Sign-up

ID

VAR-201705-3381


CVE

CVE-2017-2499


TITLE

plural Apple Used in products WebKit Web Inspector component vulnerable to arbitrary unsigned code execution

Trust: 0.8

sources: JVNDB: JVNDB-2017-003819

DESCRIPTION

An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the "WebKit Web Inspector" component. It allows attackers to execute arbitrary unsigned code or cause a denial of service (memory corruption) via a crafted app. Apple iOS , Safari ,and tvOS Used in etc. Webkit is prone to cross-site scripting and arbitrary-code execution vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials or execute arbitrary code within the context of the vulnerable application. in the United States. Apple iOS is an operating system developed for mobile devices; Safari is a web browser that is the default browser included with Mac OS X and iOS operating systems. tvOS is a smart TV operating system. The following products and versions are affected: Apple iOS prior to 10.3.2; Safari prior to 10.1.1; tvOS prior to 10.2.1. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2017-05-15-2 iOS 10.3.2 iOS 10.3.2 is now available and addresses the following: AVEVideoEncoder Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: An application may be able to gain kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-6989: Adam Donenfeld (@doadam) of the Zimperium zLabs Team CoreAudio Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2017-2502: Yangkang (@dnpushme) of Qihoo360 Qex Team iBooks Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: A maliciously crafted book may open arbitrary websites without user permission Description: A URL handling issue was addressed through improved state management. CVE-2017-2497: Jun Kokatsu (@shhnjk) iBooks Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with root privileges Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization. CVE-2017-6981: evi1m0 of YSRC (sec.ly.com) IOSurface Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: An application may be able to gain kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-6979: Adam Donenfeld of Zimperium zLabs Kernel Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed through improved locking. CVE-2017-2501: Ian Beer of Google Project Zero Kernel Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2017-2507: Ian Beer of Google Project Zero CVE-2017-6987: Patrick Wardle of Synack Notifications Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: An application may be able to cause a denial of service Description: A denial of service issue was addressed through improved memory handling. CVE-2017-6982: Vincent Desmurs (vincedes3), Sem Voigtlander (OxFEEDFACE), and Joseph Shenton of CoffeeBreakers Safari Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: Visiting a maliciously crafted webpage may lead to an application denial of service Description: An issue in Safari's history menu was addressed through improved memory handling. CVE-2017-2495: Tubasa Iinuma (@llamakko_cafe) of Gehirn Inc. Security Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: Update to the certificate trust policy Description: A certificate validation issue existed in the handling of untrusted certificates. This issue was addressed through improved user handling of trust acceptance. CVE-2017-2498: Andrew Jerman SQLite Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: A maliciously crafted SQL query may lead to arbitrary code execution Description: A use after free issue was addressed through improved memory management. CVE-2017-2513: found by OSS-Fuzz SQLite Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: A maliciously crafted SQL query may lead to arbitrary code execution Description: A buffer overflow issue was addressed through improved memory handling. CVE-2017-2518: found by OSS-Fuzz CVE-2017-2520: found by OSS-Fuzz SQLite Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: A maliciously crafted SQL query may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2519: found by OSS-Fuzz SQLite Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2017-6983: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative CVE-2017-6991: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative TextInput Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: Parsing maliciously crafted data may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2524: Ian Beer of Google Project Zero WebKit Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-2496: Apple CVE-2017-2505: lokihardt of Google Project Zero CVE-2017-2506: Zheng Huang of the Baidu Security Lab working with Trend Microas Zero Day Initiative CVE-2017-2514: lokihardt of Google Project Zero CVE-2017-2515: lokihardt of Google Project Zero CVE-2017-2521: lokihardt of Google Project Zero CVE-2017-2525: Kai Kang (4B5F5F4B) of Tencentas Xuanwu Lab ( tencent.com) working with Trend Microas Zero Day Initiative CVE-2017-2526: Kai Kang (4B5F5F4B) of Tencentas Xuanwu Lab (tencent.com) working with Trend Microas Zero Day Initiative CVE-2017-2530: Wei Yuan of Baidu Security Lab CVE-2017-2531: lokihardt of Google Project Zero CVE-2017-2538: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative CVE-2017-2539: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative CVE-2017-2544: 360 Security (@mj0011sec) working with Trend Micro's Zero Day Initiative CVE-2017-2547: lokihardt of Google Project Zero, Team Sniper (Keen Lab and PC Mgr) working with Trend Micro's Zero Day Initiative CVE-2017-6980: lokihardt of Google Project Zero CVE-2017-6984: lokihardt of Google Project Zero WebKit Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of WebKit Editor commands. This issue was addressed with improved state management. CVE-2017-2504: lokihardt of Google Project Zero WebKit Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of WebKit container nodes. This issue was addressed with improved state management. CVE-2017-2508: lokihardt of Google Project Zero WebKit Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of pageshow events. This issue was addressed with improved state management. CVE-2017-2510: lokihardt of Google Project Zero WebKit Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of WebKit cached frames. This issue was addressed with improved state management. CVE-2017-2528: lokihardt of Google Project Zero WebKit Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues with addressed through improved memory handling. CVE-2017-2536: Samuel GroA and Niklas Baumstark working with Trend Micro's Zero Day Initiative WebKit Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in frame loading. This issue was addressed with improved state management. CVE-2017-2499: George Dan (@theninjaprawn) Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "10.3.2". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIbBAEBCgAGBQJZGd7rAAoJEIOj74w0bLRGS4kP+Lc6slIXsaBr4WUGGX9bn0ej klXxesL3SNerIMYNK3HUnw/8bM3uhsxKcb8I1OC0lFw3xqtxCs2Mt7qDWOvZ8yvy 7eg55Pbx/YVQUV3fSCTRYsGclHFAVNvw7NxgXJEh27Jb+3pLleLzOlepMwhgstxy REEhMVZrjkzQNEXU14r+o7YePowIezfs9pPBYyT/jQk3z5DH/kxIe9J8nP/4yHU3 1Ygvm/VwgXjdMVzR60WY72D/jahVePFK0gjR0omOsYc7KslOirkJ18arf7MI3iC5 yOVs6zvh17nPvQXJr5rbZivMfD5RWB+iTAFtdlT9vReEDgSjizxn/kiwWWeujOzB ORZmk+BZ0NzSR07sMrINeWmqAhgxKT3D7eCslU/BcRtLoIEsFvje+HgUk7gxoA0U xirgc0nKaB2eNrUxw7GFtV0pWq5fNwdZ2HWQvBL9e73up+XDi9TE/xylUzTGx50b SJl/N491dvIE8BmDUTRlkkTE44SQcATppE76CoLj8y/ncva/Os5KgybZt0Hq0zAV HA8yprCh35iTtqn3D4KyN85XJaLBuYn8nAmF0VQ6ixSekmc6e9RY1vqG7yFXTTkb P9TPLHpbuPGeRenvm/WezkJCQJsUQ64UwT07evtXJfHLuWGCfF4pLIkvfSiVaI8G ucaPHZqagilOIk1zNYk= =26IY -----END PGP SIGNATURE-----

Trust: 2.25

sources: NVD: CVE-2017-2499 // JVNDB: JVNDB-2017-003819 // BID: 98473 // VULHUB: VHN-110702 // PACKETSTORM: 142507 // PACKETSTORM: 142509 // PACKETSTORM: 142513

AFFECTED PRODUCTS

vendor:applemodel:tvosscope:ltversion:10.2.1

Trust: 1.0

vendor:applemodel:safariscope:ltversion:10.1.1

Trust: 1.0

vendor:applemodel:iphone osscope:ltversion:10.3.2

Trust: 1.0

vendor:applemodel:safariscope:eqversion:10.1

Trust: 0.9

vendor:applemodel:iosscope:ltversion:10.3.2 (ipad first 4 generation or later )

Trust: 0.8

vendor:applemodel:iosscope:ltversion:10.3.2 (iphone 5 or later )

Trust: 0.8

vendor:applemodel:iosscope:ltversion:10.3.2 (ipod touch first 6 generation )

Trust: 0.8

vendor:applemodel:safariscope:ltversion:10.1.1 (macos sierra 10.12.5)

Trust: 0.8

vendor:applemodel:safariscope:ltversion:10.1.1 (os x el capitan 10.11.6)

Trust: 0.8

vendor:applemodel:safariscope:ltversion:10.1.1 (os x yosemite 10.10.5)

Trust: 0.8

vendor:applemodel:tvosscope:ltversion:10.2.1 (apple tv ( first 4 generation ))

Trust: 0.8

vendor:applemodel:tvscope:eqversion:10.2

Trust: 0.6

vendor:applemodel:iphone osscope:eqversion:10.3.1

Trust: 0.6

vendor:gentoomodel:linuxscope: - version: -

Trust: 0.3

vendor:applemodel:tvosscope:eqversion:10.1.1

Trust: 0.3

vendor:applemodel:tvosscope:eqversion:10.0.1

Trust: 0.3

vendor:applemodel:tvosscope:eqversion:9.2.2

Trust: 0.3

vendor:applemodel:tvosscope:eqversion:9.2.1

Trust: 0.3

vendor:applemodel:tvosscope:eqversion:9.1.1

Trust: 0.3

vendor:applemodel:tvosscope:eqversion:9.2

Trust: 0.3

vendor:applemodel:tvosscope:eqversion:9.1

Trust: 0.3

vendor:applemodel:tvosscope:eqversion:9.0

Trust: 0.3

vendor:applemodel:tvosscope:eqversion:10.2

Trust: 0.3

vendor:applemodel:tvosscope:eqversion:10.1

Trust: 0.3

vendor:applemodel:tvosscope:eqversion:10

Trust: 0.3

vendor:applemodel:safariscope:eqversion:10.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.6

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.6

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.2.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.3.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.3.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.0

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.7

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:10.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:10.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:10

Trust: 0.3

vendor:applemodel:iosscope:eqversion:50

Trust: 0.3

vendor:applemodel:iosscope:eqversion:40

Trust: 0.3

vendor:applemodel:iosscope:eqversion:30

Trust: 0.3

vendor:applemodel:iosscope:eqversion:10.2.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:10.0.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:9.3.4

Trust: 0.3

vendor:applemodel:iosscope:eqversion:9.3.3

Trust: 0.3

vendor:applemodel:iosscope:eqversion:9.3.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:9.3.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:9.2.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:9.0.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:9.0.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:8.4.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:7.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:7.0.6

Trust: 0.3

vendor:applemodel:iosscope:eqversion:7.0.5

Trust: 0.3

vendor:applemodel:iosscope:eqversion:7.0.3

Trust: 0.3

vendor:applemodel:iosscope:eqversion:7.0.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:7.0.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:6.3.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:6.1.6

Trust: 0.3

vendor:applemodel:iosscope:eqversion:6.1.4

Trust: 0.3

vendor:applemodel:iosscope:eqversion:6.1.3

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.0.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.0.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:3.2.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:3.2.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:9.3.5

Trust: 0.3

vendor:applemodel:iosscope:eqversion:9.3

Trust: 0.3

vendor:applemodel:iosscope:eqversion:9.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:9.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:9

Trust: 0.3

vendor:applemodel:iosscope:eqversion:8.4

Trust: 0.3

vendor:applemodel:iosscope:eqversion:8.3

Trust: 0.3

vendor:applemodel:iosscope:eqversion:8.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:8.1.3

Trust: 0.3

vendor:applemodel:iosscope:eqversion:8.1.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:8.1.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:8.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:8

Trust: 0.3

vendor:applemodel:iosscope:eqversion:7.1.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:7.1.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:7.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:7.0.4

Trust: 0.3

vendor:applemodel:iosscope:eqversion:7

Trust: 0.3

vendor:applemodel:iosscope:eqversion:6.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:6.0.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:6.0.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:6

Trust: 0.3

vendor:applemodel:iosscope:eqversion:5.1.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:5.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:5.0.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:5

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.3.5

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.3.4

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.3.3

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.3.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.3.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.3

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.9

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.8

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.7

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.6

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.5

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.10

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4

Trust: 0.3

vendor:applemodel:iosscope:eqversion:3.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:3.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:3.0

Trust: 0.3

vendor:applemodel:iosscope:eqversion:2.0

Trust: 0.3

vendor:applemodel:iosscope:eqversion:10.3.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:10.3

Trust: 0.3

vendor:applemodel:iosscope:eqversion:10.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:10.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:10

Trust: 0.3

vendor:applemodel:tvosscope:neversion:10.2.1

Trust: 0.3

vendor:applemodel:safariscope:neversion:10.1.1

Trust: 0.3

vendor:applemodel:iosscope:neversion:10.3.2

Trust: 0.3

sources: BID: 98473 // JVNDB: JVNDB-2017-003819 // CNNVD: CNNVD-201705-1021 // NVD: CVE-2017-2499

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-2499
value: HIGH

Trust: 1.0

NVD: CVE-2017-2499
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201705-1021
value: HIGH

Trust: 0.6

VULHUB: VHN-110702
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-2499
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-110702
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-2499
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-110702 // JVNDB: JVNDB-2017-003819 // CNNVD: CNNVD-201705-1021 // NVD: CVE-2017-2499

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-110702 // JVNDB: JVNDB-2017-003819 // NVD: CVE-2017-2499

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201705-1021

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201705-1021

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-003819

PATCH
title:Apple security updatesurl:https://support.apple.com/en-us/HT201222
Trust: 0.8
title:HT207804url:https://support.apple.com/en-us/HT207804
Trust: 0.8
title:HT207798url:https://support.apple.com/en-us/HT207798
Trust: 0.8
title:HT207801url:https://support.apple.com/en-us/HT207801
Trust: 0.8
title:HT207798url:https://support.apple.com/ja-jp/HT207798
Trust: 0.8
title:HT207801url:https://support.apple.com/ja-jp/HT207801
Trust: 0.8
title:HT207804url:https://support.apple.com/ja-jp/HT207804
Trust: 0.8
title:Apple iOS , Safari  and tvOS WebKit Web Inspector Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70497
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-003819 // 
            
            
            
            CNNVD: CNNVD-201705-1021

EXTERNAL IDS
db:NVDid:CVE-2017-2499
Trust: 3.1
db:BIDid:98473
Trust: 2.0
db:SECTRACKid:1038487
Trust: 1.7
db:JVNid:JVNVU98089541
Trust: 0.8
db:JVNDBid:JVNDB-2017-003819
Trust: 0.8
db:CNNVDid:CNNVD-201705-1021
Trust: 0.7
db:PACKETSTORMid:142509
Trust: 0.2
db:VULHUBid:VHN-110702
Trust: 0.1
db:PACKETSTORMid:142507
Trust: 0.1
db:PACKETSTORMid:142513
Trust: 0.1
sources:
            
            
            VULHUB: VHN-110702 // 
            
            
            
            BID: 98473 // 
            
            
            
            JVNDB: JVNDB-2017-003819 // 
            
            
            
            PACKETSTORM: 142507 // 
            
            
            
            PACKETSTORM: 142509 // 
            
            
            
            PACKETSTORM: 142513 // 
            
            
            
            CNNVD: CNNVD-201705-1021 // 
            
            
            
            NVD: CVE-2017-2499

REFERENCES
url:http://www.securityfocus.com/bid/98473
Trust: 1.7
url:https://support.apple.com/ht207798
Trust: 1.7
url:https://support.apple.com/ht207801
Trust: 1.7
url:https://support.apple.com/ht207804
Trust: 1.7
url:http://www.securitytracker.com/id/1038487
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2017-2499
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2499
Trust: 0.8
url:http://jvn.jp/vu/jvnvu98089541/index.html
Trust: 0.8
url:https://www.apple.com/
Trust: 0.3
url:http://www.apple.com/ios/
Trust: 0.3
url:http://www.apple.com/safari/download/
Trust: 0.3
url:http://www.apple.com/accessibility/tvos/
Trust: 0.3
url:https://support.apple.com/kb/ht201222
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2017-2531
Trust: 0.3
url:https://gpgtools.org
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2017-2506
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2017-2504
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2017-2505
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2017-2530
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2017-2525
Trust: 0.3
url:https://www.apple.com/support/security/pgp/
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2017-2536
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2017-2515
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2017-2521
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2017-2514
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2502
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2528
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2520
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2519
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2538
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2507
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2508
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2526
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2518
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2496
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2513
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2524
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2510
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2501
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2495
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-6984
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-2549
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-6980
Trust: 0.2
url:https://www.apple.com/itunes/
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2498
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2497
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-6989
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-6987
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-6979
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2547
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2511
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2500
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2539
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-2544
Trust: 0.1
sources:
            
            
            VULHUB: VHN-110702 // 
            
            
            
            BID: 98473 // 
            
            
            
            JVNDB: JVNDB-2017-003819 // 
            
            
            
            PACKETSTORM: 142507 // 
            
            
            
            PACKETSTORM: 142509 // 
            
            
            
            PACKETSTORM: 142513 // 
            
            
            
            CNNVD: CNNVD-201705-1021 // 
            
            
            
            NVD: CVE-2017-2499

CREDITS
lokihardt of Google Project Zero, Kai Kang (4B5F5F4B) of Tencent’s Xuanwu Lab (tencent.com) working with Trend Micro’s Zero Day Initiative, Samuel Groß and Niklas Baumstark working with Trend Micro's Zero Day Initiative and George Dan (@t
Trust: 0.3
sources:
            
            
            BID: 98473

SOURCES
db:VULHUBid:VHN-110702
db:BIDid:98473
db:JVNDBid:JVNDB-2017-003819
db:PACKETSTORMid:142507
db:PACKETSTORMid:142509
db:PACKETSTORMid:142513
db:CNNVDid:CNNVD-201705-1021
db:NVDid:CVE-2017-2499

LAST UPDATE DATE
2025-04-20T21:52:58.725000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-110702date:2019-03-21T00:00:00
db:BIDid:98473date:2017-06-08T09:02:00
db:JVNDBid:JVNDB-2017-003819date:2017-06-08T00:00:00
db:CNNVDid:CNNVD-201705-1021date:2019-03-13T00:00:00
db:NVDid:CVE-2017-2499date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:VULHUBid:VHN-110702date:2017-05-22T00:00:00
db:BIDid:98473date:2017-05-15T00:00:00
db:JVNDBid:JVNDB-2017-003819date:2017-06-08T00:00:00
db:PACKETSTORMid:142507date:2017-05-15T14:44:44
db:PACKETSTORMid:142509date:2017-05-15T19:32:22
db:PACKETSTORMid:142513date:2017-05-16T03:23:22
db:CNNVDid:CNNVD-201705-1021date:2017-05-23T00:00:00
db:NVDid:CVE-2017-2499date:2017-05-22T05:29:00.427