Sign-up

ID

VAR-201108-0003


CVE

CVE-2008-7296


TITLE

Apple of Safari Vulnerable to overwriting or deleting arbitrary cookies

Trust: 0.8

sources: JVNDB: JVNDB-2011-003794

DESCRIPTION

Apple Safari cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, aka a "cookie forcing" issue. This allows attackers to bypass security features provided by secure cookies. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems

Trust: 1.98

sources: NVD: CVE-2008-7296 // JVNDB: JVNDB-2011-003794 // BID: 49136 // VULHUB: VHN-37421

AFFECTED PRODUCTS

vendor:applemodel:safariscope: - version: -

Trust: 1.4

vendor:applemodel:safariscope:eqversion:*

Trust: 1.0

vendor:applemodel:safariscope:eqversion:4.0.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.2.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.1

Trust: 0.3

sources: BID: 49136 // JVNDB: JVNDB-2011-003794 // CNNVD: CNNVD-201108-146 // NVD: CVE-2008-7296

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-7296
value: MEDIUM

Trust: 1.0

NVD: CVE-2008-7296
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201108-146
value: MEDIUM

Trust: 0.6

VULHUB: VHN-37421
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2008-7296
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-37421
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-37421 // JVNDB: JVNDB-2011-003794 // CNNVD: CNNVD-201108-146 // NVD: CVE-2008-7296

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-37421 // JVNDB: JVNDB-2011-003794 // NVD: CVE-2008-7296

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201108-146

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201108-146

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2011-003794

PATCH
title:Safariurl:http://www.apple.com/safari/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2011-003794

EXTERNAL IDS
db:NVDid:CVE-2008-7296
Trust: 2.8
db:JVNDBid:JVNDB-2011-003794
Trust: 0.8
db:CNNVDid:CNNVD-201108-146
Trust: 0.7
db:BIDid:49136
Trust: 0.4
db:VULHUBid:VHN-37421
Trust: 0.1
sources:
            
            
            VULHUB: VHN-37421 // 
            
            
            
            BID: 49136 // 
            
            
            
            JVNDB: JVNDB-2011-003794 // 
            
            
            
            CNNVD: CNNVD-201108-146 // 
            
            
            
            NVD: CVE-2008-7296

REFERENCES
url:http://code.google.com/p/browsersec/wiki/part2#same-origin_policy_for_cookies
Trust: 2.0
url:http://michael-coates.blogspot.com/2010/01/cookie-forcing-trust-your-cookies-no.html
Trust: 2.0
url:http://scarybeastsecurity.blogspot.com/2008/11/cookie-forcing.html
Trust: 2.0
url:http://scarybeastsecurity.blogspot.com/2011/02/some-less-obvious-benefits-of-hsts.html
Trust: 2.0
url:https://bugzilla.mozilla.org/show_bug.cgi?id=660053
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-7296
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-7296
Trust: 0.8
url:http://www.apple.com/safari/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-37421 // 
            
            
            
            BID: 49136 // 
            
            
            
            JVNDB: JVNDB-2011-003794 // 
            
            
            
            CNNVD: CNNVD-201108-146 // 
            
            
            
            NVD: CVE-2008-7296

CREDITS
Chris Evans
Trust: 0.3
sources:
            
            
            BID: 49136

SOURCES
db:VULHUBid:VHN-37421
db:BIDid:49136
db:JVNDBid:JVNDB-2011-003794
db:CNNVDid:CNNVD-201108-146
db:NVDid:CVE-2008-7296

LAST UPDATE DATE
2025-04-11T22:54:00.692000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-37421date:2012-08-02T00:00:00
db:BIDid:49136date:2008-11-24T00:00:00
db:JVNDBid:JVNDB-2011-003794date:2012-03-27T00:00:00
db:CNNVDid:CNNVD-201108-146date:2011-08-10T00:00:00
db:NVDid:CVE-2008-7296date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:VULHUBid:VHN-37421date:2011-08-09T00:00:00
db:BIDid:49136date:2008-11-24T00:00:00
db:JVNDBid:JVNDB-2011-003794date:2012-03-27T00:00:00
db:CNNVDid:CNNVD-201108-146date:2011-08-10T00:00:00
db:NVDid:CVE-2008-7296date:2011-08-09T19:55:01.247