CVE-2018-4117

An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. watchOS before 4.3 is affected. The issue involves the fetch API in the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/104887	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1040604	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2018:2282	Third Party Advisory
https://security.gentoo.org/glsa/201808-01	Third Party Advisory
https://security.gentoo.org/glsa/201808-04	Third Party Advisory
https://support.apple.com/HT208693	Vendor Advisory
https://support.apple.com/HT208694	Vendor Advisory
https://support.apple.com/HT208695	Vendor Advisory
https://support.apple.com/HT208696	Vendor Advisory
https://support.apple.com/HT208697	Vendor Advisory
https://usn.ubuntu.com/3635-1/	Third Party Advisory
https://www.debian.org/security/2018/dsa-4256	Third Party Advisory
http://www.securityfocus.com/bid/104887	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1040604	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2018:2282	Third Party Advisory
https://security.gentoo.org/glsa/201808-01	Third Party Advisory
https://security.gentoo.org/glsa/201808-04	Third Party Advisory
https://support.apple.com/HT208693	Vendor Advisory
https://support.apple.com/HT208694	Vendor Advisory
https://support.apple.com/HT208695	Vendor Advisory
https://support.apple.com/HT208696	Vendor Advisory
https://support.apple.com/HT208697	Vendor Advisory
https://usn.ubuntu.com/3635-1/	Third Party Advisory
https://www.debian.org/security/2018/dsa-4256	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:watchos::::::::

Configuration 2 (hide)

AND

cpe:2.3:a:apple:icloud:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:a:webkitgtk:webkitgtk\+:*:*:*:*:*:*:*:*

Configuration 5 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:17.10:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*

History

21 Nov 2024, 04:06

Type	Values Removed	Values Added
References	~~() http://www.securityfocus.com/bid/104887 - Third Party Advisory, VDB Entry~~	() http://www.securityfocus.com/bid/104887 - Third Party Advisory, VDB Entry
References	~~() http://www.securitytracker.com/id/1040604 - Third Party Advisory, VDB Entry~~	() http://www.securitytracker.com/id/1040604 - Third Party Advisory, VDB Entry
References	~~() https://access.redhat.com/errata/RHSA-2018:2282 - Third Party Advisory~~	() https://access.redhat.com/errata/RHSA-2018:2282 - Third Party Advisory
References	~~() https://security.gentoo.org/glsa/201808-01 - Third Party Advisory~~	() https://security.gentoo.org/glsa/201808-01 - Third Party Advisory
References	~~() https://security.gentoo.org/glsa/201808-04 - Third Party Advisory~~	() https://security.gentoo.org/glsa/201808-04 - Third Party Advisory
References	~~() https://support.apple.com/HT208693 - Vendor Advisory~~	() https://support.apple.com/HT208693 - Vendor Advisory
References	~~() https://support.apple.com/HT208694 - Vendor Advisory~~	() https://support.apple.com/HT208694 - Vendor Advisory
References	~~() https://support.apple.com/HT208695 - Vendor Advisory~~	() https://support.apple.com/HT208695 - Vendor Advisory
References	~~() https://support.apple.com/HT208696 - Vendor Advisory~~	() https://support.apple.com/HT208696 - Vendor Advisory
References	~~() https://support.apple.com/HT208697 - Vendor Advisory~~	() https://support.apple.com/HT208697 - Vendor Advisory
References	~~() https://usn.ubuntu.com/3635-1/ - Third Party Advisory~~	() https://usn.ubuntu.com/3635-1/ - Third Party Advisory
References	~~() https://www.debian.org/security/2018/dsa-4256 - Third Party Advisory~~	() https://www.debian.org/security/2018/dsa-4256 - Third Party Advisory

Information

Published : 2018-04-03 06:29

Updated : 2024-11-21 04:06

NVD link : CVE-2018-4117

Mitre link : CVE-2018-4117

CVE.ORG link : CVE-2018-4117

JSON object : View

Products Affected

apple

iphone_os
safari
watchos
icloud
itunes

redhat

enterprise_linux_desktop
enterprise_linux_server
enterprise_linux_workstation

canonical

ubuntu_linux

microsoft

windows

webkitgtk

webkitgtk\+

debian

debian_linux

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2018-4117", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2018-04-03T06:29:04.937", "references": [{"url": "http://www.securityfocus.com/bid/104887", "tags": ["Third Party Advisory", "VDB Entry"], "source": "product-security@apple.com"}, {"url": "http://www.securitytracker.com/id/1040604", "tags": ["Third Party Advisory", "VDB Entry"], "source": "product-security@apple.com"}, {"url": "https://access.redhat.com/errata/RHSA-2018:2282", "tags": ["Third Party Advisory"], "source": "product-security@apple.com"}, {"url": "https://security.gentoo.org/glsa/201808-01", "tags": ["Third Party Advisory"], "source": "product-security@apple.com"}, {"url": "https://security.gentoo.org/glsa/201808-04", "tags": ["Third Party Advisory"], "source": "product-security@apple.com"}, {"url": "https://support.apple.com/HT208693", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "https://support.apple.com/HT208694", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "https://support.apple.com/HT208695", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "https://support.apple.com/HT208696", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "https://support.apple.com/HT208697", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "https://usn.ubuntu.com/3635-1/", "tags": ["Third Party Advisory"], "source": "product-security@apple.com"}, {"url": "https://www.debian.org/security/2018/dsa-4256", "tags": ["Third Party Advisory"], "source": "product-security@apple.com"}, {"url": "http://www.securityfocus.com/bid/104887", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securitytracker.com/id/1040604", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2018:2282", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/201808-01", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/201808-04", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://support.apple.com/HT208693", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://support.apple.com/HT208694", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://support.apple.com/HT208695", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://support.apple.com/HT208696", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://support.apple.com/HT208697", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://usn.ubuntu.com/3635-1/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2018/dsa-4256", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. watchOS before 4.3 is affected. The issue involves the fetch API in the \"WebKit\" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site."}, {"lang": "es", "value": "Se ha descubierto un problema en algunos productos Apple. Las versiones de iOS anteriores a la 11.3 se han visto afectadas. Se han visto afectadas las versiones de Safari anteriores a la 11.1, las versiones de iCloud anteriores a la 7.4 en Windows, las versiones de iTunes anteriores a la 12.7.4 en Windows y las versiones de watchOS anteriores a la 4.3. El problema afecta a la API fetch en el componente \"WebKit\". Permite que atacantes remotos omitan la Pol\u00edtica del Mismo Origen y obtengan informaci\u00f3n sensible mediante un sitio web manipulado."}], "lastModified": "2024-11-21T04:06:47.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2683E773-F7E6-4B5A-B341-F34EC83368BB", "versionEndExcluding": "11.1"}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1AE9DC77-7A0A-47A4-9B85-6CCCFDE5B313", "versionEndExcluding": "11.3"}, {"criteria": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "360435F9-FC38-422B-8888-3656AF59A3BF", "versionEndExcluding": "4.3"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apple:icloud:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C0720731-C892-498A-BFFE-D3DBCD096973", "versionEndExcluding": "7.4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7F515A1-9B93-4D6F-A269-CAEDEC1DD85E", "versionEndExcluding": "12.7.4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:webkitgtk:webkitgtk\\+:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33CC3DA1-F5EA-4276-B38B-5C68BA8EBCDA", "versionEndExcluding": "2.20.4"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B"}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9070C9D8-A14A-467F-8253-33B966C16886"}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9BBCD86A-E6C7-4444-9D74-F861084090F0"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E5ED5807-55B7-47C5-97A6-03233F4FBC3A"}], "operator": "OR"}]}], "sourceIdentifier": "product-security@apple.com"}

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2018-4117

6.5^/10

4.3^/10

Attach tags to `CVE-2018-4117`