CVE-2017-7064 : An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iClo

An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. The issue involves the "WebKit" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.

Published 2017-07-20 16:29:02

Updated 2019-05-10 19:19:46

Source Apple Inc.

View at NVD, CVE.org

Vulnerability category: Input validation

Exploit prediction scoring system (EPSS) score for CVE-2017-7064

Probability of exploitation activity in the next 30 days: 0.16%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 51 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2017-7064

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.5	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2017-7064

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-7064

https://support.apple.com/HT207928

About the security content of iTunes 12.6.2 for Windows - Apple Support
Vendor Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1038950

Apple iOS Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, Spoof URLs, Conduct Cross-Site Scripting Attacks, Bypass Security, and Obtain Potentially Sensitive information and Let
Third Party Advisory;VDB Entry

CVEs referencing this url
https://support.apple.com/HT207921

About the security content of Safari 10.1.2 - Apple Support
Vendor Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/99890

Apple iTunes/iCloud/Safari/iOS Multiple Security Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
https://www.exploit-db.com/exploits/42375/

WebKit JSC - 'JSArray::appendMemcpy' Uninitialized Memory Copy
Exploit;Third Party Advisory;VDB Entry
https://support.apple.com/HT207923

About the security content of iOS 10.3.3 - Apple Support
Vendor Advisory

CVEs referencing this url
https://support.apple.com/HT207927

About the security content of iCloud for Windows 6.2.2 - Apple Support
Vendor Advisory

CVEs referencing this url

Products affected by CVE-2017-7064

Apple » Safari
Versions up to, including, (<=) 10.1.1
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
Matching versions
Apple » Itunes
Versions up to, including, (<=) 12.6.1
cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A
Apple » Iphone Os
Versions up to, including, (<=) 10.3.2
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Matching versions
Apple » Icloud
Versions up to, including, (<=) 6.2.1
cpe:2.3:a:apple:icloud:*:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A

Vulnerability Details : CVE-2017-7064

Exploit prediction scoring system (EPSS) score for CVE-2017-7064

CVSS scores for CVE-2017-7064

CWE ids for CVE-2017-7064

References for CVE-2017-7064

Products affected by CVE-2017-7064