Vulnerability CVE-2010-1386

Vulnerability Name:

CVE-2010-1386 (CCN-61244)

Assigned:

2010-03-17

Published:

2010-03-17

Updated:

2011-08-23

Summary:

page/Geolocation.cpp in WebCore in WebKit before r56188 and before 1.2.5 does not properly restrict access to the lastPosition function, which has unspecified impact and remote attack vectors, aka rdar problem 7746357.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
7.4 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Other

References:

Source: MITRE
Type: CNA
CVE-2010-1386

Source: SUSE
Type: UNKNOWN
SUSE-SR:2011:002

Source: SECUNIA
Type: Vendor Advisory
41856

Source: SECUNIA
Type: Vendor Advisory
43068

Source: CONFIRM
Type: UNKNOWN
http://security-tracker.debian.org/tracker/CVE-2010-1386

Source: CONFIRM
Type: UNKNOWN
http://trac.webkit.org/changeset/56188

Source: CCN
Type: WebKit Web site
WebKit

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2011:039

Source: CCN
Type: OSVDB ID: 67295
WebKit WebCore page/Geolocation.cpp lastPosition Function Access Restriction Weakness

Source: BID
Type: UNKNOWN
42500

Source: CCN
Type: BID-42500
WebKit CVE-2010-1386 Information Disclosure Vulnerability

Source: UBUNTU
Type: UNKNOWN
USN-1006-1

Source: VUPEN
Type: Vendor Advisory
ADV-2010-2722

Source: VUPEN
Type: Vendor Advisory
ADV-2011-0212

Source: VUPEN
Type: Vendor Advisory
ADV-2011-0552

Source: CCN
Type: WebKit Bugzilla:Bug 36255
Remove Geolocation.lastPosition, no longer in the spec.

Source: CONFIRM
Type: UNKNOWN
https://bugs.webkit.org/show_bug.cgi?id=36255

Source: XF
Type: UNKNOWN
webkit-geolocation-unspecified(61244)

Source: SUSE
Type: SUSE-SR:2010:015
SUSE Security Summary Report

Source: SUSE
Type: SUSE-SR:2011:002
SUSE Security Summary Report

Vulnerable Configuration:

Configuration 1:

cpe:/a:apple:webkit:r50173:*:*:*:*:*:*:*

OR cpe:/a:apple:webkit:*:*:*:*:*:*:*:* (Version <= r56187)

Configuration CCN 1:

cpe:/a:apple:webkit:*:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20101386	V	CVE-2010-1386	2015-11-16

BACK