CVE-2015-3754

The private-browsing implementation in WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8 does not prevent caching of HTTP authentication credentials, which makes it easier for remote attackers to track users via a crafted web site.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://support.apple.com/kb/HT205033	Vendor Advisory
http://lists.apple.com/archives/security-announce/2015/Aug/msg00000.html	Mailing List Vendor Advisory
http://www.securityfocus.com/bid/76339	Third Party Advisory VDB Entry
http://lists.opensuse.org/opensuse-updates/2016-03/msg00054.html	Mailing List Third Party Advisory
http://www.securitytracker.com/id/1033274	Third Party Advisory VDB Entry

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:a:apple:safari::::::::

Information

Published : 2015-08-16 16:59

Updated : 2019-02-07 11:52

NVD link : CVE-2015-3754

Mitre link : CVE-2015-3754

JSON object : View

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Advertisement

Products Affected

apple

safari

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://support.apple.com/kb/HT205033", "name": "https://support.apple.com/kb/HT205033", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00000.html", "name": "APPLE-SA-2015-08-13-1", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "APPLE"}, {"url": "http://www.securityfocus.com/bid/76339", "name": "76339", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "http://lists.opensuse.org/opensuse-updates/2016-03/msg00054.html", "name": "openSUSE-SU-2016:0761", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "SUSE"}, {"url": "http://www.securitytracker.com/id/1033274", "name": "1033274", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "SECTRACK"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The private-browsing implementation in WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8 does not prevent caching of HTTP authentication credentials, which makes it easier for remote attackers to track users via a crafted web site."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-200"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2015-3754", "ASSIGNER": "product-security@apple.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2015-08-16T23:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.1.8", "versionStartIncluding": "7.0"}, {"cpe23Uri": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "6.2.8", "versionStartIncluding": "6.0"}, {"cpe23Uri": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "8.0.8", "versionStartIncluding": "8.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2019-02-07T19:52Z"}