CVE-2015-3752

2015-08-1600:00:00

ubuntu.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

72.2%

JSON

The Content Security Policy implementation in WebKit in Apple Safari before
6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1
and other products, does not properly restrict cookie transmission for
report requests, which allows remote attackers to obtain sensitive
information via vectors involving (1) a cross-origin request or (2) a
private-browsing request.

Notes

Author	Note
jdstrand	webkit receives limited support. For details, see https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8

OSVersionArchitecturePackageVersionFilename
ubuntu14.04noarchwebkitgtk< 2.4.10-0ubuntu0.14.04.1UNKNOWN
ubuntu15.10noarchwebkitgtk< 2.4.10-0ubuntu0.15.10.1UNKNOWN
ubuntu16.04noarchwebkitgtk< 2.4.10-0ubuntu1UNKNOWN
ubuntu16.10noarchwebkitgtk< 2.4.10-0ubuntu1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	14.04	noarch	webkitgtk	< 2.4.10-0ubuntu0.14.04.1	UNKNOWN
ubuntu	15.10	noarch	webkitgtk	< 2.4.10-0ubuntu0.15.10.1	UNKNOWN
ubuntu	16.04	noarch	webkitgtk	< 2.4.10-0ubuntu1	UNKNOWN
ubuntu	16.10	noarch	webkitgtk	< 2.4.10-0ubuntu1	UNKNOWN