Lucene search

[email protected]NVD:CVE-2009-2841

HistoryNov 13, 2009 - 3:30 p.m.

CVE-2009-2841

2009-11-1315:30:00

[email protected]

web.nvd.nist.gov

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

6.2 Medium

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

78.5%

JSON

The HTMLMediaElement::loadResource function in html/HTMLMediaElement.cpp in WebCore in WebKit before r49480, as used in Apple Safari before 4.0.4 on Mac OS X, does not perform the expected callbacks for HTML 5 media elements that have external URLs for media resources, which allows remote attackers to trigger sub-resource requests to arbitrary web sites via a crafted HTML document, as demonstrated by an HTML e-mail message that uses a media element for X-Confirm-Reading-To functionality, aka rdar problem 7271202.

Affected configurations

NVD

Node

applesafariRange≤4.0.3

applesafariMatch0.8

applesafariMatch0.9

applesafariMatch1.0

applesafariMatch1.0beta

applesafariMatch1.0beta2

applesafariMatch1.0.0

applesafariMatch1.0.0b1

applesafariMatch1.0.0b2

applesafariMatch1.0.1

applesafariMatch1.0.2

applesafariMatch1.0.3

applesafariMatch1.1.0

applesafariMatch1.1.1

applesafariMatch1.2

applesafariMatch1.2.0

applesafariMatch1.2.1

applesafariMatch1.2.2

applesafariMatch1.2.3

applesafariMatch1.2.4

applesafariMatch1.2.5

applesafariMatch1.3

applesafariMatch1.3.0

applesafariMatch1.3.1

applesafariMatch1.3.2

applesafariMatch2

applesafariMatch2.0

applesafariMatch2.0.0

applesafariMatch2.0.1

applesafariMatch2.0.2

applesafariMatch2.0.3

applesafariMatch2.0.3417.8

applesafariMatch2.0.3417.9

applesafariMatch2.0.3417.9.2

applesafariMatch2.0.3417.9.3

applesafariMatch2.0.3_417.9.3

applesafariMatch2.0.4

applesafariMatch2.0.4_419.3

applesafariMatch2.0_pre

applesafariMatch3

applesafariMatch3.0

applesafariMatch3.0.0

applesafariMatch3.0.0b

applesafariMatch3.0.1

applesafariMatch3.0.1beta

applesafariMatch3.0.1b

applesafariMatch3.0.2

applesafariMatch3.0.2b

applesafariMatch3.0.3

applesafariMatch3.0.3b

applesafariMatch3.0.4

applesafariMatch3.0.4_beta

applesafariMatch3.0.4b

applesafariMatch3.1

applesafariMatch3.1.0

applesafariMatch3.1.0b

applesafariMatch3.1.1

applesafariMatch3.1.2

applesafariMatch3.2

applesafariMatch3.2.0

applesafariMatch3.2.1

applesafariMatch3.2.2

applesafariMatch3.2.3

applesafariMatch4.0

applesafariMatch4.0beta

applesafariMatch4.0.0b

applesafariMatch4.0.1

applesafariMatch4.0.2

AND

applemac_os_x

References

lists.apple.com/archives/security-announce/2009/Nov/msg00001.html

lists.apple.com/archives/security-announce/2010/Feb/msg00000.html

lists.fedoraproject.org/pipermail/package-announce/2010-July/044023.html

lists.fedoraproject.org/pipermail/package-announce/2010-July/044031.html

lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html

osvdb.org/59941

secunia.com/advisories/37346

secunia.com/advisories/40557

secunia.com/advisories/41856

secunia.com/advisories/43068

support.apple.com/kb/HT3949

support.apple.com/kb/HT4013

threatpost.com/en_us/blogs/apple-patches-critical-safari-vulnerabilities-111109

trac.webkit.org/changeset/49480

www.mandriva.com/security/advisories?name=MDVSA-2011:039

www.securityfocus.com/bid/36996

www.securitytracker.com/id?1023167

www.ubuntu.com/usn/USN-1006-1

www.vupen.com/english/advisories/2009/3217

www.vupen.com/english/advisories/2010/1801

www.vupen.com/english/advisories/2010/2722

www.vupen.com/english/advisories/2011/0212

www.vupen.com/english/advisories/2011/0552

bugzilla.redhat.com/show_bug.cgi?id=525791

exchange.xforce.ibmcloud.com/vulnerabilities/54242

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

6.2 Medium

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

78.5%

JSON

Related for NVD:CVE-2009-2841

cve1 ubuntucve1 debiancve1 seebug2 prion1 cvelist1 nessus10 threatpost2 fedora2 openvas7