U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

CVE-2010-0051 Detail

Description

WebKit in Apple Safari before 4.0.5 does not properly validate the cross-origin loading of stylesheets, which allows remote attackers to obtain sensitive information via a crafted HTML document. NOTE: this might overlap CVE-2010-0651.


Evaluator Description

Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'WebKit CVE-ID: CVE-2010-0051 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information Description: An implementation issue exists in WebKit's handling of cross-origin stylesheet requests. Visiting a maliciously crafted website may disclose the content of protected resources on another website. This update addresses the issue by performing additional validation on stylesheets that are loaded during a cross-origin request.'

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology
NIST: NVD
Base Score:  4.3 MEDIUM
Vector:  (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Evaluator Solution

Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/'

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource
http://code.google.com/p/chromium/issues/detail?id=9877
http://code.google.com/p/chromium/issues/detail?id=9877
http://lists.apple.com/archives/security-announce/2010//Nov/msg00003.html
http://lists.apple.com/archives/security-announce/2010//Nov/msg00003.html
http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html
http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html
http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html Vendor Advisory 
http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html Vendor Advisory 
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
http://osvdb.org/62944
http://osvdb.org/62944
http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html
http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html
http://secunia.com/advisories/41856
http://secunia.com/advisories/41856
http://secunia.com/advisories/42314
http://secunia.com/advisories/42314
http://secunia.com/advisories/43068
http://secunia.com/advisories/43068
http://support.apple.com/kb/HT4070 Vendor Advisory 
http://support.apple.com/kb/HT4070 Vendor Advisory 
http://support.apple.com/kb/HT4225
http://support.apple.com/kb/HT4225
http://support.apple.com/kb/HT4456
http://support.apple.com/kb/HT4456
http://websec.sv.cmu.edu/css/css.pdf
http://websec.sv.cmu.edu/css/css.pdf
http://www.mandriva.com/security/advisories?name=MDVSA-2011:039
http://www.mandriva.com/security/advisories?name=MDVSA-2011:039
http://www.securityfocus.com/bid/38671 Patch 
http://www.securityfocus.com/bid/38671 Patch 
http://www.securitytracker.com/id?1023708
http://www.securitytracker.com/id?1023708
http://www.ubuntu.com/usn/USN-1006-1
http://www.ubuntu.com/usn/USN-1006-1
http://www.vupen.com/english/advisories/2010/2722
http://www.vupen.com/english/advisories/2010/2722
http://www.vupen.com/english/advisories/2011/0212
http://www.vupen.com/english/advisories/2011/0212
http://www.vupen.com/english/advisories/2011/0552
http://www.vupen.com/english/advisories/2011/0552
https://exchange.xforce.ibmcloud.com/vulnerabilities/56837
https://exchange.xforce.ibmcloud.com/vulnerabilities/56837
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7554
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7554

Weakness Enumeration

CWE-ID CWE Name Source
CWE-20 Improper Input Validation cwe source acceptance level NIST  

Known Affected Software Configurations Switch to CPE 2.2

Configuration 1 ( hide )
 cpe:2.3:a:apple:safari:4.0:*:*:*:*:*:*:*
   Show Matching CPE(s)
 cpe:2.3:a:apple:safari:4.0.0b:*:*:*:*:*:*:*
   Show Matching CPE(s)
 cpe:2.3:a:apple:safari:4.0.1:*:*:*:*:*:*:*
   Show Matching CPE(s)
 cpe:2.3:a:apple:safari:4.0.2:*:*:*:*:*:*:*
   Show Matching CPE(s)
 cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*
   Show Matching CPE(s)
 cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
   Show Matching CPE(s)
Up to (including)
4.0.4

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

5 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2010-0051
NVD Published Date:
03/15/2010
NVD Last Modified:
11/20/2024
Source:
Apple Inc.