CVE-2021-33595 (GCVE-0-2021-33595)

Vulnerability from cvelistv5 – Published: 2021-08-11 10:28 – Updated: 2024-08-03 23:50
VLAI?
Summary
A address bar spoofing vulnerability was discovered in Safe Browser for iOS. Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. A remote attacker can leverage this to perform address bar spoofing attack.
Severity ?
3.5 (Low)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CWE
  • F-Secure Safe browser for iOS vulnerable to Address Bar Spoofing
Assigner
References
Impacted products
Vendor Product Version
F-Secure F-Secure Mobile Security Affected: 18.4x , < 18.3x* (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:43.177Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33595"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "iOS"
          ],
          "product": "F-Secure Mobile Security",
          "vendor": "F-Secure",
          "versions": [
            {
              "lessThan": "18.3x*",
              "status": "affected",
              "version": "18.4x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A address bar spoofing vulnerability was discovered in Safe Browser for iOS. Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. A remote attacker can leverage this to perform address bar spoofing attack."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "F-Secure Safe browser for iOS vulnerable to Address Bar Spoofing",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-11T10:28:27",
        "orgId": "126858f1-1b65-4b74-81ca-7034f7f7723f",
        "shortName": "F-SecureUS"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33595"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to version 18.4.x or newer from the App Store "
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "F-Secure Safe browser for iOS vulnerable to Address Bar Spoofing",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-notifications-us@f-secure.com",
          "ID": "CVE-2021-33595",
          "STATE": "PUBLIC",
          "TITLE": "F-Secure Safe browser for iOS vulnerable to Address Bar Spoofing"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "F-Secure Mobile Security",
                      "version": {
                        "version_data": [
                          {
                            "platform": "iOS",
                            "version_affected": "\u003e",
                            "version_name": "18.3x",
                            "version_value": "18.4x"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "F-Secure"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A address bar spoofing vulnerability was discovered in Safe Browser for iOS. Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. A remote attacker can leverage this to perform address bar spoofing attack."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "F-Secure Safe browser for iOS vulnerable to Address Bar Spoofing"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame",
              "refsource": "MISC",
              "url": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame"
            },
            {
              "name": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories",
              "refsource": "MISC",
              "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories"
            },
            {
              "name": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33595",
              "refsource": "MISC",
              "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33595"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to version 18.4.x or newer from the App Store "
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "126858f1-1b65-4b74-81ca-7034f7f7723f",
    "assignerShortName": "F-SecureUS",
    "cveId": "CVE-2021-33595",
    "datePublished": "2021-08-11T10:28:27",
    "dateReserved": "2021-05-27T00:00:00",
    "dateUpdated": "2024-08-03T23:50:43.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f-secure:safe:*:*:*:*:*:iphone_os:*:*\", \"versionEndExcluding\": \"18.4.272901\", \"matchCriteriaId\": \"0D793BD2-1CBF-492B-823B-F8CB0FF45476\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A address bar spoofing vulnerability was discovered in Safe Browser for iOS. Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. A remote attacker can leverage this to perform address bar spoofing attack.\"}, {\"lang\": \"es\", \"value\": \"Se ha detectado una vulnerabilidad de suplantaci\\u00f3n de la barra de direcciones en Safe Browser para iOS. Se muestra la URL leg\\u00edtima en la barra de direcciones mientras se carga el contenido de otro dominio. Esto hace creer al usuario que el contenido es servido por un dominio leg\\u00edtimo. Un atacante remoto puede aprovechar esto para llevar a cabo un ataque de falsificaci\\u00f3n de la barra de direcciones\"}]",
      "id": "CVE-2021-33595",
      "lastModified": "2024-11-21T06:09:09.977",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cve-notifications-us@f-secure.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\", \"baseScore\": 3.5, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\", \"baseScore\": 3.5, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-08-11T11:15:09.203",
      "references": "[{\"url\": \"https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame\", \"source\": \"cve-notifications-us@f-secure.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.f-secure.com/en/business/support-and-downloads/security-advisories\", \"source\": \"cve-notifications-us@f-secure.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33595\", \"source\": \"cve-notifications-us@f-secure.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.f-secure.com/en/business/support-and-downloads/security-advisories\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33595\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cve-notifications-us@f-secure.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-33595\",\"sourceIdentifier\":\"cve-notifications-us@f-secure.com\",\"published\":\"2021-08-11T11:15:09.203\",\"lastModified\":\"2024-11-21T06:09:09.977\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A address bar spoofing vulnerability was discovered in Safe Browser for iOS. Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. A remote attacker can leverage this to perform address bar spoofing attack.\"},{\"lang\":\"es\",\"value\":\"Se ha detectado una vulnerabilidad de suplantaci\u00f3n de la barra de direcciones en Safe Browser para iOS. Se muestra la URL leg\u00edtima en la barra de direcciones mientras se carga el contenido de otro dominio. Esto hace creer al usuario que el contenido es servido por un dominio leg\u00edtimo. Un atacante remoto puede aprovechar esto para llevar a cabo un ataque de falsificaci\u00f3n de la barra de direcciones\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve-notifications-us@f-secure.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f-secure:safe:*:*:*:*:*:iphone_os:*:*\",\"versionEndExcluding\":\"18.4.272901\",\"matchCriteriaId\":\"0D793BD2-1CBF-492B-823B-F8CB0FF45476\"}]}]}],\"references\":[{\"url\":\"https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame\",\"source\":\"cve-notifications-us@f-secure.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.f-secure.com/en/business/support-and-downloads/security-advisories\",\"source\":\"cve-notifications-us@f-secure.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33595\",\"source\":\"cve-notifications-us@f-secure.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.f-secure.com/en/business/support-and-downloads/security-advisories\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33595\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.