Details of VAR-201904-1473

ID

VAR-201904-1473

CVE

CVE-2018-4359

TITLE

plural Apple Memory corruption vulnerability in products

Trust: 0.8

sources: JVNDB: JVNDB-2018-014925

DESCRIPTION

Multiple memory corruption issues were addressed with improved memory handling. This issue affected versions prior to iOS 12, tvOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7. Apple Has released an update for each product.The expected impact depends on each vulnerability, but can be affected as follows: * Service operation interruption (DoS) * Arbitrary code execution * Script execution * information leak * Access restriction avoidance. Apple Safari, etc. are all products of Apple (Apple). Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. WebKit is one of the web browser engine components. A buffer error vulnerability exists in the WebKit component of several Apple products. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201812-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: WebkitGTK+: Multiple vulnerabilities Date: December 02, 2018 Bugs: #667892 ID: 201812-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in WebKitGTK+, the worst of which may lead to arbitrary code execution. Background ========== WebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-libs/webkit-gtk < 2.22.0 >= 2.22.0 Description =========== Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All WebkitGTK+ users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.22.0" References ========== [ 1 ] CVE-2018-4191 https://nvd.nist.gov/vuln/detail/CVE-2018-4191 [ 2 ] CVE-2018-4197 https://nvd.nist.gov/vuln/detail/CVE-2018-4197 [ 3 ] CVE-2018-4207 https://nvd.nist.gov/vuln/detail/CVE-2018-4207 [ 4 ] CVE-2018-4208 https://nvd.nist.gov/vuln/detail/CVE-2018-4208 [ 5 ] CVE-2018-4209 https://nvd.nist.gov/vuln/detail/CVE-2018-4209 [ 6 ] CVE-2018-4210 https://nvd.nist.gov/vuln/detail/CVE-2018-4210 [ 7 ] CVE-2018-4212 https://nvd.nist.gov/vuln/detail/CVE-2018-4212 [ 8 ] CVE-2018-4213 https://nvd.nist.gov/vuln/detail/CVE-2018-4213 [ 9 ] CVE-2018-4299 https://nvd.nist.gov/vuln/detail/CVE-2018-4299 [ 10 ] CVE-2018-4306 https://nvd.nist.gov/vuln/detail/CVE-2018-4306 [ 11 ] CVE-2018-4309 https://nvd.nist.gov/vuln/detail/CVE-2018-4309 [ 12 ] CVE-2018-4311 https://nvd.nist.gov/vuln/detail/CVE-2018-4311 [ 13 ] CVE-2018-4312 https://nvd.nist.gov/vuln/detail/CVE-2018-4312 [ 14 ] CVE-2018-4314 https://nvd.nist.gov/vuln/detail/CVE-2018-4314 [ 15 ] CVE-2018-4315 https://nvd.nist.gov/vuln/detail/CVE-2018-4315 [ 16 ] CVE-2018-4316 https://nvd.nist.gov/vuln/detail/CVE-2018-4316 [ 17 ] CVE-2018-4317 https://nvd.nist.gov/vuln/detail/CVE-2018-4317 [ 18 ] CVE-2018-4318 https://nvd.nist.gov/vuln/detail/CVE-2018-4318 [ 19 ] CVE-2018-4319 https://nvd.nist.gov/vuln/detail/CVE-2018-4319 [ 20 ] CVE-2018-4323 https://nvd.nist.gov/vuln/detail/CVE-2018-4323 [ 21 ] CVE-2018-4328 https://nvd.nist.gov/vuln/detail/CVE-2018-4328 [ 22 ] CVE-2018-4358 https://nvd.nist.gov/vuln/detail/CVE-2018-4358 [ 23 ] CVE-2018-4359 https://nvd.nist.gov/vuln/detail/CVE-2018-4359 [ 24 ] CVE-2018-4361 https://nvd.nist.gov/vuln/detail/CVE-2018-4361 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201812-04 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. License ======= Copyright 2018 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . CVE-2018-4305: Jerry Decime Kernel Available for: Apple Watch Series 1 and later Impact: An application may be able to read restricted memory Description: An input validation issue existed in the kernel. CVE-2018-4313: 11 anonymous researchers, David Scott, Enes Mert Ulu of Abdullah MA1/4rAide AzA1/4nenek Anadolu Lisesi - Ankara/TA1/4rkiye, Mehmet Ferit DaAtan of Van YA1/4zA1/4ncA1/4 YA+-l University, Metin Altug Karakaya of Kaliptus Medical Organization, Vinodh Swami of Western Governor's University (WGU) Security Available for: Apple Watch Series 1 and later Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm Description: This issue was addressed by removing RC4. SQLite We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance. Installation note: Instructions on how to update your Apple Watch software are available at https://support.apple.com/kb/HT204641 To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select "My Watch > General > About". Alternatively, on your watch, select "My Watch > General > About". -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2018-9-24-3 Additional information for APPLE-SA-2018-9-17-4 Safari 12 Safari 12 addresses the following: Safari Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: A user may be unable to delete browsing history items Description: Clearing a history item may not clear visits with redirect chains. CVE-2018-4329: Hugo S. Diaz (coldpointblue) Safari Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Visiting a malicious website by clicking a link may lead to user interface spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2018-4195: xisigr of Tencent's Xuanwu Lab (www.tencent.com) Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: A malicious website may be able to exfiltrate autofilled data in Safari Description: A logic issue was addressed with improved state management. CVE-2018-4307: Rafay Baloch of Pakistan Telecommunications Authority WebKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Unexpected interaction causes an ASSERT failure Description: A memory corruption issue was addressed with improved validation. CVE-2018-4191: found by OSS-Fuzz Entry added September 24, 2018 WebKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Cross-origin SecurityErrors includes the accessed frame's origin Description: The issue was addressed by removing origin information. CVE-2018-4311: Erling Alf Ellingsen (@steike) Entry added September 24, 2018 WebKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2018-4316: crixer, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team Entry added September 24, 2018 WebKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4319: John Pettitt of Google Entry added September 24, 2018 WebKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: A malicious website may be able to execute scripts in the context of another website Description: A cross-site scripting issue existed in Safari. CVE-2018-4309: an anonymous researcher working with Trend Micro's Zero Day Initiative Entry added September 24, 2018 WebKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2018-4345: an anonymous researcher Entry added September 24, 2018 WebKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Unexpected interaction causes an ASSERT failure Description: A memory consumption issue was addressed with improved memory handling. CVE-2018-4361: found by Google OSS-Fuzz Entry added September 24, 2018 Additional recognition WebKit We would like to acknowledge Cary Hartline, Hanming Zhang from 360 Vuclan team, Tencent Keen Security Lab working with Trend Micro's Zero Day Initiative, and Zach Malone of CA Technologies for their assistance. Installation note: Safari 12 may be obtained from the Mac App Store. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlupFUIACgkQeC9tht7T K3EOzBAAr4Kr9hZVKV603mOTE9cq6boEBYJLYJUN2/VjLzBPYWYr/e8tPg0P1EWr i67b/0pWifR6A73F53oCxMzdumfwC4by2n106ABrx5KPYmbz5YBk8X/YEEWokBdK zK/AJpQo768pTUIxlVuhIOsCLOieMRX3kiPWIg10WeIEggEnyavK9/emNyUu08GV AXviCAz2vohBgG0pAvgKt2HD/yTxG2n+gdP9krOT9mMh0aH1tTlZ8107cF2bTWwv yZw9LSCELre6cKOx4iDaY+vpPWGXwI+8+6hXYqKjNBomgJhLeQVqIdBo29IM0HTO FZcyrQ5djoNDl8ZfGUAwFtyDhD4Fmdb/JyDdvLXME/GL2fPWG8hqDS5EGU/cNIus ugQv/zsm6pXqLWt+sxbP5lU4Uuwfkw4H7HwwBxoE04ufGfxurEBgTIIQn+KwYg9J ODrdoqsIDThOtqQHxzp0//+rs0hg49jGm4P8eSG86Oycoyw/Q9/pzCKeQGazfyfF cTNX3wsZA84RVbHLVWbp0ZnYhVrH1iL61ipzH2hDTUbjelvv4u4pN6flIM6Kw9uN J5bYuFOXzv61bxMe8fdAlZixqFXqJ5oNBTZOdaicZEKmfRTTh4p1BLTWcFSRbp7K wCXqHSwmD7RjGr0Qbr/CvJFb/+kOrzQIHX7sCR6ZIusZPLpTYXI= =4ySP -----END PGP SIGNATURE----- . ----------------------------------------------------------------------- WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0007 ------------------------------------------------------------------------ Date reported : September 26, 2018 Advisory ID : WSA-2018-0007 WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2018-0007.html WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2018-0007.html CVE identifiers : CVE-2018-4207, CVE-2018-4208, CVE-2018-4209, CVE-2018-4210, CVE-2018-4212, CVE-2018-4213, CVE-2018-4191, CVE-2018-4197, CVE-2018-4299, CVE-2018-4306, CVE-2018-4309, CVE-2018-4311, CVE-2018-4312, CVE-2018-4314, CVE-2018-4315, CVE-2018-4316, CVE-2018-4317, CVE-2018-4318, CVE-2018-4319, CVE-2018-4323, CVE-2018-4328, CVE-2018-4358, CVE-2018-4359, CVE-2018-4361. Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit. CVE-2018-4207 Versions affected: WebKitGTK+ before 2.20.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks. CVE-2018-4208 Versions affected: WebKitGTK+ before 2.20.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks. CVE-2018-4209 Versions affected: WebKitGTK+ before 2.20.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks. CVE-2018-4210 Versions affected: WebKitGTK+ before 2.20.0. Credit to Google OSS-Fuzz. Unexpected interaction with indexing types caused a failure. An array indexing issue existed in the handling of a function in JavaScriptCore. This issue was addressed with improved checks. CVE-2018-4212 Versions affected: WebKitGTK+ before 2.20.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks. CVE-2018-4213 Versions affected: WebKitGTK+ before 2.20.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks. CVE-2018-4191 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure. CVE-2018-4197 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2018-4299 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Samuel GroI2 (saelo) working with Trend Micro's Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2018-4306 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2018-4309 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to an anonymous researcher working with Trend Micro's Zero Day Initiative. A malicious website may be able to execute scripts in the context of another website. A cross-site scripting issue existed in WebKit. This issue was addressed with improved URL validation. CVE-2018-4311 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Erling Alf Ellingsen (@steike). Cross-origin SecurityErrors includes the accessed frameas origin. The issue was addressed by removing origin information. CVE-2018-4312 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2018-4314 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2018-4315 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2018-4316 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to crixer, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2018-4317 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2018-4318 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2018-4319 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to John Pettitt of Google. A malicious website may cause unexepected cross-origin behavior. A cross-origin issue existed with iframe elements. This was addressed with improved tracking of security origins. CVE-2018-4323 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2018-4328 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2018-4358 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to @phoenhex team (@bkth_ @5aelo @_niklasb) working with Trend Micro's Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2018-4359 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Samuel GroA (@5aelo). Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2018-4361 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure. We recommend updating to the latest stable versions of WebKitGTK+ and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases. Further information about WebKitGTK+ and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/. The WebKitGTK+ and WPE WebKit team, September 26, 2018

Trust: 3.15

sources: NVD: CVE-2018-4359 // JVNDB: JVNDB-2018-014925 // JVNDB: JVNDB-2018-008148 // VULHUB: VHN-134390 // VULMON: CVE-2018-4359 // PACKETSTORM: 150115 // PACKETSTORM: 150560 // PACKETSTORM: 150114 // PACKETSTORM: 149515 // PACKETSTORM: 149513 // PACKETSTORM: 149605 // PACKETSTORM: 149722

AFFECTED PRODUCTS

vendor:	apple	model:	safari	scope:	lt	version:	12	Trust: 1.0
vendor:	apple	model:	watchos	scope:	lt	version:	5.0	Trust: 1.0
vendor:	apple	model:	icloud	scope:	lt	version:	7.7	Trust: 1.0
vendor:	apple	model:	iphone os	scope:	lt	version:	12.0	Trust: 1.0
vendor:	apple	model:	itunes	scope:	lt	version:	12.9	Trust: 1.0
vendor:	apple	model:	tvos	scope:	lt	version:	12	Trust: 1.0
vendor:	apple	model:	icloud	scope:	lt	version:	for windows 7.7 (windows 7 or later )	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	12 (ipad air or later )	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	12 (iphone 5s or later )	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	12 (ipod touch first 6 generation )	Trust: 0.8
vendor:	apple	model:	itunes	scope:	lt	version:	for windows 12.9 (windows 7 or later )	Trust: 0.8
vendor:	apple	model:	safari	scope:	lt	version:	12 (macos high sierra 10.13.6)	Trust: 0.8
vendor:	apple	model:	safari	scope:	lt	version:	12 (macos mojave 10.14)	Trust: 0.8
vendor:	apple	model:	safari	scope:	lt	version:	12 (macos sierra 10.12.6)	Trust: 0.8
vendor:	apple	model:	tvos	scope:	lt	version:	12 (apple tv 4k)	Trust: 0.8
vendor:	apple	model:	tvos	scope:	lt	version:	12 (apple tv first 4 generation )	Trust: 0.8
vendor:	apple	model:	watchos	scope:	lt	version:	5 (apple watch series 1 or later )	Trust: 0.8
vendor:	apple	model:	icloud	scope:	lt	version:	7.7 earlier	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	12.0.1 earlier	Trust: 0.8

sources: JVNDB: JVNDB-2018-014925 // JVNDB: JVNDB-2018-008148 // NVD: CVE-2018-4359

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-4359
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-4359
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201809-1164
value:	HIGH
Trust: 0.6
VULHUB:	VHN-134390
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2018-4359
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-4359
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-134390
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-4359
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-134390 // VULMON: CVE-2018-4359 // CNNVD: CNNVD-201809-1164 // JVNDB: JVNDB-2018-014925 // NVD: CVE-2018-4359

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.9

sources: VULHUB: VHN-134390 // JVNDB: JVNDB-2018-014925 // NVD: CVE-2018-4359

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-1164

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201809-1164

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-014925

PATCH

title:	HT209141	url:	https://support.apple.com/en-us/HT209141	Trust: 1.6
title:	HT209140	url:	https://support.apple.com/en-us/HT209140	Trust: 0.8
title:	HT209106	url:	https://support.apple.com/en-us/HT209106	Trust: 0.8
title:	HT209107	url:	https://support.apple.com/en-us/HT209107	Trust: 0.8
title:	HT209108	url:	https://support.apple.com/en-us/HT209108	Trust: 0.8
title:	HT209109	url:	https://support.apple.com/en-us/HT209109	Trust: 0.8
title:	HT209106	url:	https://support.apple.com/ja-jp/HT209106	Trust: 0.8
title:	HT209107	url:	https://support.apple.com/ja-jp/HT209107	Trust: 0.8
title:	HT209108	url:	https://support.apple.com/ja-jp/HT209108	Trust: 0.8
title:	HT209109	url:	https://support.apple.com/ja-jp/HT209109	Trust: 0.8
title:	HT209140	url:	https://support.apple.com/ja-jp/HT209140	Trust: 0.8
title:	HT209141	url:	https://support.apple.com/ja-jp/HT209141	Trust: 0.8
title:	About the security content of iOS 12.0.1	url:	https://support.apple.com/en-us/HT209162	Trust: 0.8
title:	Multiple Apple product WebKit Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85198	Trust: 0.6
title:	Ubuntu Security Notice: webkit2gtk vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3781-1	Trust: 0.1
title:	fuzzilli	url:	https://github.com/googleprojectzero/fuzzilli	Trust: 0.1
title:	BleepingComputer	url:	https://www.bleepingcomputer.com/news/security/apple-releases-security-updates-for-ios-and-icloud-fixes-passcode-bypass/	Trust: 0.1

sources: VULMON: CVE-2018-4359 // CNNVD: CNNVD-201809-1164 // JVNDB: JVNDB-2018-014925 // JVNDB: JVNDB-2018-008148

EXTERNAL IDS

db:	NVD	id:	CVE-2018-4359	Trust: 3.3
db:	JVN	id:	JVNVU92800088	Trust: 1.6
db:	JVN	id:	JVNVU93341447	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-014925	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-008148	Trust: 0.8
db:	CNNVD	id:	CNNVD-201809-1164	Trust: 0.7
db:	VULHUB	id:	VHN-134390	Trust: 0.1
db:	VULMON	id:	CVE-2018-4359	Trust: 0.1
db:	PACKETSTORM	id:	150115	Trust: 0.1
db:	PACKETSTORM	id:	150560	Trust: 0.1
db:	PACKETSTORM	id:	150114	Trust: 0.1
db:	PACKETSTORM	id:	149515	Trust: 0.1
db:	PACKETSTORM	id:	149513	Trust: 0.1
db:	PACKETSTORM	id:	149605	Trust: 0.1
db:	PACKETSTORM	id:	149722	Trust: 0.1

sources: VULHUB: VHN-134390 // VULMON: CVE-2018-4359 // PACKETSTORM: 150115 // PACKETSTORM: 150560 // PACKETSTORM: 150114 // PACKETSTORM: 149515 // PACKETSTORM: 149513 // PACKETSTORM: 149605 // PACKETSTORM: 149722 // CNNVD: CNNVD-201809-1164 // JVNDB: JVNDB-2018-014925 // JVNDB: JVNDB-2018-008148 // NVD: CVE-2018-4359

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2018-4359	Trust: 2.1
url:	https://support.apple.com/kb/ht209106	Trust: 1.8
url:	https://support.apple.com/kb/ht209107	Trust: 1.8
url:	https://support.apple.com/kb/ht209108	Trust: 1.8
url:	https://support.apple.com/kb/ht209109	Trust: 1.8
url:	https://support.apple.com/kb/ht209140	Trust: 1.8
url:	https://support.apple.com/kb/ht209141	Trust: 1.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4359	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu93341447/index.html	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu92800088/index.html	Trust: 0.8
url:	http://jvn.jp/cert/jvnvu92800088	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4319	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4191	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4361	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4311	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4358	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4299	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4323	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4318	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4309	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4315	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4197	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4316	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4317	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4306	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4312	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4328	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4314	Trust: 0.6
url:	https://support.apple.com/kb/ht201222	Trust: 0.5
url:	https://www.apple.com/support/security/pgp/	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4345	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4360	Trust: 0.3
url:	https://support.apple.com/ht204283	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4412	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4414	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4126	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4347	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4208	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4213	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4212	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4209	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4210	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4207	Trust: 0.2
url:	https://cwe.mitre.org/data/definitions/119.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	http://seclists.org/fulldisclosure/2018/sep/45	Trust: 0.1
url:	https://usn.ubuntu.com/3781-1/	Trust: 0.1
url:	https://security.gentoo.org/	Trust: 0.1
url:	https://security.gentoo.org/glsa/201812-04	Trust: 0.1
url:	https://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1
url:	https://www.apple.com/itunes/download/	Trust: 0.1
url:	https://support.apple.com/kb/ht204641	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4305	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4336	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4313	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4344	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-1777	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4363	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4307	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4195	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4329	Trust: 0.1
url:	https://www.tencent.com)	Trust: 0.1
url:	https://wpewebkit.org/security/.	Trust: 0.1
url:	https://wpewebkit.org/security/wsa-2018-0007.html	Trust: 0.1
url:	https://webkitgtk.org/security.html	Trust: 0.1
url:	https://webkitgtk.org/security/wsa-2018-0007.html	Trust: 0.1

CREDITS

Apple

Trust: 0.5

sources: PACKETSTORM: 150115 // PACKETSTORM: 150114 // PACKETSTORM: 149515 // PACKETSTORM: 149513 // PACKETSTORM: 149722

SOURCES

db:	VULHUB	id:	VHN-134390
db:	VULMON	id:	CVE-2018-4359
db:	PACKETSTORM	id:	150115
db:	PACKETSTORM	id:	150560
db:	PACKETSTORM	id:	150114
db:	PACKETSTORM	id:	149515
db:	PACKETSTORM	id:	149513
db:	PACKETSTORM	id:	149605
db:	PACKETSTORM	id:	149722
db:	CNNVD	id:	CNNVD-201809-1164
db:	JVNDB	id:	JVNDB-2018-014925
db:	JVNDB	id:	JVNDB-2018-008148
db:	NVD	id:	CVE-2018-4359

LAST UPDATE DATE

2026-02-05T14:50:12.801000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-134390	date:	2019-04-05T00:00:00
db:	VULMON	id:	CVE-2018-4359	date:	2019-04-05T00:00:00
db:	CNNVD	id:	CNNVD-201809-1164	date:	2019-04-09T00:00:00
db:	JVNDB	id:	JVNDB-2018-014925	date:	2019-04-17T00:00:00
db:	JVNDB	id:	JVNDB-2018-008148	date:	2018-10-10T00:00:00
db:	NVD	id:	CVE-2018-4359	date:	2024-11-21T04:07:15.713

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-134390	date:	2019-04-03T00:00:00
db:	VULMON	id:	CVE-2018-4359	date:	2019-04-03T00:00:00
db:	PACKETSTORM	id:	150115	date:	2018-10-31T16:10:39
db:	PACKETSTORM	id:	150560	date:	2018-12-03T21:06:30
db:	PACKETSTORM	id:	150114	date:	2018-10-31T16:10:29
db:	PACKETSTORM	id:	149515	date:	2018-09-25T16:31:15
db:	PACKETSTORM	id:	149513	date:	2018-09-25T16:25:47
db:	PACKETSTORM	id:	149605	date:	2018-10-01T17:13:20
db:	PACKETSTORM	id:	149722	date:	2018-10-09T16:58:43
db:	CNNVD	id:	CNNVD-201809-1164	date:	2018-09-27T00:00:00
db:	JVNDB	id:	JVNDB-2018-014925	date:	2019-04-17T00:00:00
db:	JVNDB	id:	JVNDB-2018-008148	date:	2018-10-10T00:00:00
db:	NVD	id:	CVE-2018-4359	date:	2019-04-03T18:29:10.143