Details of VAR-200906-0438

ID

VAR-200906-0438

CVE

CVE-2009-2072

TITLE

Apple Safari In any https Vulnerability to spoof a site

Trust: 0.8

sources: JVNDB: JVNDB-2009-003504

DESCRIPTION

Apple Safari does not require a cached certificate before displaying a lock icon for an https web site, which allows man-in-the-middle attackers to spoof an arbitrary https site by sending the browser a crafted (1) 4xx or (2) 5xx CONNECT response page for an https request sent through a proxy server. Multiple browsers are prone to a vulnerability that may allow attackers to spoof arbitrary HTTPS sites. Attackers may exploit this vulnerability via a malicious webpage to spoof the origin of an HTTPS site. Successful exploits will lead to a false sensitive security since the victim is visiting a site that is assumed to be legitimate

Trust: 1.98

sources: NVD: CVE-2009-2072 // JVNDB: JVNDB-2009-003504 // BID: 35411 // VULHUB: VHN-39518

AFFECTED PRODUCTS

vendor:	apple	model:	safari	scope:	eq	version:	3	Trust: 1.9
vendor:	apple	model:	safari	scope:	eq	version:	3.0.3	Trust: 1.6
vendor:	apple	model:	safari	scope:	eq	version:	3.0.1b	Trust: 1.6
vendor:	apple	model:	safari	scope:	eq	version:	3.0.0	Trust: 1.6
vendor:	apple	model:	safari	scope:	eq	version:	3.0.2	Trust: 1.6
vendor:	apple	model:	safari	scope:	eq	version:	3.0.2b	Trust: 1.6
vendor:	apple	model:	safari	scope:	eq	version:	3.0.1	Trust: 1.6
vendor:	apple	model:	safari	scope:	eq	version:	2.0_pre	Trust: 1.6
vendor:	apple	model:	safari	scope:	eq	version:	3.0.0b	Trust: 1.6
vendor:	apple	model:	safari	scope:	eq	version:	3.1.2	Trust: 1.3
vendor:	apple	model:	safari	scope:	eq	version:	3.1.1	Trust: 1.3
vendor:	apple	model:	safari	scope:	eq	version:	3.2	Trust: 1.3
vendor:	apple	model:	safari	scope:	eq	version:	3.1	Trust: 1.3
vendor:	apple	model:	safari	scope:	eq	version:	1.1.0	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	0.9	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	3.0.4b	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.0.0b1	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.3.0	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.0.0b2	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	3.0.4	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	3.0.3b	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.3.2	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	2.0.4	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.2.4	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.2	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.2.1	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.0	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.0.0	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.3.1	Trust: 1.0
vendor:	apple	model:	safari	scope:	lte	version:	3.2.1	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	2.0.4_419.3	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	2.0	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.0.2	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.2.5	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	2	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	3.1.0b	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.0.3	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	3.0	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	3.2.0	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	3.0.4_beta	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	2.0.2	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	2.0.1	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.1	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.3	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	2.0.3	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.2.3	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.2.2	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	2.0.3_417.9.3	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	2.0.0	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.2.0	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.0.1	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	0.8	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	1.1.1	Trust: 1.0
vendor:	apple	model:	safari	scope:	eq	version:	3.1.0	Trust: 1.0
vendor:	apple	model:	safari	scope:	-	version:	-	Trust: 0.8
vendor:	suse	model:	opensuse	scope:	eq	version:	10.3	Trust: 0.3
vendor:	s u s e	model:	opensuse	scope:	eq	version:	11.1	Trust: 0.3
vendor:	s u s e	model:	opensuse	scope:	eq	version:	11.0	Trust: 0.3
vendor:	microsoft	model:	internet explorer rc1	scope:	eq	version:	8	Trust: 0.3
vendor:	microsoft	model:	internet explorer beta	scope:	eq	version:	82	Trust: 0.3
vendor:	microsoft	model:	internet explorer beta	scope:	eq	version:	81	Trust: 0.3
vendor:	microsoft	model:	internet explorer beta3	scope:	eq	version:	7.0	Trust: 0.3
vendor:	microsoft	model:	internet explorer beta2	scope:	eq	version:	7.0	Trust: 0.3
vendor:	microsoft	model:	internet explorer beta1	scope:	eq	version:	7.0	Trust: 0.3
vendor:	microsoft	model:	internet explorer	scope:	eq	version:	7.0	Trust: 0.3
vendor:	microsoft	model:	internet explorer sp1	scope:	eq	version:	6.0	Trust: 0.3
vendor:	microsoft	model:	internet explorer	scope:	eq	version:	6.0	Trust: 0.3
vendor:	mandriva	model:	linux mandrake x86 64	scope:	eq	version:	2009.1	Trust: 0.3
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	2009.1	Trust: 0.3
vendor:	mandriva	model:	linux mandrake x86 64	scope:	eq	version:	2009.0	Trust: 0.3
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	2009.0	Trust: 0.3
vendor:	google	model:	chrome	scope:	eq	version:	0.3.1549	Trust: 0.3
vendor:	google	model:	chrome	scope:	eq	version:	0.2.149.30	Trust: 0.3
vendor:	google	model:	chrome	scope:	eq	version:	0.2.149.29	Trust: 0.3
vendor:	google	model:	chrome	scope:	eq	version:	0.2.149.27	Trust: 0.3
vendor:	google	model:	chrome	scope:	eq	version:	1.0.154.48	Trust: 0.3
vendor:	google	model:	chrome	scope:	eq	version:	1.0.154.46	Trust: 0.3
vendor:	google	model:	chrome	scope:	eq	version:	1.0.154.36	Trust: 0.3
vendor:	apple	model:	safari for windows	scope:	eq	version:	3.1.2	Trust: 0.3
vendor:	apple	model:	safari for windows	scope:	eq	version:	3.1.1	Trust: 0.3
vendor:	apple	model:	safari beta for windows	scope:	eq	version:	3.0.4	Trust: 0.3
vendor:	apple	model:	safari beta for windows	scope:	eq	version:	3.0.3	Trust: 0.3
vendor:	apple	model:	safari beta	scope:	eq	version:	3.0.3	Trust: 0.3
vendor:	apple	model:	safari beta for windows	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	apple	model:	safari beta	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	apple	model:	safari beta for windows	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	apple	model:	safari beta	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	apple	model:	safari for windows	scope:	eq	version:	3.1	Trust: 0.3
vendor:	apple	model:	safari beta for windows	scope:	eq	version:	3	Trust: 0.3
vendor:	apple	model:	safari beta	scope:	eq	version:	3	Trust: 0.3
vendor:	microsoft	model:	internet explorer	scope:	ne	version:	8	Trust: 0.3
vendor:	google	model:	chrome	scope:	ne	version:	1.0.154.53	Trust: 0.3
vendor:	apple	model:	safari for windows	scope:	ne	version:	3.2.3	Trust: 0.3
vendor:	apple	model:	safari	scope:	ne	version:	3.2.3	Trust: 0.3

sources: BID: 35411 // JVNDB: JVNDB-2009-003504 // CNNVD: CNNVD-200906-263 // NVD: CVE-2009-2072

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2009-2072
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2009-2072
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200906-263
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-39518
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2009-2072
severity:	MEDIUM
baseScore:	5.4
vectorString:	AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	5.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-39518
severity:	MEDIUM
baseScore:	5.4
vectorString:	AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	5.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-39518 // JVNDB: JVNDB-2009-003504 // CNNVD: CNNVD-200906-263 // NVD: CVE-2009-2072

PROBLEMTYPE DATA

problemtype:

CWE-287

Trust: 1.9

sources: VULHUB: VHN-39518 // JVNDB: JVNDB-2009-003504 // NVD: CVE-2009-2072

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-200906-263

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-200906-263

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-003504

PATCH

title:

Top Page

url:

http://www.apple.com/safari/

Trust: 0.8

sources: JVNDB: JVNDB-2009-003504

EXTERNAL IDS

db:	NVD	id:	CVE-2009-2072	Trust: 2.8
db:	BID	id:	35411	Trust: 2.0
db:	JVNDB	id:	JVNDB-2009-003504	Trust: 0.8
db:	CNNVD	id:	CNNVD-200906-263	Trust: 0.6
db:	VULHUB	id:	VHN-39518	Trust: 0.1

sources: VULHUB: VHN-39518 // BID: 35411 // JVNDB: JVNDB-2009-003504 // CNNVD: CNNVD-200906-263 // NVD: CVE-2009-2072

REFERENCES

url:	http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf	Trust: 2.0
url:	http://www.securityfocus.com/bid/35411	Trust: 1.7
url:	http://research.microsoft.com/apps/pubs/default.aspx?id=79323	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2072	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-2072	Trust: 0.8
url:	http://www.apple.com	Trust: 0.3
url:	http://www.google.com/chrome	Trust: 0.3
url:	http://www.microsoft.com	Trust: 0.3

sources: VULHUB: VHN-39518 // BID: 35411 // JVNDB: JVNDB-2009-003504 // CNNVD: CNNVD-200906-263 // NVD: CVE-2009-2072

CREDITS

Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang

Trust: 0.9

sources: BID: 35411 // CNNVD: CNNVD-200906-263

SOURCES

db:	VULHUB	id:	VHN-39518
db:	BID	id:	35411
db:	JVNDB	id:	JVNDB-2009-003504
db:	CNNVD	id:	CNNVD-200906-263
db:	NVD	id:	CVE-2009-2072

LAST UPDATE DATE

2025-04-10T19:42:44.457000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-39518	date:	2009-06-23T00:00:00
db:	BID	id:	35411	date:	2015-03-19T09:36:00
db:	JVNDB	id:	JVNDB-2009-003504	date:	2012-06-26T00:00:00
db:	CNNVD	id:	CNNVD-200906-263	date:	2009-06-23T00:00:00
db:	NVD	id:	CVE-2009-2072	date:	2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-39518	date:	2009-06-15T00:00:00
db:	BID	id:	35411	date:	2009-06-17T00:00:00
db:	JVNDB	id:	JVNDB-2009-003504	date:	2012-06-26T00:00:00
db:	CNNVD	id:	CNNVD-200906-263	date:	2009-06-15T00:00:00
db:	NVD	id:	CVE-2009-2072	date:	2009-06-15T19:30:05.767