CVE-2016-4583 : WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 all

WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to bypass the Same Origin Policy and obtain image date from an unintended web site via a timing attack involving an SVG document.

Published 2016-07-22 02:59:06

Updated 2025-04-12 10:46:41

Source Apple Inc.

View at NVD, CVE.org

Products affected by CVE-2016-4583

Apple » Webkit » Version: N/A
cpe:2.3:a:apple:webkit:-:*:*:*:*:*:*:*
Matching versions
When used together with: Apple » Safari
When used together with: Apple » Iphone Os
When used together with: Apple » Tvos
Webkitgtk » Webkitgtk+
Versions before (<) 2.12.2
cpe:2.3:a:webkitgtk:webkitgtk\+:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-4583

EPSS FAQ

0.74%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 71 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-4583

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.6	LOW	AV:N/AC:H/Au:N/C:P/I:N/A:N	4.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
3.1	LOW	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N	1.6	1.4	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2016-4583

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-4583

https://support.apple.com/HT206905

About the security content of tvOS 9.2.2 - Apple Support
Vendor Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1036343

Apple Safari Multiple Bugs Let Remote Users Obtain Potentially Sensitive Information, Deny Service, Execute Arbitrary Code, and Spoof User Interface Elements - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html

Apple - Lists.apple.com
Mailing List;Vendor Advisory

CVEs referencing this url
https://support.apple.com/HT206900

About the security content of Safari 9.1.2 - Apple Support
Vendor Advisory

CVEs referencing this url
https://support.apple.com/HT206902

About the security content of iOS 9.3.3 - Apple Support
Vendor Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/138502/WebKitGTK-SOP-Bypass-Information-Disclosure.html

WebKitGTK+ SOP Bypass / Information Disclosure ≈ Packet Storm
Third Party Advisory;VDB Entry

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html

Apple - Lists.apple.com
Mailing List;Vendor Advisory

CVEs referencing this url
http://www.securityfocus.com/archive/1/539295/100/0/threaded

SecurityFocus
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.securityfocus.com/bid/91830

Apple iOS/tvOS/Safari Multiple Security Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2016/Jul/msg00004.html

Apple - Lists.apple.com
Mailing List;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-4583

Products affected by CVE-2016-4583

Exploit prediction scoring system (EPSS) score for CVE-2016-4583

CVSS scores for CVE-2016-4583

CWE ids for CVE-2016-4583

References for CVE-2016-4583