[Japanese]

JVNDB-2012-000088

Safari vulnerable to local file content disclosure

Overview

Safari contains a vulnerability where a local file may be accessed from remote, which may result in a local file content disclosure.

Masahiro YAMADA reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products


Apple Inc.
  • Safari prior to 6.0.1

Impact

By opening a specially crafted HTML document as a local file, an arbitrary local file may be obtained from remote even though access from other users is restricted.
Solution

[Update the software]
Update to the latest version according to the information provided by the developer.

For Windows:
As of October 23, 2012, Safari for Windows which addresses to this issue is not available. Please stop use of Safari for Windows.
Vendor Information

Apple Inc.
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2012-3713
References

  1. JVN : JVN#42676559
  2. National Vulnerability Database (NVD) : CVE-2012-3713
Revision History

[2012/10/23]
  Web page was published