Sign-up

ID

VAR-201702-0873


CVE

CVE-2017-2359


TITLE

Apple Safari of Safari Component address bar spoofing vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-001558

DESCRIPTION

An issue was discovered in certain Apple products. Safari before 10.0.3 is affected. The issue involves the "Safari" component, which allows remote attackers to spoof the address bar via a crafted web site. An attacker may exploit this vulnerability to spoof the originating URL of a trusted web site. This issue may allow a remote attacker to carry out phishing-style attacks. Versions prior to Safari 10.0.3 are vulnerable. Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2017-01-23-5 Safari 10.0.3 Safari 10.0.3 is now available and addresses the following: Safari Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.3 Impact: Visiting a malicious website may lead to address bar spoofing Description: A state management issue in the address bar was addressed through improved URL handling. CVE-2017-2359: xisigr of Tencent's Xuanwu Lab (tencent.com) WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.3 Impact: Processing maliciously crafted web content may exfiltrate data cross-origin Description: A prototype access issue was addressed through improved exception handling. CVE-2017-2350: Gareth Heyes of Portswigger Web Security WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.3 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2017-2354: Neymar of Tencent's Xuanwu Lab (tencent.com) working with Trend Micro's Zero Day Initiative CVE-2017-2362: Ivan Fratric of Google Project Zero CVE-2017-2373: Ivan Fratric of Google Project Zero WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.3 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory initialization issue was addressed through improved memory handling. CVE-2017-2355: Team Pangu and lokihardt at PwnFest 2016 WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.3 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed through improved input validation. CVE-2017-2356: Team Pangu and lokihardt at PwnFest 2016 CVE-2017-2366: Kai Kang of Tencent's Xuanwu Lab (tencent.com) CVE-2017-2369: Ivan Fratric of Google Project Zero WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.3 Impact: Processing maliciously crafted web content may exfiltrate data cross-origin Description: Multiple validation issues existed in the handling of page loading. This issue was addressed through improved logic. CVE-2017-2363: lokihardt of Google Project Zero CVE-2017-2364: lokihardt of Google Project Zero WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.3 Impact: Processing maliciously crafted web content may exfiltrate data cross-origin Description: A validation issue existed in variable handling. This issue was addressed through improved validation. CVE-2017-2365: lokihardt of Google Project Zero Additional recognition WebKit hardening We would like to acknowledge Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, and Cristiano Giuffrida of the vusec group at Vrije Universiteit Amsterdam for their assistance. Safari 10.0.3 may be obtained from the Mac App Store. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJYgqLhAAoJEIOj74w0bLRG1wEP/iZzmNGmGqYEEGXg+OXEhps8 Zb0akG3DLteZYCESpdsCUZnwlfOriXUNgjZv15o6iop+gN+bDGTQVzyGZFAiGvYu KJQwPVSNW6w0yzAuCeDFeFQX2VigGcAy2N5XE7g+pZklrWmn/JjAqc+x0UX5jUID Fz9H8MmzJi8NDZ56+7jlz6fHDo/XL8jNlhfvGw/3JPN7glusqHkQhazicoB7URqy X3LxPlIcDzkBD2cKdq56CoYzkgYWjhWFzdRCamVxsDQiH34OSwBrizPxi23NJfsN j4JklMdovaXoNtEQVnuBq4SKvdKxXN4hddBrNClO92681pgqP/y2RvCAzNxvEhhg vljGGOdY1q7wrg+9dKWuVVPnqOpaUHyQKF6d+TN6zp9F+rqQvGqR7ba474gbLQkA XYPyvP/GRI3vNc1n/ytjNUY1DbjxOSgA9a7EgwndAIeMC60plBt7WpfrFzpLsgFe KIADucwXLuueAWY4B7dk3Zdfe5AucV/PVcz/EnLE5ns2j1EuU8QvjxWu6zdEka1Q gERG+at3mYST0/uqHy2dc686c7p6bwVBoPZCYYMvHW5fpwmJtJQkxm/5bBgKFHNw RqIbQnGYTgSymYA5EaVib5Mh93TvB3iwN4EK2dLdtsu9P8uCbIsfB+4q2bVMBHOn e6ebA4//C0r54SmyfMv4 =sLyp -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2017-2359 // JVNDB: JVNDB-2017-001558 // BID: 95724 // VULHUB: VHN-110562 // PACKETSTORM: 140690

AFFECTED PRODUCTS

vendor:applemodel:safariscope:lteversion:10.0.2

Trust: 1.0

vendor:applemodel:safariscope:eqversion:10.0.2

Trust: 0.9

vendor:applemodel:safariscope:ltversion:10.0.3 (macos sierra 10.12.3)

Trust: 0.8

vendor:applemodel:safariscope:ltversion:10.0.3 (os x el capitan v10.11.6)

Trust: 0.8

vendor:applemodel:safariscope:ltversion:10.0.3 (os x yosemite v10.10.5)

Trust: 0.8

vendor:applemodel:safariscope:eqversion:10.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:9.1.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:9.1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:9.1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:9.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:9.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:9.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:8.0.8

Trust: 0.3

vendor:applemodel:safariscope:eqversion:8.0.6

Trust: 0.3

vendor:applemodel:safariscope:eqversion:8.0.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:8.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:8.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.1.8

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.1.6

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.1.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.1.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.0.6

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.2.8

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.2.6

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.2.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.2.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.2.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.1.6

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.1.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.0.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.10

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.6

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.6

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.2.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.3.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.3.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.0

Trust: 0.3

vendor:applemodel:safariscope:eqversion:9.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:9

Trust: 0.3

vendor:applemodel:safariscope:eqversion:8.0.7

Trust: 0.3

vendor:applemodel:safariscope:eqversion:8.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:8.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:8.0

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.1.7

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.1.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.0.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:7.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.2.7

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.2.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.2.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.1.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.1.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:6.0

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.34

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.33

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.31

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.7

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.31

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.30

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.28

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.52

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:10

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.12.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.11.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.10.5

Trust: 0.3

vendor:applemodel:safariscope:neversion:10.0.3

Trust: 0.3

sources: BID: 95724 // JVNDB: JVNDB-2017-001558 // CNNVD: CNNVD-201702-277 // NVD: CVE-2017-2359

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-2359
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-2359
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201702-277
value: MEDIUM

Trust: 0.6

VULHUB: VHN-110562
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-2359
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-110562
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-2359
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-110562 // JVNDB: JVNDB-2017-001558 // CNNVD: CNNVD-201702-277 // NVD: CVE-2017-2359

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-254

Trust: 0.9

sources: VULHUB: VHN-110562 // JVNDB: JVNDB-2017-001558 // NVD: CVE-2017-2359

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-277

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201702-277

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-001558

PATCH
title:Apple security updatesurl:https://support.apple.com/en-us/HT201222
Trust: 0.8
title:APPLE-SA-2017-01-23-5 Safari 10.0.3url:https://lists.apple.com/archives/security-announce/2017/Jan/msg00006.html
Trust: 0.8
title:HT207484url:https://support.apple.com/en-us/HT207484
Trust: 0.8
title:HT207484url:https://support.apple.com/ja-jp/HT207484
Trust: 0.8
title:Apple Safari Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=67562
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-001558 // 
            
            
            
            CNNVD: CNNVD-201702-277

EXTERNAL IDS
db:NVDid:CVE-2017-2359
Trust: 2.9
db:BIDid:95724
Trust: 2.0
db:SECTRACKid:1037669
Trust: 1.7
db:JVNid:JVNVU97915630
Trust: 0.8
db:JVNDBid:JVNDB-2017-001558
Trust: 0.8
db:CNNVDid:CNNVD-201702-277
Trust: 0.7
db:VULHUBid:VHN-110562
Trust: 0.1
db:PACKETSTORMid:140690
Trust: 0.1
sources:
            
            
            VULHUB: VHN-110562 // 
            
            
            
            BID: 95724 // 
            
            
            
            JVNDB: JVNDB-2017-001558 // 
            
            
            
            PACKETSTORM: 140690 // 
            
            
            
            CNNVD: CNNVD-201702-277 // 
            
            
            
            NVD: CVE-2017-2359

REFERENCES
url:http://www.securityfocus.com/bid/95724
Trust: 1.7
url:https://support.apple.com/ht207484
Trust: 1.7
url:http://www.securitytracker.com/id/1037669
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2359
Trust: 0.8
url:http://jvn.jp/vu/jvnvu97915630/index.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-2359
Trust: 0.8
url:http://www.apple.com/safari/download/
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2017-2362
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2363
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2354
Trust: 0.1
url:https://support.apple.com/kb/ht201222
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2365
Trust: 0.1
url:https://www.apple.com/support/security/pgp/
Trust: 0.1
url:https://gpgtools.org
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2350
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2364
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2356
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2366
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2369
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2359
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2355
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2373
Trust: 0.1
sources:
            
            
            VULHUB: VHN-110562 // 
            
            
            
            BID: 95724 // 
            
            
            
            JVNDB: JVNDB-2017-001558 // 
            
            
            
            PACKETSTORM: 140690 // 
            
            
            
            CNNVD: CNNVD-201702-277 // 
            
            
            
            NVD: CVE-2017-2359

CREDITS
xisigr of Tencent's Xuanwu Lab (tencent.com)
Trust: 0.9
sources:
            
            
            BID: 95724 // 
            
            
            
            CNNVD: CNNVD-201702-277

SOURCES
db:VULHUBid:VHN-110562
db:BIDid:95724
db:JVNDBid:JVNDB-2017-001558
db:PACKETSTORMid:140690
db:CNNVDid:CNNVD-201702-277
db:NVDid:CVE-2017-2359

LAST UPDATE DATE
2025-04-20T22:06:18.808000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-110562date:2019-10-03T00:00:00
db:BIDid:95724date:2017-02-02T01:00:00
db:JVNDBid:JVNDB-2017-001558date:2017-02-27T00:00:00
db:CNNVDid:CNNVD-201702-277date:2019-10-23T00:00:00
db:NVDid:CVE-2017-2359date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:VULHUBid:VHN-110562date:2017-02-20T00:00:00
db:BIDid:95724date:2017-01-23T00:00:00
db:JVNDBid:JVNDB-2017-001558date:2017-02-27T00:00:00
db:PACKETSTORMid:140690date:2017-01-24T01:03:14
db:CNNVDid:CNNVD-201702-277date:2017-01-23T00:00:00
db:NVDid:CVE-2017-2359date:2017-02-20T08:59:04.947