Vulnerability Name:

CVE-2009-2062 (CCN-51202)

Assigned:2009-05-01
Published:2009-05-01
Updated:2017-08-17
Summary:Apple Safari before 3.2.2 processes a 3xx HTTP CONNECT response before a successful SSL handshake, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying this CONNECT response to specify a 302 redirect to an arbitrary https web site.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-287
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2009-2062

Source: CCN
Type: Microsoft Research Web site
Pretty-Bad-Proxy: An Overlooked Adversary in BrowsersÂ’ HTTPS Deployments

Source: MISC
Type: UNKNOWN
http://research.microsoft.com/apps/pubs/default.aspx?id=79323

Source: MISC
Type: UNKNOWN
http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf

Source: CCN
Type: Apple Safari Web site
Safari

Source: CCN
Type: OSVDB ID: 56491
Apple Safari 3xx CONNECT Response Pre-SSL Handshake MiTM Arbitrary Script Execution

Source: CCN
Type: OSVDB ID: 56846
Apple Mac OS X CFNetwork Certificate Warning 302 Redirection Scenario Open Redirect Weakness

Source: BID
Type: UNKNOWN
35412

Source: CCN
Type: BID-35412
Multiple Browsers Web Proxy Redirect Handling Man In The Middle Vulnerability

Source: XF
Type: UNKNOWN
safari-httpconnect-code-execution(51202)

Source: XF
Type: UNKNOWN
safari-httpconnect-code-execution(51202)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apple:safari:0.8:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:0.9:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0:beta:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.0b1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.0b2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.3:85.8:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.3:85.8.1:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.3.2:312.5:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.3.2:312.6:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.3:417.8:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.3:417.9:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.3:417.9.2:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.3:417.9.3:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.3_417.9.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.4_419.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0_pre:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.0b:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.1:beta:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.1b:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.2b:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.3:522.15.5:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.3b:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.4_beta:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.4b:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.1.0b:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:*:*:*:*:*:*:*:* (Version <= 3.2.1)

    • Configuration CCN 1:
  • cpe:/a:apple:safari:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.4_beta:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.1:beta:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0:beta:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.0b1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.0b2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.0b:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.2b:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.3b:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.4b:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.1.0b:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.3:85.8:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.0.3:85.8.1:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.3.2:312.5:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.3.2:312.6:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.3:417.8:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.3:417.9:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.3:417.9.2:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.3:417.9.3:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.3:417.9.3:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0.4_419.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:2.0_pre:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.3:522.15.5:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:0.8:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:0.9:*:*:*:*:*:*:*
  • AND
  • cpe:/o:mandriva:linux:2009.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.0:-:x86_64:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.1:*:*:*:x86_64:*:*:*

    • * Denotes that component is vulnerable
    BACK
    apple safari 0.8
    apple safari 0.9
    apple safari 1.0
    apple safari 1.0 beta
    apple safari 1.0 beta2
    apple safari 1.0.0
    apple safari 1.0.0b1
    apple safari 1.0.0b2
    apple safari 1.0.1
    apple safari 1.0.2
    apple safari 1.0.3
    apple safari 1.0.3 85.8
    apple safari 1.0.3 85.8.1
    apple safari 1.1
    apple safari 1.1.0
    apple safari 1.1.1
    apple safari 1.2
    apple safari 1.2.0
    apple safari 1.2.1
    apple safari 1.2.2
    apple safari 1.2.3
    apple safari 1.2.4
    apple safari 1.2.5
    apple safari 1.3
    apple safari 1.3.0
    apple safari 1.3.1
    apple safari 1.3.2
    apple safari 1.3.2 312.5
    apple safari 1.3.2 312.6
    apple safari 2
    apple safari 2.0
    apple safari 2.0.0
    apple safari 2.0.1
    apple safari 2.0.2
    apple safari 2.0.3
    apple safari 2.0.3 417.8
    apple safari 2.0.3 417.9
    apple safari 2.0.3 417.9.2
    apple safari 2.0.3 417.9.3
    apple safari 2.0.3_417.9.3
    apple safari 2.0.4
    apple safari 2.0.4_419.3
    apple safari 2.0_pre
    apple safari 3
    apple safari 3.0
    apple safari 3.0.0
    apple safari 3.0.0b
    apple safari 3.0.1
    apple safari 3.0.1 beta
    apple safari 3.0.1b
    apple safari 3.0.2
    apple safari 3.0.2b
    apple safari 3.0.3
    apple safari 3.0.3 522.15.5
    apple safari 3.0.3b
    apple safari 3.0.4
    apple safari 3.0.4_beta
    apple safari 3.0.4b
    apple safari 3.1
    apple safari 3.1.0
    apple safari 3.1.0b
    apple safari 3.1.1
    apple safari 3.1.2
    apple safari 3.2
    apple safari 3.2.0
    apple safari *
    apple safari 1.2.3
    apple safari 1.2.4
    apple safari 1.2.5
    apple safari 2.0.2
    apple safari 2.0.4
    apple safari 3.0.1
    apple safari 3.0.2
    apple safari 3.0.3
    apple safari 3.0.4_beta
    apple safari 3.1
    apple safari 3.0.1 beta
    apple safari 2.0.3
    apple safari 2.0.1
    apple safari 1.3.1
    apple safari 1.3
    apple safari 1.2.2
    apple safari 1.2.1
    apple safari 1.2
    apple safari 1.1
    apple safari 1.0
    apple safari 3
    apple safari 1.0 beta
    apple safari 1.0 beta2
    apple safari 1.1.1
    apple safari 2
    apple safari 2.0
    apple safari 3.0
    apple safari 3.0.4
    apple safari 3.1.1
    apple safari 3.1.2
    apple safari 3.2
    apple safari 3.2.1
    apple safari 1.0.0
    apple safari 1.0.0b1
    apple safari 1.0.0b2
    apple safari 1.0.1
    apple safari 1.0.2
    apple safari 1.1.0
    apple safari 1.2.0
    apple safari 1.3.0
    apple safari 2.0.0
    apple safari 3.0.0
    apple safari 3.0.0b
    apple safari 3.0.2b
    apple safari 3.0.3b
    apple safari 3.0.4b
    apple safari 3.1.0
    apple safari 3.1.0b
    apple safari 1.0.3
    apple safari 1.0.3 85.8
    apple safari 1.0.3 85.8.1
    apple safari 1.3.2
    apple safari 1.3.2 312.5
    apple safari 1.3.2 312.6
    apple safari 2.0.3 417.8
    apple safari 2.0.3 417.9
    apple safari 2.0.3 417.9.2
    apple safari 2.0.3 417.9.3
    apple safari 2.0.3 417.9.3
    apple safari 2.0.4_419.3
    apple safari 2.0_pre
    apple safari 3.0.3 522.15.5
    apple safari 0.8
    apple safari 0.9
    mandriva linux 2009.0
    mandriva linux 2009.0 -
    mandriva linux 2009.1
    mandriva linux 2009.1