Vulnerability CVE-2010-0044

Vulnerability Name:

CVE-2010-0044 (CCN-56830)

Assigned:

2009-12-15

Published:

2010-03-11

Updated:

2017-09-19

Summary:

PubSub in Apple Safari before 4.0.5 does not properly implement use of the Accept Cookies preference to block cookies, which makes it easier for remote web servers to track users by setting a cookie in a (1) RSS or (2) Atom feed.
Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html

'PubSub
CVE-ID: CVE-2010-0044
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later,
Windows 7, Vista, XP
Impact: Visiting or updating a feed may result in a cookie being
set, even if Safari is configured to block cookies
Description: An implementation issue exists in the handling of
cookies set by RSS and Atom feeds. Visiting or updating a feed may
result in a cookie being set, even if Safari is configured to block
cookies via the "Accept Cookies" preference. This update addresses
the issue by respecting the preference while updating or viewing
feeds.'
Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html

'Safari 4.0.5 is available via the Apple Software Update application,
or Apple's Safari download site at:
http://www.apple.com/safari/download/'

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-16

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2010-0044

Source: APPLE
Type: Vendor Advisory
APPLE-SA-2010-03-11-1

Source: OSVDB
Type: UNKNOWN
62937

Source: CCN
Type: SA38932
Apple Safari Multiple Vulnerabilities

Source: CCN
Type: Apple Web site
About the security content of Safari 4.0.5

Source: CONFIRM
Type: Vendor Advisory
http://support.apple.com/kb/HT4070

Source: CCN
Type: OSVDB ID: 62937
Apple Safari PubSub Accept Cookies Implementation Weakness User Tracking Information Disclosure

Source: BID
Type: Patch
38671

Source: CCN
Type: BID-38671
RETIRED: Apple Safari Prior to 4.0.5 Multiple Security Vulnerabilities

Source: BID
Type: Patch
38675

Source: CCN
Type: BID-38675
Apple Safari Prior to 4.0.5 Configuration Bypass Weakness

Source: XF
Type: UNKNOWN
safari-pubsub-security-bypass(56830)

Source: XF
Type: UNKNOWN
safari-pubsub-security-bypass(56830)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:7051

Vulnerable Configuration:

Configuration 1:

cpe:/a:apple:safari:4.0:*:*:*:*:*:*:*

OR cpe:/a:apple:safari:4.0.0b:*:*:*:*:*:*:*

OR cpe:/a:apple:safari:4.0.1:*:*:*:*:*:*:*

OR cpe:/a:apple:safari:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:apple:safari:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:apple:safari:*:*:*:*:*:*:*:* (Version <= 4.0.4)

Configuration CCN 1:

cpe:/a:apple:safari:4:beta:windows:*:*:*:*:*

OR cpe:/a:apple:safari:4.0:*:*:*:*:*:*:*

OR cpe:/a:apple:safari:4.0.1:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_7:*:*:*:*:*:*:*:*

OR cpe:/a:apple:safari:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:apple:safari:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:apple:safari:4.0.4:*:*:*:*:*:*:*

AND

cpe:/o:apple:mac_os_x:10.4.11:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.4.11:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.5.8:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.5.8:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.6.1:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.6.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:7051	V	Apple Safari Prior to 4.0.5 Configuration Bypass Weakness	2013-11-11
oval:com.ubuntu.cosmic:def:201000440000000	V	CVE-2010-0044 on Ubuntu 18.10 (cosmic) - low.	2010-03-15
oval:com.ubuntu.artful:def:20100044000	V	CVE-2010-0044 on Ubuntu 17.10 (artful) - low.	2010-03-15
oval:com.ubuntu.trusty:def:20100044000	V	CVE-2010-0044 on Ubuntu 14.04 LTS (trusty) - low.	2010-03-15
oval:com.ubuntu.bionic:def:201000440000000	V	CVE-2010-0044 on Ubuntu 18.04 LTS (bionic) - low.	2010-03-15
oval:com.ubuntu.bionic:def:20100044000	V	CVE-2010-0044 on Ubuntu 18.04 LTS (bionic) - low.	2010-03-15
oval:com.ubuntu.xenial:def:20100044000	V	CVE-2010-0044 on Ubuntu 16.04 LTS (xenial) - low.	2010-03-15
oval:com.ubuntu.xenial:def:201000440000000	V	CVE-2010-0044 on Ubuntu 16.04 LTS (xenial) - low.	2010-03-15
oval:com.ubuntu.cosmic:def:20100044000	V	CVE-2010-0044 on Ubuntu 18.10 (cosmic) - low.	2010-03-15
oval:com.ubuntu.disco:def:201000440000000	V	CVE-2010-0044 on Ubuntu 19.04 (disco) - low.	2010-03-15
oval:com.ubuntu.precise:def:20100044000	V	CVE-2010-0044 on Ubuntu 12.04 LTS (precise) - low.	2010-03-15

BACK