Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2018-4311 (GCVE-0-2018-4311)
Vulnerability from cvelistv5 – Published: 2019-04-03 17:43 – Updated: 2024-08-05 05:11- Cross-origin SecurityErrors includes the accessed frame’s origin
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | iOS, watchOS, Safari, iTunes for Windows, iCloud for Windows |
Affected:
Versions prior to: iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:11:22.363Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT209141"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT209140"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT209106"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT209108"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT209109"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iOS, watchOS, Safari, iTunes for Windows, iCloud for Windows",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions prior to: iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The issue was addressed by removing origin information. This issue affected versions prior to iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-origin SecurityErrors includes the accessed frame\u2019s origin",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-03T17:43:14",
"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
"shortName": "apple"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.apple.com/kb/HT209141"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.apple.com/kb/HT209140"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.apple.com/kb/HT209106"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.apple.com/kb/HT209108"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.apple.com/kb/HT209109"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "product-security@apple.com",
"ID": "CVE-2018-4311",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iOS, watchOS, Safari, iTunes for Windows, iCloud for Windows",
"version": {
"version_data": [
{
"version_value": "Versions prior to: iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The issue was addressed by removing origin information. This issue affected versions prior to iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-origin SecurityErrors includes the accessed frame\u2019s origin"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.apple.com/kb/HT209141",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209141"
},
{
"name": "https://support.apple.com/kb/HT209140",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209140"
},
{
"name": "https://support.apple.com/kb/HT209106",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209106"
},
{
"name": "https://support.apple.com/kb/HT209108",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209108"
},
{
"name": "https://support.apple.com/kb/HT209109",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209109"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
"assignerShortName": "apple",
"cveId": "CVE-2018-4311",
"datePublished": "2019-04-03T17:43:14",
"dateReserved": "2018-01-02T00:00:00",
"dateUpdated": "2024-08-05T05:11:22.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2018-4311\",\"sourceIdentifier\":\"product-security@apple.com\",\"published\":\"2019-04-03T18:29:06.673\",\"lastModified\":\"2024-11-21T04:07:10.270\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The issue was addressed by removing origin information. This issue affected versions prior to iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7.\"},{\"lang\":\"es\",\"value\":\"El problema se abord\u00f3 eliminando la informaci\u00f3n de origen. El problema afectaba a iOS en versiones anteriores a la 12, watchOS en versiones anteriores a la 5, Safari en versiones anteriores a la 12, iTunes para Windows en versiones anteriores a la 12.9 y iCloud para Windows en versiones anteriores a la 7.7.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:N\",\"baseScore\":5.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"12\",\"matchCriteriaId\":\"3D250753-EC40-4DEB-B1A7-B2E2E872D705\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"12.0\",\"matchCriteriaId\":\"37A59AD6-A000-48BE-A575-D1A39DCB0D88\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.0\",\"matchCriteriaId\":\"397E2910-7F1A-4576-B28D-E5796DE20CC8\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:icloud:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.7\",\"matchCriteriaId\":\"E92A7FC9-12AE-4E07-BA72-0A4075119426\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"12.9\",\"matchCriteriaId\":\"48FFD64E-C6DE-41EA-A70C-3E25F133901F\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2572D17-1DE6-457B-99CC-64AFD54487EA\"}]}]}],\"references\":[{\"url\":\"https://support.apple.com/kb/HT209106\",\"source\":\"product-security@apple.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209108\",\"source\":\"product-security@apple.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209109\",\"source\":\"product-security@apple.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209140\",\"source\":\"product-security@apple.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209141\",\"source\":\"product-security@apple.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209106\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209108\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209109\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209140\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209141\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
VAR-201904-1403
Vulnerability from variot - Updated: 2025-12-22 23:15The issue was addressed by removing origin information. This issue affected versions prior to iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7. plural Apple There is a vulnerability related to information disclosure because the product does not properly handle origin information.Information may be obtained and information may be altered. Apple Safari, etc. are all products of Apple (Apple). Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. WebKit is one of the web browser engine components. An attacker could exploit this vulnerability to determine the source of an access frame. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201812-04
https://security.gentoo.org/
Severity: Normal Title: WebkitGTK+: Multiple vulnerabilities Date: December 02, 2018 Bugs: #667892 ID: 201812-04
Synopsis
Multiple vulnerabilities have been found in WebKitGTK+, the worst of which may lead to arbitrary code execution.
Background
WebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.22.0 >= 2.22.0
Description
Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All WebkitGTK+ users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.22.0"
References
[ 1 ] CVE-2018-4191 https://nvd.nist.gov/vuln/detail/CVE-2018-4191 [ 2 ] CVE-2018-4197 https://nvd.nist.gov/vuln/detail/CVE-2018-4197 [ 3 ] CVE-2018-4207 https://nvd.nist.gov/vuln/detail/CVE-2018-4207 [ 4 ] CVE-2018-4208 https://nvd.nist.gov/vuln/detail/CVE-2018-4208 [ 5 ] CVE-2018-4209 https://nvd.nist.gov/vuln/detail/CVE-2018-4209 [ 6 ] CVE-2018-4210 https://nvd.nist.gov/vuln/detail/CVE-2018-4210 [ 7 ] CVE-2018-4212 https://nvd.nist.gov/vuln/detail/CVE-2018-4212 [ 8 ] CVE-2018-4213 https://nvd.nist.gov/vuln/detail/CVE-2018-4213 [ 9 ] CVE-2018-4299 https://nvd.nist.gov/vuln/detail/CVE-2018-4299 [ 10 ] CVE-2018-4306 https://nvd.nist.gov/vuln/detail/CVE-2018-4306 [ 11 ] CVE-2018-4309 https://nvd.nist.gov/vuln/detail/CVE-2018-4309 [ 12 ] CVE-2018-4311 https://nvd.nist.gov/vuln/detail/CVE-2018-4311 [ 13 ] CVE-2018-4312 https://nvd.nist.gov/vuln/detail/CVE-2018-4312 [ 14 ] CVE-2018-4314 https://nvd.nist.gov/vuln/detail/CVE-2018-4314 [ 15 ] CVE-2018-4315 https://nvd.nist.gov/vuln/detail/CVE-2018-4315 [ 16 ] CVE-2018-4316 https://nvd.nist.gov/vuln/detail/CVE-2018-4316 [ 17 ] CVE-2018-4317 https://nvd.nist.gov/vuln/detail/CVE-2018-4317 [ 18 ] CVE-2018-4318 https://nvd.nist.gov/vuln/detail/CVE-2018-4318 [ 19 ] CVE-2018-4319 https://nvd.nist.gov/vuln/detail/CVE-2018-4319 [ 20 ] CVE-2018-4323 https://nvd.nist.gov/vuln/detail/CVE-2018-4323 [ 21 ] CVE-2018-4328 https://nvd.nist.gov/vuln/detail/CVE-2018-4328 [ 22 ] CVE-2018-4358 https://nvd.nist.gov/vuln/detail/CVE-2018-4358 [ 23 ] CVE-2018-4359 https://nvd.nist.gov/vuln/detail/CVE-2018-4359 [ 24 ] CVE-2018-4361 https://nvd.nist.gov/vuln/detail/CVE-2018-4361
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201812-04
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us.
License
Copyright 2018 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
APPLE-SA-2018-9-24-4 Additional information for APPLE-SA-2018-9-17-1 iOS 12
iOS 12 addresses the following:
Accounts Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local app may be able to read a persistent account identifier Description: This issue was addressed with improved entitlements. CVE-2018-4322: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc.
Auto Unlock Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to access local users AppleIDs Description: A validation issue existed in the entitlement verification. CVE-2018-4321: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc. Entry added September 24, 2018
Bluetooth Available for: iPhone SE, iPhone 6s, iPhone 6s Plus, iPhone 7, iPhone 7 Plus, iPad Mini 4, 12.9-inch iPad Pro 1st generation, 12.9-inch iPad Pro 2nd generation, 10.5-inch iPad Pro, 9.7-inch iPad Pro, iPad 5th generation, and iPod Touch 6th generation Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic Description: An input validation issue existed in Bluetooth. CVE-2018-5383: Lior Neumann and Eli Biham
CoreMedia Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An app may be able to learn information about the current camera view before being granted camera access Description: A permissions issue existed. CVE-2018-4356: an anonymous researcher
Crash Reporter Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4333: Brandon Azad Entry added September 24, 2018
IOMobileFrameBuffer Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4335: Brandon Azad
iTunes Store Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An attacker in a privileged network position may be able to spoof password prompts in the iTunes Store Description: An input validation issue was addressed with improved input validation. CVE-2018-4305: Jerry Decime
Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: An input validation issue existed in the kernel. CVE-2018-4363: Ian Beer of Google Project Zero
Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4336: Brandon Azad CVE-2018-4344: The UK's National Cyber Security Centre (NCSC) Entry added September 24, 2018
Messages Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to discover a user's deleted messages Description: A consistency issue existed in the handling of application snapshots. CVE-2018-4313: 11 anonymous researchers, David Scott, Enes Mert Ulu of Abdullah MA1/4rAide AzA1/4nenek Anadolu Lisesi - Ankara/TA1/4rkiye, Mehmet Ferit DaAtan of Van YA1/4zA1/4ncA1/4 YA+-l University, Metin Altug Karakaya of Kaliptus Medical Organization, Vinodh Swami of Western Governor's University (WGU)
Notes Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to discover a user's deleted notes Description: A consistency issue existed in the handling of application snapshots. CVE-2018-4352: an anonymous researcher
Safari Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to discover websites a user has visited Description: A consistency issue existed in the handling of application snapshots. CVE-2018-4313: 11 anonymous researchers, David Scott, Enes Mert Ulu of Abdullah MA1/4rAide AzA1/4nenek Anadolu Lisesi - Ankara/TA1/4rkiye, Mehmet Ferit DaAtan of Van YA1/4zA1/4ncA1/4 YA+-l University, Metin Altug Karakaya of Kaliptus Medical Organization, Vinodh Swami of Western Governor's University (WGU)
Safari Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A user may be unable to delete browsing history items Description: Clearing a history item may not clear visits with redirect chains. CVE-2018-4329: Hugo S. Diaz (coldpointblue)
SafariViewController Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2018-4362: Jun Kokatsu (@shhnjk)
Security Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious website may be able to exfiltrate autofilled data in Safari Description: A logic issue was addressed with improved state management. CVE-2018-4307: Rafay Baloch of Pakistan Telecommunications Authority
Security Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm Description: This issue was addressed by removing RC4. CVE-2016-1777: Pepi Zawodsky
Status Bar Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A person with physical access to an iOS device may be able to determine the last used app from the lock screen Description: A logic issue was addressed with improved restrictions. CVE-2018-4325: Brian Adeloye
WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2018-4316: crixer, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team Entry added September 24, 2018
WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4319: John Pettitt of Google Entry added September 24, 2018
WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2018-4345: an anonymous researcher Entry added September 24, 2018
WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Unexpected interaction causes an ASSERT failure Description: A memory corruption issue was addressed with improved validation. CVE-2018-4191: found by OSS-Fuzz Entry added September 24, 2018
WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Cross-origin SecurityErrors includes the accessed frame's origin Description: The issue was addressed by removing origin information. CVE-2018-4311: Erling Alf Ellingsen (@steike) Entry added September 24, 2018
WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious website may be able to execute scripts in the context of another website Description: A cross-site scripting issue existed in Safari. CVE-2018-4309: an anonymous researcher working with Trend Micro's Zero Day Initiative Entry added September 24, 2018
WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Unexpected interaction causes an ASSERT failure Description: A memory consumption issue was addressed with improved memory handling. CVE-2018-4361: found by Google OSS-Fuzz Entry added September 24, 2018
Wi-Fi Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization.
configd We would like to acknowledge Sabri Haddouche (@pwnsdx) of Wire Swiss GmbH for their assistance.
Core Data We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance.
Exchange ActiveSync We would like to acknowledge Jesse Thompson of University of Wisconsin-Madison for their assistance.
Mail We would like to acknowledge Alessandro Avagliano of Rocket Internet SE, Gunnar Diepenbruck, and Zbyszek A>>A3Akiewski for their assistance.
MediaRemote We would like to acknowledge Brandon Azad for their assistance.
Safari We would like to acknowledge Marcel Manz of SIMM-Comm GmbH and Vlad Galbin for their assistance.
Security We would like to acknowledge Christoph Sinai, Daniel Dudek (@dannysapples) of The Irish Times and Filip KlubiAka (@lemoncloak) of ADAPT Centre, Dublin Institute of Technology, Istvan Csanady of Shapr3D, Omar Barkawi of ITG Software, Inc., Phil Caleno, Wilson Ding, and an anonymous researcher for their assistance.
SQLite We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance.
Status Bar We would like to acknowledge Ju Zhu of Meituan and Moony Li and Lilang Wu of Trend Micro for their assistance.
WebKit We would like to acknowledge Cary Hartline, Hanming Zhang from 360 Vuclan team, Tencent Keen Security Lab working with Trend Micro's Zero Day Initiative, and Zach Malone of CA Technologies for their assistance.
Installation note:
This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
- Navigate to Settings
- Select General
- Select About. The version after applying this update will be "iOS 12".
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlupFUMACgkQeC9tht7T K3Gpbg/9HBJDw9agGt5ZwLBzc5njAETI5Hxk0LDn5PjvmXpxD0kB/GcuH5vODNfi TOUNox5KfIIaD0HB1qo5zq4zdh1VmnCNKALJK0wY0U3KaACRghu0xTjpbXsYcYQy 4aGdt+UuiPBqsMkSUrakba1JHcYWrpc4GfUaxIUZw+aFdA0G2oUOYAN5w3a3I01A aVY1Qzq93MdUCjdr3ASXn4gdMtZeYAze4dXCkmvOXS8CPG4xok2C/MdwaTRKh1ex S74YkM+Oz+mAG+3uebwexeHWLUbFHKBr4KXu2DFvpJ4JxNu57SOqwEDDfauVOCHb 13YFf+i+Zh5g9SODQJFXDXk6Cl6MlTuEsLcr1YX8xqmSLilaFJTiz7nxxAG0Qctb Z80wHbzQeGaGQwEy1A99X7X33PupzyaJFiK/4F8O5neo18LliunU01Tzk16sgYFt 4Jg/e5+EkcGf1TJiCTMzIPDVsMBDRcTV9KMBUjr+LmbBJ5T8XKdg5nuEURKT3QFQ h05+La/AFn+sJ8FFTK0WQmvM96vKQELyBBC9Npa7n1riCPHldPt9+vQ3wVwo5MD4 SdGfACevV+Qf8G1A064fM74nrJOnoqLowQiCtMSOpMx3PWwX0Pzw2SVyaFG3cLAv 221+OCYYcniG7UPdjoFv7kObGFEUC9vt1TS76VfolzKWd/fcakg= =JOUe -----END PGP SIGNATURE----- . CVE-2018-4407: Kevin Backhouse of Semmle Ltd.
Alternatively, on your watch, select "My Watch > General > About".
Installation note:
Safari 12 may be obtained from the Mac App Store. ----------------------------------------------------------------------- WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0007
Date reported : September 26, 2018 Advisory ID : WSA-2018-0007 WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2018-0007.html WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2018-0007.html CVE identifiers : CVE-2018-4207, CVE-2018-4208, CVE-2018-4209, CVE-2018-4210, CVE-2018-4212, CVE-2018-4213, CVE-2018-4191, CVE-2018-4197, CVE-2018-4299, CVE-2018-4306, CVE-2018-4309, CVE-2018-4311, CVE-2018-4312, CVE-2018-4314, CVE-2018-4315, CVE-2018-4316, CVE-2018-4317, CVE-2018-4318, CVE-2018-4319, CVE-2018-4323, CVE-2018-4328, CVE-2018-4358, CVE-2018-4359, CVE-2018-4361.
Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.
CVE-2018-4207 Versions affected: WebKitGTK+ before 2.20.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure.
CVE-2018-4208 Versions affected: WebKitGTK+ before 2.20.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure.
CVE-2018-4209 Versions affected: WebKitGTK+ before 2.20.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure.
CVE-2018-4210 Versions affected: WebKitGTK+ before 2.20.0. Credit to Google OSS-Fuzz. Unexpected interaction with indexing types caused a failure. An array indexing issue existed in the handling of a function in JavaScriptCore.
CVE-2018-4212 Versions affected: WebKitGTK+ before 2.20.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure.
CVE-2018-4213 Versions affected: WebKitGTK+ before 2.20.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure.
CVE-2018-4191 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure.
CVE-2018-4197 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2018-4299 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Samuel GroI2 (saelo) working with Trend Micro's Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4306 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2018-4309 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to an anonymous researcher working with Trend Micro's Zero Day Initiative. A malicious website may be able to execute scripts in the context of another website. A cross-site scripting issue existed in WebKit.
CVE-2018-4311 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Erling Alf Ellingsen (@steike). Cross-origin SecurityErrors includes the accessed frameas origin.
CVE-2018-4312 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2018-4314 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2018-4315 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2018-4316 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to crixer, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team. Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved state management.
CVE-2018-4317 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2018-4318 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2018-4319 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to John Pettitt of Google. A malicious website may cause unexepected cross-origin behavior. A cross-origin issue existed with iframe elements.
CVE-2018-4323 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4328 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Ivan Fratric of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4358 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to @phoenhex team (@bkth_ @5aelo @_niklasb) working with Trend Micro's Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4359 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Samuel GroA (@5aelo). Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4361 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to Google OSS-Fuzz. Unexpected interaction causes an ASSERT failure. A memory corruption issue was addressed with improved memory handling.
We recommend updating to the latest stable versions of WebKitGTK+ and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.
Further information about WebKitGTK+ and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.
The WebKitGTK+ and WPE WebKit team, September 26, 2018
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201904-1403",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "safari",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12"
},
{
"model": "watchos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "5.0"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "7.7"
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.0"
},
{
"model": "itunes",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.9"
},
{
"model": "icloud",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "for windows 7.7 (windows 7 or later )"
},
{
"model": "ios",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (ipad air or later )"
},
{
"model": "ios",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (iphone 5s or later )"
},
{
"model": "ios",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (ipod touch first 6 generation )"
},
{
"model": "itunes",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "for windows 12.9 (windows 7 or later )"
},
{
"model": "safari",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (macos high sierra 10.13.6)"
},
{
"model": "safari",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (macos mojave 10.14)"
},
{
"model": "safari",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (macos sierra 10.12.6)"
},
{
"model": "watchos",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "5 (apple watch series 1 or later )"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-014962"
},
{
"db": "NVD",
"id": "CVE-2018-4311"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:apple:icloud",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:apple:iphone_os",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:apple:itunes",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:apple:safari",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:apple:watchos",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-014962"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple",
"sources": [
{
"db": "PACKETSTORM",
"id": "150115"
},
{
"db": "PACKETSTORM",
"id": "149514"
},
{
"db": "PACKETSTORM",
"id": "149511"
},
{
"db": "PACKETSTORM",
"id": "150113"
},
{
"db": "PACKETSTORM",
"id": "149513"
},
{
"db": "PACKETSTORM",
"id": "149722"
}
],
"trust": 0.6
},
"cve": "CVE-2018-4311",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2018-4311",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-134342",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2018-4311",
"impactScore": 5.2,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-4311",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2018-4311",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201809-1166",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-134342",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-4311",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134342"
},
{
"db": "VULMON",
"id": "CVE-2018-4311"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-1166"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014962"
},
{
"db": "NVD",
"id": "CVE-2018-4311"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The issue was addressed by removing origin information. This issue affected versions prior to iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7. plural Apple There is a vulnerability related to information disclosure because the product does not properly handle origin information.Information may be obtained and information may be altered. Apple Safari, etc. are all products of Apple (Apple). Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. WebKit is one of the web browser engine components. An attacker could exploit this vulnerability to determine the source of an access frame. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 201812-04\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: WebkitGTK+: Multiple vulnerabilities\n Date: December 02, 2018\n Bugs: #667892\n ID: 201812-04\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in WebKitGTK+, the worst of\nwhich may lead to arbitrary code execution. \n\nBackground\n==========\n\nWebKitGTK+ is a full-featured port of the WebKit rendering engine,\nsuitable for projects requiring any kind of web integration, from\nhybrid HTML/CSS applications to full-fledged web browsers. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 net-libs/webkit-gtk \u003c 2.22.0 \u003e= 2.22.0 \n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in WebKitGTK+. Please\nreview the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll WebkitGTK+ users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-libs/webkit-gtk-2.22.0\"\n\nReferences\n==========\n\n[ 1 ] CVE-2018-4191\n https://nvd.nist.gov/vuln/detail/CVE-2018-4191\n[ 2 ] CVE-2018-4197\n https://nvd.nist.gov/vuln/detail/CVE-2018-4197\n[ 3 ] CVE-2018-4207\n https://nvd.nist.gov/vuln/detail/CVE-2018-4207\n[ 4 ] CVE-2018-4208\n https://nvd.nist.gov/vuln/detail/CVE-2018-4208\n[ 5 ] CVE-2018-4209\n https://nvd.nist.gov/vuln/detail/CVE-2018-4209\n[ 6 ] CVE-2018-4210\n https://nvd.nist.gov/vuln/detail/CVE-2018-4210\n[ 7 ] CVE-2018-4212\n https://nvd.nist.gov/vuln/detail/CVE-2018-4212\n[ 8 ] CVE-2018-4213\n https://nvd.nist.gov/vuln/detail/CVE-2018-4213\n[ 9 ] CVE-2018-4299\n https://nvd.nist.gov/vuln/detail/CVE-2018-4299\n[ 10 ] CVE-2018-4306\n https://nvd.nist.gov/vuln/detail/CVE-2018-4306\n[ 11 ] CVE-2018-4309\n https://nvd.nist.gov/vuln/detail/CVE-2018-4309\n[ 12 ] CVE-2018-4311\n https://nvd.nist.gov/vuln/detail/CVE-2018-4311\n[ 13 ] CVE-2018-4312\n https://nvd.nist.gov/vuln/detail/CVE-2018-4312\n[ 14 ] CVE-2018-4314\n https://nvd.nist.gov/vuln/detail/CVE-2018-4314\n[ 15 ] CVE-2018-4315\n https://nvd.nist.gov/vuln/detail/CVE-2018-4315\n[ 16 ] CVE-2018-4316\n https://nvd.nist.gov/vuln/detail/CVE-2018-4316\n[ 17 ] CVE-2018-4317\n https://nvd.nist.gov/vuln/detail/CVE-2018-4317\n[ 18 ] CVE-2018-4318\n https://nvd.nist.gov/vuln/detail/CVE-2018-4318\n[ 19 ] CVE-2018-4319\n https://nvd.nist.gov/vuln/detail/CVE-2018-4319\n[ 20 ] CVE-2018-4323\n https://nvd.nist.gov/vuln/detail/CVE-2018-4323\n[ 21 ] CVE-2018-4328\n https://nvd.nist.gov/vuln/detail/CVE-2018-4328\n[ 22 ] CVE-2018-4358\n https://nvd.nist.gov/vuln/detail/CVE-2018-4358\n[ 23 ] CVE-2018-4359\n https://nvd.nist.gov/vuln/detail/CVE-2018-4359\n[ 24 ] CVE-2018-4361\n https://nvd.nist.gov/vuln/detail/CVE-2018-4361\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201812-04\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. \n\nLicense\n=======\n\nCopyright 2018 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2018-9-24-4 Additional information for\nAPPLE-SA-2018-9-17-1 iOS 12\n\niOS 12 addresses the following:\n\nAccounts\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: A local app may be able to read a persistent account\nidentifier\nDescription: This issue was addressed with improved entitlements. \nCVE-2018-4322: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc. \n\nAuto Unlock\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: A malicious application may be able to access local users\nAppleIDs\nDescription: A validation issue existed in the entitlement\nverification. \nCVE-2018-4321: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc. \nEntry added September 24, 2018\n\nBluetooth\nAvailable for: iPhone SE, iPhone 6s, iPhone 6s Plus, iPhone 7,\niPhone 7 Plus, iPad Mini 4, 12.9-inch iPad Pro 1st generation,\n12.9-inch iPad Pro 2nd generation, 10.5-inch iPad Pro,\n9.7-inch iPad Pro, iPad 5th generation, and iPod Touch 6th generation\nImpact: An attacker in a privileged network position may be able to\nintercept Bluetooth traffic\nDescription: An input validation issue existed in Bluetooth. \nCVE-2018-5383: Lior Neumann and Eli Biham\n\nCoreMedia\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: An app may be able to learn information about the current\ncamera view before being granted camera access\nDescription: A permissions issue existed. \nCVE-2018-4356: an anonymous researcher\n\nCrash Reporter\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: An application may be able to read restricted memory\nDescription: A validation issue was addressed with improved input\nsanitization. \nCVE-2018-4333: Brandon Azad\nEntry added September 24, 2018\n\nIOMobileFrameBuffer\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: An application may be able to read restricted memory\nDescription: A validation issue was addressed with improved input\nsanitization. \nCVE-2018-4335: Brandon Azad\n\niTunes Store\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: An attacker in a privileged network position may be able to\nspoof password prompts in the iTunes Store\nDescription: An input validation issue was addressed with improved\ninput validation. \nCVE-2018-4305: Jerry Decime\n\nKernel\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: An application may be able to read restricted memory\nDescription: An input validation issue existed in the kernel. \nCVE-2018-4363: Ian Beer of Google Project Zero\n\nKernel\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4336: Brandon Azad\nCVE-2018-4344: The UK\u0027s National Cyber Security Centre (NCSC)\nEntry added September 24, 2018\n\nMessages\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: A local user may be able to discover a user\u0027s deleted\nmessages\nDescription: A consistency issue existed in the handling of\napplication snapshots. \nCVE-2018-4313: 11 anonymous researchers, David Scott, Enes Mert Ulu\nof Abdullah MA1/4rAide AzA1/4nenek Anadolu Lisesi - Ankara/TA1/4rkiye,\nMehmet Ferit DaAtan of Van YA1/4zA1/4ncA1/4 YA+-l University, Metin Altug\nKarakaya of Kaliptus Medical Organization, Vinodh Swami of Western\nGovernor\u0027s University (WGU)\n\nNotes\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: A local user may be able to discover a user\u0027s deleted notes\nDescription: A consistency issue existed in the handling of\napplication snapshots. \nCVE-2018-4352: an anonymous researcher\n\nSafari\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: A local user may be able to discover websites a user has\nvisited\nDescription: A consistency issue existed in the handling of\napplication snapshots. \nCVE-2018-4313: 11 anonymous researchers, David Scott, Enes Mert Ulu\nof Abdullah MA1/4rAide AzA1/4nenek Anadolu Lisesi - Ankara/TA1/4rkiye,\nMehmet Ferit DaAtan of Van YA1/4zA1/4ncA1/4 YA+-l University, Metin Altug\nKarakaya of Kaliptus Medical Organization, Vinodh Swami of Western\nGovernor\u0027s University (WGU)\n\nSafari\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: A user may be unable to delete browsing history items\nDescription: Clearing a history item may not clear visits with\nredirect chains. \nCVE-2018-4329: Hugo S. Diaz (coldpointblue)\n\nSafariViewController\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: Visiting a malicious website may lead to address bar spoofing\nDescription: An inconsistent user interface issue was addressed with\nimproved state management. \nCVE-2018-4362: Jun Kokatsu (@shhnjk)\n\nSecurity\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: A malicious website may be able to exfiltrate autofilled data\nin Safari\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2018-4307: Rafay Baloch of Pakistan Telecommunications Authority\n\nSecurity\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: An attacker may be able to exploit weaknesses in the RC4\ncryptographic algorithm\nDescription: This issue was addressed by removing RC4. \nCVE-2016-1777: Pepi Zawodsky\n\nStatus Bar\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: A person with physical access to an iOS device may be able to\ndetermine the last used app from the lock screen\nDescription: A logic issue was addressed with improved restrictions. \nCVE-2018-4325: Brian Adeloye\n\nWebKit\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A memory corruption issue was addressed with improved\nstate management. \nCVE-2018-4316: crixer, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan\nTeam\nEntry added September 24, 2018\n\nWebKit\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: Multiple memory corruption issues were addressed with\nimproved memory handling. \nCVE-2018-4319: John Pettitt of Google\nEntry added September 24, 2018\n\nWebKit\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A use after free issue was addressed with improved\nmemory management. \nCVE-2018-4345: an anonymous researcher\nEntry added September 24, 2018\n\nWebKit\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: Unexpected interaction causes an ASSERT failure\nDescription: A memory corruption issue was addressed with improved\nvalidation. \nCVE-2018-4191: found by OSS-Fuzz\nEntry added September 24, 2018\n\nWebKit\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: Cross-origin SecurityErrors includes the accessed frame\u0027s\norigin\nDescription: The issue was addressed by removing origin information. \nCVE-2018-4311: Erling Alf Ellingsen (@steike)\nEntry added September 24, 2018\n\nWebKit\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: A malicious website may be able to execute scripts in the\ncontext of another website\nDescription: A cross-site scripting issue existed in Safari. \nCVE-2018-4309: an anonymous researcher working with Trend Micro\u0027s\nZero Day Initiative\nEntry added September 24, 2018\n\nWebKit\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: Unexpected interaction causes an ASSERT failure\nDescription: A memory consumption issue was addressed with improved\nmemory handling. \nCVE-2018-4361: found by Google OSS-Fuzz\nEntry added September 24, 2018\n\nWi-Fi\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod\ntouch 6th generation\nImpact: An application may be able to read restricted memory\nDescription: A validation issue was addressed with improved input\nsanitization. \n\nconfigd\nWe would like to acknowledge Sabri Haddouche (@pwnsdx) of Wire Swiss\nGmbH for their assistance. \n\nCore Data\nWe would like to acknowledge Andreas Kurtz (@aykay) of NESO Security\nLabs GmbH for their assistance. \n\nExchange ActiveSync\nWe would like to acknowledge Jesse Thompson of University of\nWisconsin-Madison for their assistance. \n\nMail\nWe would like to acknowledge Alessandro Avagliano of Rocket\nInternet SE, Gunnar Diepenbruck, and Zbyszek A\u003e\u003eA3Akiewski for their\nassistance. \n\nMediaRemote\nWe would like to acknowledge Brandon Azad for their assistance. \n\nSafari\nWe would like to acknowledge Marcel Manz of SIMM-Comm GmbH and Vlad\nGalbin for their assistance. \n\nSecurity\nWe would like to acknowledge Christoph Sinai, Daniel Dudek\n(@dannysapples) of The Irish Times and Filip KlubiAka (@lemoncloak)\nof ADAPT Centre, Dublin Institute of Technology, Istvan Csanady of\nShapr3D, Omar Barkawi of ITG Software, Inc., Phil Caleno, Wilson\nDing, and an anonymous researcher for their assistance. \n\nSQLite\nWe would like to acknowledge Andreas Kurtz (@aykay) of NESO Security\nLabs GmbH for their assistance. \n\nStatus Bar\nWe would like to acknowledge Ju Zhu of Meituan and Moony Li and\nLilang Wu of Trend Micro for their assistance. \n\nWebKit\nWe would like to acknowledge Cary Hartline, Hanming Zhang from 360\nVuclan team, Tencent Keen Security Lab working with Trend Micro\u0027s\nZero Day Initiative, and Zach Malone of CA Technologies for their\nassistance. \n\nInstallation note:\n\nThis update is available through iTunes and Software Update on your\niOS device, and will not appear in your computer\u0027s Software Update\napplication, or in the Apple Downloads site. Make sure you have an\nInternet connection and have installed the latest version of iTunes\nfrom https://www.apple.com/itunes/\n\niTunes and Software Update on the device will automatically check\nApple\u0027s update server on its weekly schedule. When an update is\ndetected, it is downloaded and the option to be installed is\npresented to the user when the iOS device is docked. We recommend\napplying the update immediately if possible. Selecting Don\u0027t Install\nwill present the option the next time you connect your iOS device. \n\nThe automatic update process may take up to a week depending on the\nday that iTunes or the device checks for updates. You may manually\nobtain the update via the Check for Updates button within iTunes, or\nthe Software Update on your device. \n\nTo check that the iPhone, iPod touch, or iPad has been updated:\n\n* Navigate to Settings\n* Select General\n* Select About. The version after applying this update\nwill be \"iOS 12\". \n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCAAdFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlupFUMACgkQeC9tht7T\nK3Gpbg/9HBJDw9agGt5ZwLBzc5njAETI5Hxk0LDn5PjvmXpxD0kB/GcuH5vODNfi\nTOUNox5KfIIaD0HB1qo5zq4zdh1VmnCNKALJK0wY0U3KaACRghu0xTjpbXsYcYQy\n4aGdt+UuiPBqsMkSUrakba1JHcYWrpc4GfUaxIUZw+aFdA0G2oUOYAN5w3a3I01A\naVY1Qzq93MdUCjdr3ASXn4gdMtZeYAze4dXCkmvOXS8CPG4xok2C/MdwaTRKh1ex\nS74YkM+Oz+mAG+3uebwexeHWLUbFHKBr4KXu2DFvpJ4JxNu57SOqwEDDfauVOCHb\n13YFf+i+Zh5g9SODQJFXDXk6Cl6MlTuEsLcr1YX8xqmSLilaFJTiz7nxxAG0Qctb\nZ80wHbzQeGaGQwEy1A99X7X33PupzyaJFiK/4F8O5neo18LliunU01Tzk16sgYFt\n4Jg/e5+EkcGf1TJiCTMzIPDVsMBDRcTV9KMBUjr+LmbBJ5T8XKdg5nuEURKT3QFQ\nh05+La/AFn+sJ8FFTK0WQmvM96vKQELyBBC9Npa7n1riCPHldPt9+vQ3wVwo5MD4\nSdGfACevV+Qf8G1A064fM74nrJOnoqLowQiCtMSOpMx3PWwX0Pzw2SVyaFG3cLAv\n221+OCYYcniG7UPdjoFv7kObGFEUC9vt1TS76VfolzKWd/fcakg=\n=JOUe\n-----END PGP SIGNATURE-----\n. \nCVE-2018-4407: Kevin Backhouse of Semmle Ltd. \n\nAlternatively, on your watch, select \"My Watch \u003e General \u003e About\". \n\nInstallation note:\n\nSafari 12 may be obtained from the Mac App Store. -----------------------------------------------------------------------\nWebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0007\n------------------------------------------------------------------------\n\nDate reported : September 26, 2018\nAdvisory ID : WSA-2018-0007\nWebKitGTK+ Advisory URL : \nhttps://webkitgtk.org/security/WSA-2018-0007.html\nWPE WebKit Advisory URL : \nhttps://wpewebkit.org/security/WSA-2018-0007.html\nCVE identifiers : CVE-2018-4207, CVE-2018-4208, CVE-2018-4209,\n CVE-2018-4210, CVE-2018-4212, CVE-2018-4213,\n CVE-2018-4191, CVE-2018-4197, CVE-2018-4299,\n CVE-2018-4306, CVE-2018-4309, CVE-2018-4311,\n CVE-2018-4312, CVE-2018-4314, CVE-2018-4315,\n CVE-2018-4316, CVE-2018-4317, CVE-2018-4318,\n CVE-2018-4319, CVE-2018-4323, CVE-2018-4328,\n CVE-2018-4358, CVE-2018-4359, CVE-2018-4361. \n\nSeveral vulnerabilities were discovered in WebKitGTK+ and WPE WebKit. \n\nCVE-2018-4207\n Versions affected: WebKitGTK+ before 2.20.0. \n Credit to Google OSS-Fuzz. \n Unexpected interaction causes an ASSERT failure. \n\nCVE-2018-4208\n Versions affected: WebKitGTK+ before 2.20.0. \n Credit to Google OSS-Fuzz. \n Unexpected interaction causes an ASSERT failure. \n\nCVE-2018-4209\n Versions affected: WebKitGTK+ before 2.20.0. \n Credit to Google OSS-Fuzz. \n Unexpected interaction causes an ASSERT failure. \n\nCVE-2018-4210\n Versions affected: WebKitGTK+ before 2.20.0. \n Credit to Google OSS-Fuzz. \n Unexpected interaction with indexing types caused a failure. An\n array indexing issue existed in the handling of a function in\n JavaScriptCore. \n\nCVE-2018-4212\n Versions affected: WebKitGTK+ before 2.20.0. \n Credit to Google OSS-Fuzz. \n Unexpected interaction causes an ASSERT failure. \n\nCVE-2018-4213\n Versions affected: WebKitGTK+ before 2.20.0. \n Credit to Google OSS-Fuzz. \n Unexpected interaction causes an ASSERT failure. \n\nCVE-2018-4191\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Google OSS-Fuzz. \n Unexpected interaction causes an ASSERT failure. \n\nCVE-2018-4197\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Ivan Fratric of Google Project Zero. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. \n\nCVE-2018-4299\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Samuel GroI2 (saelo) working with Trend Micro\u0027s Zero Day\n Initiative. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. Multiple memory corruption issues were addressed\n with improved memory handling. \n\nCVE-2018-4306\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Ivan Fratric of Google Project Zero. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. \n\nCVE-2018-4309\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to an anonymous researcher working with Trend Micro\u0027s Zero\n Day Initiative. \n A malicious website may be able to execute scripts in the context of\n another website. A cross-site scripting issue existed in WebKit. \n\nCVE-2018-4311\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Erling Alf Ellingsen (@steike). \n Cross-origin SecurityErrors includes the accessed frameas origin. \n\nCVE-2018-4312\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Ivan Fratric of Google Project Zero. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. \n\nCVE-2018-4314\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Ivan Fratric of Google Project Zero. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. \n\nCVE-2018-4315\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Ivan Fratric of Google Project Zero. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. \n\nCVE-2018-4316\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to crixer, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan\n Team. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. A memory corruption issue was addressed with\n improved state management. \n\nCVE-2018-4317\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Ivan Fratric of Google Project Zero. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. \n\nCVE-2018-4318\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Ivan Fratric of Google Project Zero. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. \n\nCVE-2018-4319\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to John Pettitt of Google. \n A malicious website may cause unexepected cross-origin behavior. A\n cross-origin issue existed with iframe elements. \n\nCVE-2018-4323\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Ivan Fratric of Google Project Zero. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. Multiple memory corruption issues were addressed\n with improved memory handling. \n\nCVE-2018-4328\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Ivan Fratric of Google Project Zero. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. Multiple memory corruption issues were addressed\n with improved memory handling. \n\nCVE-2018-4358\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to @phoenhex team (@bkth_ @5aelo @_niklasb) working with\n Trend Micro\u0027s Zero Day Initiative. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. Multiple memory corruption issues were addressed\n with improved memory handling. \n\nCVE-2018-4359\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Samuel GroA (@5aelo). \n Processing maliciously crafted web content may lead to arbitrary\n code execution. Multiple memory corruption issues were addressed\n with improved memory handling. \n\nCVE-2018-4361\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to Google OSS-Fuzz. \n Unexpected interaction causes an ASSERT failure. A memory corruption\n issue was addressed with improved memory handling. \n\n\nWe recommend updating to the latest stable versions of WebKitGTK+ and\nWPE WebKit. It is the best way to ensure that you are running safe\nversions of WebKit. Please check our websites for information about the\nlatest stable releases. \n\nFurther information about WebKitGTK+ and WPE WebKit security advisories\ncan be found at: https://webkitgtk.org/security.html or\nhttps://wpewebkit.org/security/. \n\nThe WebKitGTK+ and WPE WebKit team,\nSeptember 26, 2018\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-4311"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014962"
},
{
"db": "VULHUB",
"id": "VHN-134342"
},
{
"db": "VULMON",
"id": "CVE-2018-4311"
},
{
"db": "PACKETSTORM",
"id": "150115"
},
{
"db": "PACKETSTORM",
"id": "150560"
},
{
"db": "PACKETSTORM",
"id": "149514"
},
{
"db": "PACKETSTORM",
"id": "149511"
},
{
"db": "PACKETSTORM",
"id": "150113"
},
{
"db": "PACKETSTORM",
"id": "149513"
},
{
"db": "PACKETSTORM",
"id": "149605"
},
{
"db": "PACKETSTORM",
"id": "149722"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-4311",
"trust": 3.4
},
{
"db": "JVN",
"id": "JVNVU92800088",
"trust": 0.8
},
{
"db": "JVN",
"id": "JVNVU93341447",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014962",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201809-1166",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-134342",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-4311",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "150115",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "150560",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149514",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149511",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "150113",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149513",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149605",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149722",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134342"
},
{
"db": "VULMON",
"id": "CVE-2018-4311"
},
{
"db": "PACKETSTORM",
"id": "150115"
},
{
"db": "PACKETSTORM",
"id": "150560"
},
{
"db": "PACKETSTORM",
"id": "149514"
},
{
"db": "PACKETSTORM",
"id": "149511"
},
{
"db": "PACKETSTORM",
"id": "150113"
},
{
"db": "PACKETSTORM",
"id": "149513"
},
{
"db": "PACKETSTORM",
"id": "149605"
},
{
"db": "PACKETSTORM",
"id": "149722"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-1166"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014962"
},
{
"db": "NVD",
"id": "CVE-2018-4311"
}
]
},
"id": "VAR-201904-1403",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-134342"
}
],
"trust": 0.01
},
"last_update_date": "2025-12-22T23:15:21.550000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "HT209141",
"trust": 0.8,
"url": "https://support.apple.com/en-us/HT209141"
},
{
"title": "HT209106",
"trust": 0.8,
"url": "https://support.apple.com/en-us/HT209106"
},
{
"title": "HT209108",
"trust": 0.8,
"url": "https://support.apple.com/en-us/HT209108"
},
{
"title": "HT209109",
"trust": 0.8,
"url": "https://support.apple.com/en-us/HT209109"
},
{
"title": "HT209140",
"trust": 0.8,
"url": "https://support.apple.com/en-us/HT209140"
},
{
"title": "HT209106",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/HT209106"
},
{
"title": "HT209108",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/HT209108"
},
{
"title": "HT209109",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/HT209109"
},
{
"title": "HT209140",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/HT209140"
},
{
"title": "HT209141",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/HT209141"
},
{
"title": "Multiple Apple product WebKit Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85200"
},
{
"title": "Ubuntu Security Notice: webkit2gtk vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3781-1"
},
{
"title": "BleepingComputer",
"trust": 0.1,
"url": "https://www.bleepingcomputer.com/news/security/apple-releases-security-updates-for-ios-and-icloud-fixes-passcode-bypass/"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-4311"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-1166"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014962"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-200",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134342"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014962"
},
{
"db": "NVD",
"id": "CVE-2018-4311"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4311"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht209106"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht209108"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht209109"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht209140"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht209141"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4319"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4191"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4299"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4311"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu93341447/index.html"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu92800088/index.html"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4323"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4318"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4361"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4309"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4315"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4197"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4316"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4359"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4317"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4306"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4358"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4312"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4328"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4314"
},
{
"trust": 0.6,
"url": "https://support.apple.com/kb/ht201222"
},
{
"trust": 0.6,
"url": "https://www.apple.com/support/security/pgp/"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4345"
},
{
"trust": 0.2,
"url": "https://support.apple.com/ht204283"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4126"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4360"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4347"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4208"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4213"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4212"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4209"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4210"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4207"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4307"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4336"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4305"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4344"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4313"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1777"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4329"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/200.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "http://seclists.org/fulldisclosure/2018/sep/45"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/3781-1/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4412"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4414"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/glsa/201812-04"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://www.apple.com/itunes/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4338"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4322"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4335"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4325"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4333"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4321"
},
{
"trust": 0.1,
"url": "https://www.apple.com/itunes/download/"
},
{
"trust": 0.1,
"url": "https://support.apple.com/kb/ht204641"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4203"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4332"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4401"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4383"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4343"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4340"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4304"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4354"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4399"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4395"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4331"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4341"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4337"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4363"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4195"
},
{
"trust": 0.1,
"url": "https://www.tencent.com)"
},
{
"trust": 0.1,
"url": "https://wpewebkit.org/security/."
},
{
"trust": 0.1,
"url": "https://wpewebkit.org/security/wsa-2018-0007.html"
},
{
"trust": 0.1,
"url": "https://webkitgtk.org/security.html"
},
{
"trust": 0.1,
"url": "https://webkitgtk.org/security/wsa-2018-0007.html"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134342"
},
{
"db": "VULMON",
"id": "CVE-2018-4311"
},
{
"db": "PACKETSTORM",
"id": "150115"
},
{
"db": "PACKETSTORM",
"id": "150560"
},
{
"db": "PACKETSTORM",
"id": "149514"
},
{
"db": "PACKETSTORM",
"id": "149511"
},
{
"db": "PACKETSTORM",
"id": "150113"
},
{
"db": "PACKETSTORM",
"id": "149513"
},
{
"db": "PACKETSTORM",
"id": "149605"
},
{
"db": "PACKETSTORM",
"id": "149722"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-1166"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014962"
},
{
"db": "NVD",
"id": "CVE-2018-4311"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-134342"
},
{
"db": "VULMON",
"id": "CVE-2018-4311"
},
{
"db": "PACKETSTORM",
"id": "150115"
},
{
"db": "PACKETSTORM",
"id": "150560"
},
{
"db": "PACKETSTORM",
"id": "149514"
},
{
"db": "PACKETSTORM",
"id": "149511"
},
{
"db": "PACKETSTORM",
"id": "150113"
},
{
"db": "PACKETSTORM",
"id": "149513"
},
{
"db": "PACKETSTORM",
"id": "149605"
},
{
"db": "PACKETSTORM",
"id": "149722"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-1166"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014962"
},
{
"db": "NVD",
"id": "CVE-2018-4311"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-04-03T00:00:00",
"db": "VULHUB",
"id": "VHN-134342"
},
{
"date": "2019-04-03T00:00:00",
"db": "VULMON",
"id": "CVE-2018-4311"
},
{
"date": "2018-10-31T16:10:39",
"db": "PACKETSTORM",
"id": "150115"
},
{
"date": "2018-12-03T21:06:30",
"db": "PACKETSTORM",
"id": "150560"
},
{
"date": "2018-09-25T16:28:22",
"db": "PACKETSTORM",
"id": "149514"
},
{
"date": "2018-09-25T16:20:49",
"db": "PACKETSTORM",
"id": "149511"
},
{
"date": "2018-10-31T16:10:19",
"db": "PACKETSTORM",
"id": "150113"
},
{
"date": "2018-09-25T16:25:47",
"db": "PACKETSTORM",
"id": "149513"
},
{
"date": "2018-10-01T17:13:20",
"db": "PACKETSTORM",
"id": "149605"
},
{
"date": "2018-10-09T16:58:43",
"db": "PACKETSTORM",
"id": "149722"
},
{
"date": "2018-09-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-1166"
},
{
"date": "2019-04-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-014962"
},
{
"date": "2019-04-03T18:29:06.673000",
"db": "NVD",
"id": "CVE-2018-4311"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-04-08T00:00:00",
"db": "VULHUB",
"id": "VHN-134342"
},
{
"date": "2019-04-08T00:00:00",
"db": "VULMON",
"id": "CVE-2018-4311"
},
{
"date": "2020-07-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-1166"
},
{
"date": "2019-04-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-014962"
},
{
"date": "2024-11-21T04:07:10.270000",
"db": "NVD",
"id": "CVE-2018-4311"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201809-1166"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural Apple Information disclosure vulnerability in products",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-014962"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201809-1166"
}
],
"trust": 0.6
}
}
GSD-2018-4311
Vulnerability from gsd - Updated: 2023-12-13 01:22{
"GSD": {
"alias": "CVE-2018-4311",
"description": "The issue was addressed by removing origin information. This issue affected versions prior to iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7.",
"id": "GSD-2018-4311",
"references": [
"https://www.suse.com/security/cve/CVE-2018-4311.html",
"https://ubuntu.com/security/CVE-2018-4311"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-4311"
],
"details": "The issue was addressed by removing origin information. This issue affected versions prior to iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7.",
"id": "GSD-2018-4311",
"modified": "2023-12-13T01:22:28.239088Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "product-security@apple.com",
"ID": "CVE-2018-4311",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iOS, watchOS, Safari, iTunes for Windows, iCloud for Windows",
"version": {
"version_data": [
{
"version_value": "Versions prior to: iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The issue was addressed by removing origin information. This issue affected versions prior to iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-origin SecurityErrors includes the accessed frame\u2019s origin"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.apple.com/kb/HT209141",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209141"
},
{
"name": "https://support.apple.com/kb/HT209140",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209140"
},
{
"name": "https://support.apple.com/kb/HT209106",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209106"
},
{
"name": "https://support.apple.com/kb/HT209108",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209108"
},
{
"name": "https://support.apple.com/kb/HT209109",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209109"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "12.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "12",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "12.9",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apple:icloud:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "7.7",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "product-security@apple.com",
"ID": "CVE-2018-4311"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The issue was addressed by removing origin information. This issue affected versions prior to iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.apple.com/kb/HT209141",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209141"
},
{
"name": "https://support.apple.com/kb/HT209140",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209140"
},
{
"name": "https://support.apple.com/kb/HT209109",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209109"
},
{
"name": "https://support.apple.com/kb/HT209108",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209108"
},
{
"name": "https://support.apple.com/kb/HT209106",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209106"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2
}
},
"lastModifiedDate": "2019-04-08T14:07Z",
"publishedDate": "2019-04-03T18:29Z"
}
}
}
FKIE_CVE-2018-4311
Vulnerability from fkie_nvd - Published: 2019-04-03 18:29 - Updated: 2024-11-21 04:07{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3D250753-EC40-4DEB-B1A7-B2E2E872D705",
"versionEndExcluding": "12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37A59AD6-A000-48BE-A575-D1A39DCB0D88",
"versionEndExcluding": "12.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "397E2910-7F1A-4576-B28D-E5796DE20CC8",
"versionEndExcluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apple:icloud:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E92A7FC9-12AE-4E07-BA72-0A4075119426",
"versionEndExcluding": "7.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48FFD64E-C6DE-41EA-A70C-3E25F133901F",
"versionEndExcluding": "12.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The issue was addressed by removing origin information. This issue affected versions prior to iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7."
},
{
"lang": "es",
"value": "El problema se abord\u00f3 eliminando la informaci\u00f3n de origen. El problema afectaba a iOS en versiones anteriores a la 12, watchOS en versiones anteriores a la 5, Safari en versiones anteriores a la 12, iTunes para Windows en versiones anteriores a la 12.9 y iCloud para Windows en versiones anteriores a la 7.7."
}
],
"id": "CVE-2018-4311",
"lastModified": "2024-11-21T04:07:10.270",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-03T18:29:06.673",
"references": [
{
"source": "product-security@apple.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209106"
},
{
"source": "product-security@apple.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209108"
},
{
"source": "product-security@apple.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209109"
},
{
"source": "product-security@apple.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209140"
},
{
"source": "product-security@apple.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209141"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209106"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209108"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209109"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209140"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209141"
}
],
"sourceIdentifier": "product-security@apple.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CNVD-2018-24563
Vulnerability from cnvd - Published: 2018-12-04厂商已发布漏洞修复程序,请及时关注更新: https://support.apple.com/en-us/HT209140
| Name | ['Apple iOS <12', 'Apple watchOS <5', 'Apple iTunes for Windows <12.9', 'Apple tvOS <12', 'Apple Safari <12'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2018-4311"
}
},
"description": "Apple iOS\u7b49\u90fd\u662f\u7f8e\u56fd\u82f9\u679c\uff08Apple\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Apple iOS\u662f\u4e3a\u79fb\u52a8\u8bbe\u5907\u6240\u5f00\u53d1\u7684\u4e00\u5957\u64cd\u4f5c\u7cfb\u7edf\uff1bSafari\u662f\u4e00\u6b3eWeb\u6d4f\u89c8\u5668\uff0c\u662fMac OS X\u548ciOS\u64cd\u4f5c\u7cfb\u7edf\u9644\u5e26\u7684\u9ed8\u8ba4\u6d4f\u89c8\u5668\u3002iTunes for Windows\u662f\u4e00\u6b3e\u57fa\u4e8eWindows\u5e73\u53f0\u7684\u5a92\u4f53\u64ad\u653e\u5668\u5e94\u7528\u7a0b\u5e8f\u3002WebKit\u662f\u5176\u4e2d\u7684\u4e00\u4e2aWeb\u6d4f\u89c8\u5668\u5f15\u64ce\u7ec4\u4ef6\u3002\n\n\u591a\u6b3eApple\u4ea7\u54c1\u4e2d\u7684WebKit\u7ec4\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
"discovererName": "Erling Alf Ellingsen (@steike)",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.apple.com/en-us/HT209140",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2018-24563",
"openTime": "2018-12-04",
"patchDescription": "Apple iOS\u7b49\u90fd\u662f\u7f8e\u56fd\u82f9\u679c\uff08Apple\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Apple iOS\u662f\u4e3a\u79fb\u52a8\u8bbe\u5907\u6240\u5f00\u53d1\u7684\u4e00\u5957\u64cd\u4f5c\u7cfb\u7edf\uff1bSafari\u662f\u4e00\u6b3eWeb\u6d4f\u89c8\u5668\uff0c\u662fMac OS X\u548ciOS\u64cd\u4f5c\u7cfb\u7edf\u9644\u5e26\u7684\u9ed8\u8ba4\u6d4f\u89c8\u5668\u3002iTunes for Windows\u662f\u4e00\u6b3e\u57fa\u4e8eWindows\u5e73\u53f0\u7684\u5a92\u4f53\u64ad\u653e\u5668\u5e94\u7528\u7a0b\u5e8f\u3002WebKit\u662f\u5176\u4e2d\u7684\u4e00\u4e2aWeb\u6d4f\u89c8\u5668\u5f15\u64ce\u7ec4\u4ef6\u3002\r\n\r\n\u591a\u6b3eApple\u4ea7\u54c1\u4e2d\u7684WebKit\u7ec4\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "\u591a\u6b3eApple\u4ea7\u54c1WebKit\u5185\u5b58\u7834\u574f\u6f0f\u6d1e\uff08CNVD-2018-24563\uff09\u7684\u8865\u4e01",
"products": {
"product": [
"Apple iOS \u003c12",
"Apple watchOS \u003c5",
"Apple iTunes for Windows \u003c12.9",
"Apple tvOS \u003c12",
"Apple Safari \u003c12"
]
},
"referenceLink": "https://support.apple.com/en-us/HT209140",
"serverity": "\u9ad8",
"submitTime": "2018-09-26",
"title": "\u591a\u6b3eApple\u4ea7\u54c1WebKit\u5185\u5b58\u7834\u574f\u6f0f\u6d1e\uff08CNVD-2018-24563\uff09"
}
GHSA-8XVX-25F3-W9X7
Vulnerability from github – Published: 2022-05-14 01:11 – Updated: 2022-05-14 01:11The issue was addressed by removing origin information. This issue affected versions prior to iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7.
{
"affected": [],
"aliases": [
"CVE-2018-4311"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-03T18:29:00Z",
"severity": "HIGH"
},
"details": "The issue was addressed by removing origin information. This issue affected versions prior to iOS 12, watchOS 5, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7.",
"id": "GHSA-8xvx-25f3-w9x7",
"modified": "2022-05-14T01:11:29Z",
"published": "2022-05-14T01:11:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4311"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209106"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209108"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209109"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209140"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209141"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
CERTFR-2018-AVI-474
Vulnerability from certfr_avis - Published: 2018-10-09 - Updated: 2018-10-09
De multiples vulnérabilités ont été découvertes dans Apple iCloud. Elles permettent à un attaquant de provoquer une exécution de code arbitraire, un contournement de la politique de sécurité et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
None| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "iCloud versions 7.6 et ant\u00e9rieures pour Windows",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-4359",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4359"
},
{
"name": "CVE-2018-4361",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4361"
},
{
"name": "CVE-2018-4328",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4328"
},
{
"name": "CVE-2018-4319",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4319"
},
{
"name": "CVE-2018-4299",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4299"
},
{
"name": "CVE-2018-4323",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4323"
},
{
"name": "CVE-2018-4315",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4315"
},
{
"name": "CVE-2018-4317",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4317"
},
{
"name": "CVE-2018-4318",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4318"
},
{
"name": "CVE-2018-4316",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4316"
},
{
"name": "CVE-2018-4309",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4309"
},
{
"name": "CVE-2018-4191",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4191"
},
{
"name": "CVE-2018-4358",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4358"
},
{
"name": "CVE-2018-4306",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4306"
},
{
"name": "CVE-2018-4312",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4312"
},
{
"name": "CVE-2018-4197",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4197"
},
{
"name": "CVE-2018-4345",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4345"
},
{
"name": "CVE-2018-4311",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4311"
},
{
"name": "CVE-2018-4314",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4314"
}
],
"initial_release_date": "2018-10-09T00:00:00",
"last_revision_date": "2018-10-09T00:00:00",
"links": [],
"reference": "CERTFR-2018-AVI-474",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-10-09T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Apple iCloud. Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire,\nun contournement de la politique de s\u00e9curit\u00e9 et une injection de code\nindirecte \u00e0 distance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple iCloud",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209141 du 8 octobre 2018",
"url": "https://support.apple.com/fr-fr/HT209141"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.