#VU11411 Information disclosure in Apple iOS - CVE-2018-4117


Vulnerability identifier: #VU11411

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-4117

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apple iOS
Operating systems & Components / Operating system

Vendor: Apple Inc.

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to input validation flaw in the WebKit component fetch API. A remote attacker can bypass cross-origin restrictions and obtain potentially sensitive information.

Mitigation
Update to version 11.3.

Vulnerable software versions

Apple iOS: 11.2 - 11.2.6

External links
https://support.apple.com/en-us/HT208693

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


OpenSUSE Linux update for webkit2gtk3
Gentoo update for Chromium, Google Chrome
Gentoo update for WebkitGTK+
Fedora EPEL 7 update for chromium
Fedora 28 update for chromium
Fedora 27 update for chromium
Red Hat update for Google Chrome
OpenSUSE Linux update for Chromium
SUSE Linux update for chromium
Debian update for chromium-browser