NVD - CVE-2010-0051

CVE-2010-0051 Detail

Modified

This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.

Description

WebKit in Apple Safari before 4.0.5 does not properly validate the cross-origin loading of stylesheets, which allows remote attackers to obtain sensitive information via a crafted HTML document. NOTE: this might overlap CVE-2010-0651.

Source: MITRE
Description Last Modified: 03/15/2010

Evaluator Description

Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'WebKit CVE-ID: CVE-2010-0051 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information Description: An implementation issue exists in WebKit's handling of cross-origin stylesheet requests. Visiting a maliciously crafted website may disclose the content of protected resources on another website. This update addresses the issue by performing additional validation on stylesheets that are loaded during a cross-origin request.'

Impact

CVSS v2.0 Severity and Metrics:

Base Score: 4.3 MEDIUM
Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) (V2 legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6

Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Additional Information:
Victim must voluntarily interact with attack mechanism
Allows unauthorized disclosure of information

Evaluator Solution

Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/'

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
http://code.google.com/p/chromium/issues/detail?id=9877
http://lists.apple.com/archives/security-announce/2010//Nov/msg00003.html
http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html
http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html	Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html
http://support.apple.com/kb/HT4070	Vendor Advisory
http://support.apple.com/kb/HT4225
http://support.apple.com/kb/HT4456
http://websec.sv.cmu.edu/css/css.pdf
http://www.mandriva.com/security/advisories?name=MDVSA-2011:039
http://www.securityfocus.com/bid/38671	Patch
http://www.securitytracker.com/id?1023708
http://www.ubuntu.com/usn/USN-1006-1
http://www.vupen.com/english/advisories/2010/2722
http://www.vupen.com/english/advisories/2011/0212
http://www.vupen.com/english/advisories/2011/0552
https://exchange.xforce.ibmcloud.com/vulnerabilities/56837
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7554

References to Check Content

Identifier:: oval:org.mitre.oval:def:7554
Check System:: http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:: http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:7554

Technical Details

Vulnerability Type (View All)

Input Validation (CWE-20)

Vulnerable software and versions Switch to CPE 2.2

Configuration 1
OR
cpe:2.3:a:apple:safari:4.0:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:4.0.0b:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:4.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:4.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* versions up to (including) 4.0.4

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

3 change records found - show changes

Quick Info

CVE Dictionary Entry:
CVE-2010-0051
NVD Published Date:
03/15/2010
NVD Last Modified:
09/18/2017

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database