Lucene search

[email protected]CVE-2009-1699

HistoryJun 10, 2009 - 6:00 p.m.

CVE-2009-1699

2009-06-1018:00:00

CWE-611

[email protected]

web.nvd.nist.gov

cve-2009-1699

xsl stylesheet

webkit

apple safari

iphone os

xxe attack

dtd

xml external entities

security vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6 Medium

AI Score

Confidence

Low

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:C/I:N/A:N

0.031 Low

EPSS

Percentile

90.9%

JSON

The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an “XXE attack.”

CPENameOperatorVersion
apple:iphone_osapple iphone osle2.2.1
apple:safariapple safarilt4.0
canonical:ubuntu_linuxcanonical ubuntu linuxeq9.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq8.10
opensuse:opensuseopensuseeq11.2
opensuse:opensuseopensuseeq11.3

CPE	Name	Operator	Version
apple:iphone_os	apple iphone os	le	2.2.1
apple:safari	apple safari	lt	4.0
canonical:ubuntu_linux	canonical ubuntu linux	eq	9.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	8.10
opensuse:opensuse	opensuse	eq	11.2
opensuse:opensuse	opensuse	eq	11.3