ID

VAR-201711-0478


CVE

CVE-2017-13790


TITLE

Apple Safari: address bar spoofing vulnerability in the Safari component

Trust: 0.8

sources: JVNDB: JVNDB-2017-010334

DESCRIPTION

An issue was discovered in certain Apple products. Safari before 11.0.1 is affected. The issue involves the "Safari" component. It allows remote attackers to spoof the address bar via a crafted web site. Apple Safari is a web browser developed by Apple and is the default browser included with the Mac OS X and iOS operating systems. A security vulnerability exists in the Safari component in versions of Apple Safari prior to 11.0.1.

APPLE-SA-2017-10-31-5 Safari 11.1

Safari 11.1 is now available and addresses the following:

Safari
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2017-13789: xisigr of Tencent's Xuanwu Lab (tencent.com)
CVE-2017-13790: Zhiyang Zeng (@Wester) of Tencent Security Platform Department

WebKit
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-13785: Ivan Fratric of Google Project Zero
CVE-2017-13784: Ivan Fratric of Google Project Zero
CVE-2017-13783: Ivan Fratric of Google Project Zero
CVE-2017-13788: xisigr of Tencent's Xuanwu Lab (tencent.com)
CVE-2017-13798: Ivan Fratric of Google Project Zero
CVE-2017-13795: Ivan Fratric of Google Project Zero
CVE-2017-13802: Ivan Fratric of Google Project Zero
CVE-2017-13792: Ivan Fratric of Google Project Zero
CVE-2017-13794: Ivan Fratric of Google Project Zero
CVE-2017-13791: Ivan Fratric of Google Project Zero
CVE-2017-13796: Ivan Fratric of Google Project Zero
CVE-2017-13793: Hanul Choi working with Trend Micro's Zero Day Initiative
CVE-2017-13803: chenqin (ee|) of Ant-financial Light-Year Security

Installation note:
Safari 11.1 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 1.8

sources: NVD: CVE-2017-13790 // JVNDB: JVNDB-2017-010334 // VULHUB: VHN-104448 // PACKETSTORM: 144861

AFFECTED PRODUCTS

vendor: apple | model: safari | scope: lte | version: 11.0

Trust: 1.0

vendor: apple | model: safari | scope: lt | version: 11.0.1 (macos high sierra 10.13)

Trust: 0.8

vendor: apple | model: safari | scope: lt | version: 11.0.1 (macos sierra 10.12.6)

Trust: 0.8

vendor: apple | model: safari | scope: lt | version: 11.0.1 (os x el capitan 10.11.6)

Trust: 0.8

vendor: apple | model: safari | scope: eq | version: 11.0

Trust: 0.6

sources: JVNDB: JVNDB-2017-010334 // CNNVD: CNNVD-201709-099 // NVD: CVE-2017-13790

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-13790
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-13790
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201709-099
value: MEDIUM

Trust: 0.6

VULHUB: VHN-104448
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-13790
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-104448
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-13790
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-104448 // JVNDB: JVNDB-2017-010334 // CNNVD: CNNVD-201709-099 // NVD: CVE-2017-13790

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.9

sources: VULHUB: VHN-104448 // JVNDB: JVNDB-2017-010334 // NVD: CVE-2017-13790

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-099

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201709-099

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-010334

PATCH

title: Apple security updates | url: https://support.apple.com/en-us/HT201222

Trust: 0.8

title: HT208223 | url: https://support.apple.com/en-us/HT208223

Trust: 0.8

title: HT208223 | url: https://support.apple.com/ja-jp/HT208223

Trust: 0.8

sources: JVNDB: JVNDB-2017-010334

EXTERNAL IDS

db: NVD | id: CVE-2017-13790

Trust: 2.6

db: SECTRACK | id: 1039706

Trust: 1.1

db: JVN | id: JVNVU99000953

Trust: 0.8

db: JVNDB | id: JVNDB-2017-010334

Trust: 0.8

db: CNNVD | id: CNNVD-201709-099

Trust: 0.7

db: VULHUB | id: VHN-104448

Trust: 0.1

db: PACKETSTORM | id: 144861

Trust: 0.1

sources: VULHUB: VHN-104448 // JVNDB: JVNDB-2017-010334 // PACKETSTORM: 144861 // CNNVD: CNNVD-201709-099 // NVD: CVE-2017-13790

REFERENCES

url:https://support.apple.com/ht208223

Trust: 1.7

url:http://www.securitytracker.com/id/1039706

Trust: 1.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13790

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-13790

Trust: 0.8

url:http://jvn.jp/vu/jvnvu99000953/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-13795

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13802

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13785

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13798

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13784

Trust: 0.1

url:https://support.apple.com/kb/ht201222

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13796

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13791

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13803

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13789

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13792

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13794

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13793

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13783

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-13788

Trust: 0.1

sources: VULHUB: VHN-104448 // JVNDB: JVNDB-2017-010334 // PACKETSTORM: 144861 // CNNVD: CNNVD-201709-099 // NVD: CVE-2017-13790

CREDITS

Apple

Trust: 0.1

sources: PACKETSTORM: 144861

SOURCES

db: VULHUB | id: VHN-104448
db: JVNDB | id: JVNDB-2017-010334
db: PACKETSTORM | id: 144861
db: CNNVD | id: CNNVD-201709-099
db: NVD | id: CVE-2017-13790

LAST UPDATE DATE

2025-04-20T19:40:08.905000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-104448 | date: 2017-11-28T00:00:00
db: JVNDB | id: JVNDB-2017-010334 | date: 2017-12-12T00:00:00
db: CNNVD | id: CNNVD-201709-099 | date: 2017-11-14T00:00:00
db: NVD | id: CVE-2017-13790 | date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB | id: VHN-104448 | date: 2017-11-13T00:00:00
db: JVNDB | id: JVNDB-2017-010334 | date: 2017-12-12T00:00:00
db: PACKETSTORM | id: 144861 | date: 2017-11-02T23:34:42
db: CNNVD | id: CNNVD-201709-099 | date: 2017-08-30T00:00:00
db: NVD | id: CVE-2017-13790 | date: 2017-11-13T03:29:00.520