CVE-2015-3750

2015-08-1623:59:00

CWE-254

[email protected]

web.nvd.nist.gov

cve

2015

3750

webkit

apple

safari

ios

hsts

csp

content security policy

network security

man-in-the-middle attack

6.6 Medium

AI Score

Confidence

High

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.003 Low

EPSS

Percentile

69.4%

JSON

WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not enforce the HTTP Strict Transport Security (HSTS) protection mechanism for Content Security Policy (CSP) report requests, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or spoof a report by modifying the client-server data stream.

CPENameOperatorVersion
apple:iphone_osapple iphone osle8.4
apple:safariapple safarilt6.2.8
apple:safariapple safarilt7.1.8
apple:safariapple safarilt8.0.8
apple:iphone_osapple iphone oslt8.4.1

CPE	Name	Operator	Version
apple:iphone_os	apple iphone os	le	8.4
apple:safari	apple safari	lt	6.2.8
apple:safari	apple safari	lt	7.1.8
apple:safari	apple safari	lt	8.0.8
apple:iphone_os	apple iphone os	lt	8.4.1