Safari vulnerable to local file content disclosure


Safari contains a vulnerability where a local file may be accessed from remote, which may result in a local file content disclosure.

Masahiro YAMADA reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products

Apple Inc.
  • Safari prior to 6.0.1


By opening a specially crafted HTML document as a local file, an arbitrary local file may be obtained from remote even though access from other users is restricted.

[Update the software]
Update to the latest version according to the information provided by the developer.

For Windows:
As of October 23, 2012, Safari for Windows which addresses to this issue is not available. Please stop use of Safari for Windows.
Vendor Information

Apple Inc.
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2012-3713

  1. JVN : JVN#42676559
  2. National Vulnerability Database (NVD) : CVE-2012-3713
Revision History

  Web page was published