CVE-2016-4763

MEDIUM

Description

WKWebView in WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 does not properly verify X.509 certificates from HTTPS servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

References

http://lists.apple.com/archives/security-announce/2016/Sep/msg00007.html

http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html

http://lists.apple.com/archives/security-announce/2016/Sep/msg00012.html

http://www.securityfocus.com/bid/93066

http://www.securitytracker.com/id/1036854

https://support.apple.com/HT207143

https://support.apple.com/HT207157

https://support.apple.com/HT207158

Details

Source: MITRE

Published: 2016-09-25

Updated: 2017-07-30

Type: CWE-310

Risk Information

CVSS v2.0

Base Score: 4.9

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 6.8

Severity: MEDIUM

CVSS v3.0

Base Score: 6.8

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Impact Score: 5.2

Exploitability Score: 1.6

Severity: MEDIUM