CVE-2009-1699

Опубликовано: 10 июн. 2009

Источник: nvd

CVSS3: 7.5

CVSS2: 7.1

EPSS Низкий

Описание

The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."

Ссылки

http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
Mailing List
http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html
Broken Link
Mailing List
Patch
Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
Mailing List
http://osvdb.org/54972
Broken Link
http://scary.beasts.org/security/CESA-2009-006.html
Exploit
http://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-fixes-local-file-theft.html
Exploit
http://secunia.com/advisories/35379
Broken Link
Vendor Advisory
http://secunia.com/advisories/43068
Broken Link
http://support.apple.com/kb/HT3613
Patch
Vendor Advisory
http://support.apple.com/kb/HT3639
Vendor Advisory
http://www.securityfocus.com/bid/35260
Broken Link
Exploit
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/35321
Broken Link
Third Party Advisory
VDB Entry
http://www.ubuntu.com/usn/USN-857-1
Third Party Advisory
http://www.vupen.com/english/advisories/2009/1522
Broken Link
Patch
Vendor Advisory
http://www.vupen.com/english/advisories/2009/1621
Broken Link
http://www.vupen.com/english/advisories/2011/0212
Broken Link
https://www.exploit-db.com/exploits/8907
Exploit
Third Party Advisory
VDB Entry
http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
Mailing List
http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html
Broken Link
Mailing List
Patch
Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
Mailing List

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*

Версия до 4.0 (исключая)

cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*

Версия от 1.0.0 (включая) до 2.2.1 (включая)

Конфигурация 2

Одно из

cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:opensuse:opensuse:11.2:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:11.3:*:*:*:*:*:*:*

EPSS

Процентиль: 93%

0.09268

Низкий

7.5 High

CVSS3

7.1 High

CVSS2

Дефекты

CWE-611

Связанные уязвимости

CVE-2009-1699

CVSS3: 7.5

ubuntu

больше 16 лет назад

CVE-2009-1699

CVSS3: 7.5

debian

больше 16 лет назад

The XSL stylesheet implementation in WebKit in Apple Safari before 4.0 ...

GHSA-q425-6m5x-qp5p

CVSS3: 7.5

github

почти 4 года назад

BDU:2015-04057

fstec

около 11 лет назад

Уязвимости операционной системы Debian GNU/Linux, позволяющие удаленному злоумышленнику нарушить конфиденциальность, целостность и доступность защищаемой информации

BDU:2015-04056

fstec

около 11 лет назад

EPSS

Процентиль: 93%

0.09268

Низкий

7.5 High

CVSS3

7.1 High

CVSS2

Дефекты

CWE-611