JVNDB-2007-000727

[Japanese]
JVNDB-2007-000727
Safari allows access from HTTP to HTTPS
Overview
Apple Safari contains a vulnerability that allows a remote attacker to access HTTPS content via an HTTP session. Safari is a default web browser installed in Mac OS X and iPhone. Safari contains a vulnerability that allows a remote attacker to access web page contents protected by SSL/TLS from an HTTP page in the same domain.
CVSS Severity (What is CVSS?)
CVSS V2 Severity: Base Metrics 4.0 (Medium) [IPA Score] Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
Affected Products

Apple Inc. Safari 3.0.3 and earlier for Mac OS X, Windows XP / Vista Apple Mac OS X v10.4 - v10.4.10 iPhone v1.1.1 before

Impact
A remote attacker could obtain or change the web page contents protected by SSL/TLS from an HTTP page in the same domain.
Solution
[Update the Software] Apply the latest updates provided by the vendor. For more information, refer to the vendor's website.
Vendor Information
Apple Inc. Apple Security Updates : About the security content of the iPhone 1.1.1 Update Apple Security Updates : About the security content of Mac OS X 10.4.11 and Security Update 2007-008 Apple Security Updates : About the security content of Safari 3 Beta Update 3.0.4
CWE (What is CWE?)
Improper Input Validation(CWE-20) [NVD Evaluation]
CVE (What is CVE?)
CVE-2007-4671
References
JVN : JVN#79013771 National Vulnerability Database (NVD) : CVE-2007-4671 Secunia Advisory : SA26983 SecurityFocus : 25852 ISS X-Force Database : 36862 SecurityTracker : 1018752 FrSIRT Advisories : FrSIRT/ADV-2007-3287
Revision History
[2008/05/21] Web page published


Date Public	2007/10/01
Date First Published	2008/05/21
Date Last Updated	2008/05/21

Safari allows access from HTTP to HTTPS