Vulnerability CVE-2017-13797

Vulnerability Name:

CVE-2017-13797 (CCN-134743)

Assigned:

2017-10-31

Published:

2017-10-31

Updated:

2019-03-08

Summary:

An issue was discovered in certain Apple products. iOS before 11.1 is affected. Safari before 11.0.1 is affected. iCloud before 7.1 on Windows is affected. iTunes before 12.7.1 on Windows is affected. tvOS before 11.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

CVSS v3 Severity:

8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-119

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2017-13797

Source: XF
Type: UNKNOWN
apple-cve201713797-code-exec(134743)

Source: CCN
Type: Packet Storm Security [11-22-2017]
WebKit WebCore::PositionIterator::decrement Use-After-Free

Source: CCN
Type: Apple security document HT208221
About the security content of macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan

Source: CCN
Type: Apple security document HT208222
About the security content of iOS 11.1

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/HT208219

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/HT208222

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/HT208223

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/HT208224

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/HT208225

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [11-22-2017]

Source: EXPLOIT-DB
Type: Exploit, Third Party Advisory, VDB Entry
43168

Vulnerable Configuration:

Configuration 1:

cpe:/a:apple:icloud:*:*:*:*:*:*:*:* (Version < 7.1)

OR cpe:/a:apple:itunes:*:*:*:*:*:*:*:* (Version < 12.7.1)

OR cpe:/a:apple:safari:*:*:*:*:*:*:*:* (Version < 11.0.1)

OR cpe:/o:apple:iphone_os:*:*:*:*:*:*:*:* (Version < 11.1)

OR cpe:/o:apple:tvos:*:*:*:*:*:*:*:* (Version < 11.1)

Configuration CCN 1:

cpe:/a:apple:icloud:7.7::~~~windows~~:*:*:*:*:*

OR cpe:/o:apple:tvos:11.0:*:*:*:*:*:*:*

OR cpe:/o:apple:ios:11:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.artful:def:201713797000	V	CVE-2017-13797 on Ubuntu 17.10 (artful) - medium.	2017-11-12
oval:com.ubuntu.xenial:def:201713797000	V	CVE-2017-13797 on Ubuntu 16.04 LTS (xenial) - medium.	2017-11-12
oval:com.ubuntu.xenial:def:2017137970000000	V	CVE-2017-13797 on Ubuntu 16.04 LTS (xenial) - medium.	2017-11-12

BACK