-cn/HT207600 https://support.apple.com/zh-cn/HT207601 https://support.apple.com/zh-cn/HT207617

Reference

http://www.securityfocus.com/bid/97130 https://nvd.nist.gov/vuln/detail/CVE-2017-2445

Impacted products

Name
['Apple tvOS <10.2', 'Apple Safari <10.1', 'Apple IOS <10.3']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-2445"
    }
  },
  "description": "AppleiOS\u3001Safari\u548ctvOS\u90fd\u662f\u7f8e\u56fd\u82f9\u679c\uff08Apple\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002AppleiOS\u662f\u4e3a\u79fb\u52a8\u8bbe\u5907\u6240\u5f00\u53d1\u7684\u4e00\u5957\u64cd\u4f5c\u7cfb\u7edf\uff1bSafari\u662f\u4e00\u6b3eWeb\u6d4f\u89c8\u5668\uff0c\u662fMacOSX\u548ciOS\u64cd\u4f5c\u7cfb\u7edf\u9644\u5e26\u7684\u9ed8\u8ba4\u6d4f\u89c8\u5668\uff1btvOS\u662f\u4e00\u5957\u667a\u80fd\u7535\u89c6\u64cd\u4f5c\u7cfb\u7edf\u3002WebKit\u662fKDE\u793e\u533a\u5f00\u53d1\u7684\u4e00\u5957\u5f00\u6e90Web\u6d4f\u89c8\u5668\u5f15\u64ce\uff0c\u76ee\u524d\u88abAppleSafari\u53caGoogleChrome\u7b49\u6d4f\u89c8\u5668\u4f7f\u7528\u3002\r\n\r\n\u591a\u6b3eApple\u4ea7\u54c1\u4e2d\u7684WebKit\u7ec4\u4ef6\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u501f\u52a9\u7279\u5236\u7684\u6846\u67b6\u5bf9\u8c61\u5b9e\u65bd\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u3002",
  "discovererName": "lokihardt of Google Project Zero, Andr\u0026eacute; Bargull, Apple, Ivan Fratric of Google Project Zero, Natalie Silvanovich of Google Project Zero, Jeonghoon Shin, Zheng Huang and Wei Yuan of Baidu Security Lab, 0011 working with Trend Micro\u0027s Zero Day Initiat",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.apple.com/zh-cn/HT207600\r\nhttps://support.apple.com/zh-cn/HT207601\r\nhttps://support.apple.com/zh-cn/HT207617",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-05616",
  "openTime": "2017-04-29",
  "patchDescription": "AppleiOS\u3001Safari\u548ctvOS\u90fd\u662f\u7f8e\u56fd\u82f9\u679c\uff08Apple\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002AppleiOS\u662f\u4e3a\u79fb\u52a8\u8bbe\u5907\u6240\u5f00\u53d1\u7684\u4e00\u5957\u64cd\u4f5c\u7cfb\u7edf\uff1bSafari\u662f\u4e00\u6b3eWeb\u6d4f\u89c8\u5668\uff0c\u662fMacOSX\u548ciOS\u64cd\u4f5c\u7cfb\u7edf\u9644\u5e26\u7684\u9ed8\u8ba4\u6d4f\u89c8\u5668\uff1btvOS\u662f\u4e00\u5957\u667a\u80fd\u7535\u89c6\u64cd\u4f5c\u7cfb\u7edf\u3002WebKit\u662fKDE\u793e\u533a\u5f00\u53d1\u7684\u4e00\u5957\u5f00\u6e90Web\u6d4f\u89c8\u5668\u5f15\u64ce\uff0c\u76ee\u524d\u88abAppleSafari\u53caGoogleChrome\u7b49\u6d4f\u89c8\u5668\u4f7f\u7528\u3002\r\n\r\n\u591a\u6b3eApple\u4ea7\u54c1\u4e2d\u7684WebKit\u7ec4\u4ef6\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u501f\u52a9\u7279\u5236\u7684\u6846\u67b6\u5bf9\u8c61\u5b9e\u65bd\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eApple\u4ea7\u54c1WebKit\u7ec4\u4ef6\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apple tvOS \u003c10.2",
      "Apple Safari \u003c10.1",
      "Apple IOS \u003c10.3"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/97130\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-2445",
  "serverity": "\u4e2d",
  "submitTime": "2017-04-08",
  "title": "\u591a\u6b3eApple\u4ea7\u54c1WebKit\u7ec4\u4ef6\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2017-2445 (GCVE-0-2017-2445)

Vulnerability from cvelistv5 – Published: 2017-04-02 01:36 – Updated: 2024-08-05 13:55

Summary

An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via crafted frame objects.

Severity ?

No CVSS data available.

CWE

Assigner

apple

References

URL

Tags

	http://www.securitytracker.com/id/1038137	vdb-entryx_refsource_SECTRACK
	https://support.apple.com/HT207601	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/97130	vdb-entryx_refsource_BID
	https://security.gentoo.org/glsa/201706-15	vendor-advisoryx_refsource_GENTOO
	https://support.apple.com/HT207600	x_refsource_CONFIRM
	https://support.apple.com/HT207617	x_refsource_CONFIRM
	https://www.exploit-db.com/exploits/41802/	exploitx_refsource_EXPLOIT-DB

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T13:55:05.864Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1038137",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038137"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/HT207601"
          },
          {
            "name": "97130",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97130"
          },
          {
            "name": "GLSA-201706-15",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201706-15"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/HT207600"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/HT207617"
          },
          {
            "name": "41802",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/41802/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-03-28T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the \"WebKit\" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via crafted frame objects."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-15T09:57:01",
        "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
        "shortName": "apple"
      },
      "references": [
        {
          "name": "1038137",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038137"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/HT207601"
        },
        {
          "name": "97130",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97130"
        },
        {
          "name": "GLSA-201706-15",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201706-15"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/HT207600"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/HT207617"
        },
        {
          "name": "41802",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/41802/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "product-security@apple.com",
          "ID": "CVE-2017-2445",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the \"WebKit\" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via crafted frame objects."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1038137",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038137"
            },
            {
              "name": "https://support.apple.com/HT207601",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/HT207601"
            },
            {
              "name": "97130",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97130"
            },
            {
              "name": "GLSA-201706-15",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201706-15"
            },
            {
              "name": "https://support.apple.com/HT207600",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/HT207600"
            },
            {
              "name": "https://support.apple.com/HT207617",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/HT207617"
            },
            {
              "name": "41802",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/41802/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
    "assignerShortName": "apple",
    "cveId": "CVE-2017-2445",
    "datePublished": "2017-04-02T01:36:00",
    "dateReserved": "2016-12-01T00:00:00",
    "dateUpdated": "2024-08-05T13:55:05.864Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-05616

CVE-2017-2445 (GCVE-0-2017-2445)

Tags

Sightings

Nomenclature