Sign-up

ID

VAR-201712-0591


CVE

CVE-2017-17821


TITLE

Safari Technology Preview Buffer error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-011755

DESCRIPTION

WTF/wtf/FastBitVector.h in WebKit, as distributed in Safari Technology Preview Release 46, allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact because it calls the FastBitVectorWordOwner::resizeSlow function (in WTF/wtf/FastBitVector.cpp) for a purpose other than initializing a bitvector size, and resizeSlow mishandles cases where the old array length is greater than the new array length. Safari Technology Preview Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apple Safari Technology Preview is a browser of Apple (Apple). WebKit is an open source web browser engine developed by the KDE community and is currently used by browsers such as Apple Safari and Google Chrome. There is a security vulnerability in the WTF/wtf/FastBitVector.h file of WebKit in Apple Safari Technology Preview Release 46. The vulnerability is caused by the program calling the 'FastBitVectorWordOwner::resizeSlow' function which is not used to initialize bitvector. A remote attacker could exploit this vulnerability to cause a denial of service (buffer overflow)

Trust: 1.71

sources: NVD: CVE-2017-17821 // JVNDB: JVNDB-2017-011755 // VULHUB: VHN-108882

AFFECTED PRODUCTS

vendor:applemodel:safariscope:eqversion:46

Trust: 1.6

vendor:applemodel:safariscope:eqversion:technology preview release 46

Trust: 0.8

sources: JVNDB: JVNDB-2017-011755 // CNNVD: CNNVD-201712-849 // NVD: CVE-2017-17821

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-17821
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-17821
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201712-849
value: HIGH

Trust: 0.6

VULHUB: VHN-108882
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-17821
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-108882
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-17821
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-108882 // JVNDB: JVNDB-2017-011755 // CNNVD: CNNVD-201712-849 // NVD: CVE-2017-17821

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-108882 // JVNDB: JVNDB-2017-011755 // NVD: CVE-2017-17821

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-849

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201712-849

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-011755

PATCH
title:Safari Technology Previewurl:https://developer.apple.com/safari/technology-preview/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2017-011755

EXTERNAL IDS
db:NVDid:CVE-2017-17821
Trust: 2.5
db:JVNDBid:JVNDB-2017-011755
Trust: 0.8
db:CNNVDid:CNNVD-201712-849
Trust: 0.7
db:VULHUBid:VHN-108882
Trust: 0.1
sources:
            
            
            VULHUB: VHN-108882 // 
            
            
            
            JVNDB: JVNDB-2017-011755 // 
            
            
            
            CNNVD: CNNVD-201712-849 // 
            
            
            
            NVD: CVE-2017-17821

REFERENCES
url:https://github.com/dwfault/pocs/blob/master/webkit%20misuse%20of%20wtf:wtf:fastbitvector%20result%20in%20potential%20bof/webkit%20misuse%20of%20wtf:wtf:fastbitvector%20result%20in%20potential%20bof.md
Trust: 2.5
url:https://bugs.webkit.org/show_bug.cgi?id=181020
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17821
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-17821
Trust: 0.8
sources:
            
            
            VULHUB: VHN-108882 // 
            
            
            
            JVNDB: JVNDB-2017-011755 // 
            
            
            
            CNNVD: CNNVD-201712-849 // 
            
            
            
            NVD: CVE-2017-17821

SOURCES
db:VULHUBid:VHN-108882
db:JVNDBid:JVNDB-2017-011755
db:CNNVDid:CNNVD-201712-849
db:NVDid:CVE-2017-17821

LAST UPDATE DATE
2025-04-20T23:32:01.408000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-108882date:2018-01-10T00:00:00
db:JVNDBid:JVNDB-2017-011755date:2018-01-25T00:00:00
db:CNNVDid:CNNVD-201712-849date:2017-12-22T00:00:00
db:NVDid:CVE-2017-17821date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:VULHUBid:VHN-108882date:2017-12-21T00:00:00
db:JVNDBid:JVNDB-2017-011755date:2018-01-25T00:00:00
db:CNNVDid:CNNVD-201712-849date:2017-12-22T00:00:00
db:NVDid:CVE-2017-17821date:2017-12-21T03:29:00.630