CVE-2009-1709
Apple Safari SVG Set.targetElement() Memory Corruption Vulnerability
Severity Score
9.3
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Use-after-free vulnerability in the garbage-collection implementation in WebCore in WebKit in Apple Safari before 4.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption and application crash) via an SVG animation element, related to SVG set objects, SVG marker elements, the targetElement attribute, and unspecified "caches."
Vulnerabilidad de uso después de la liberación en la implementación de la recolección de basura en WebCore en WebKit en Apple Safari anteriores a v4.0 que permite a los atacantes remotos ejecutar arbitrariamente código o causar una denegación de servicio (corrupción de memoria dinámica y caída de la aplicación) a través de un elemento de animación SVG, en relación a objetos establecidos SVG, elementos indicadores SVG, el atributo targetElement, y "caches" no especificadas.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
The specific flaw exists in the garbage collection of JavaScript set elements in WebCore. When an SVG set object is appended to an SVG marker element that is dereferenced, calls to the targetElement attribute will fail to reference count the marker element. When the set element is appended to another object, subsequent calls to the targetElement attribute will result in a heap corruption which can be leveraged to execute arbitrary code under the context of the current user.
*Credits:
Anonymous
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2009-05-20 CVE Reserved
- 2009-06-08 CVE Published
- 2024-08-07 CVE Updated
- 2024-11-13 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-399: Resource Management Errors
- CWE-416: Use After Free
CAPEC
References (20)
| URL | Tag | Source |
|---|---|---|
| http://osvdb.org/55013 | Vdb Entry | |
| http://secunia.com/advisories/35576 | Third Party Advisory | |
| http://secunia.com/advisories/36461 | Third Party Advisory | |
| http://secunia.com/advisories/43068 | Third Party Advisory | |
| http://securitytracker.com/id?1022345 | Vdb Entry | |
| http://www.securityfocus.com/bid/35260 | Vdb Entry | |
| http://www.securityfocus.com/bid/35334 | Vdb Entry | |
| http://www.vupen.com/english/advisories/2011/0212 | Vdb Entry | |
| http://www.zerodayinitiative.com/advisories/ZDI-09-034 | X_refsource_misc |
|
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10162 | Signature |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html | 2018-10-03 | |
| http://support.apple.com/kb/HT3613 | 2018-10-03 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html | 2018-10-03 | |
| http://secunia.com/advisories/35379 | 2018-10-03 | |
| http://www.mandriva.com/security/advisories?name=MDVSA-2010:182 | 2018-10-03 | |
| http://www.redhat.com/support/errata/RHSA-2009-1130.html | 2018-10-03 | |
| http://www.vupen.com/english/advisories/2009/1522 | 2018-10-03 | |
| https://usn.ubuntu.com/823-1 | 2018-10-03 | |
| https://access.redhat.com/security/cve/CVE-2009-1709 | 2009-06-25 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=506246 | 2009-06-25 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | <= 4.0_beta Search vendor "Apple" for product "Safari" and version " <= 4.0_beta" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 0.8 Search vendor "Apple" for product "Safari" and version "0.8" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 0.9 Search vendor "Apple" for product "Safari" and version "0.9" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 1.0 Search vendor "Apple" for product "Safari" and version "1.0" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 1.0.3 Search vendor "Apple" for product "Safari" and version "1.0.3" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 1.1 Search vendor "Apple" for product "Safari" and version "1.1" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 1.2 Search vendor "Apple" for product "Safari" and version "1.2" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 1.3 Search vendor "Apple" for product "Safari" and version "1.3" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 1.3.1 Search vendor "Apple" for product "Safari" and version "1.3.1" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 1.3.2 Search vendor "Apple" for product "Safari" and version "1.3.2" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 2.0 Search vendor "Apple" for product "Safari" and version "2.0" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 2.0.2 Search vendor "Apple" for product "Safari" and version "2.0.2" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 2.0.4 Search vendor "Apple" for product "Safari" and version "2.0.4" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.0 Search vendor "Apple" for product "Safari" and version "3.0" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.0.2 Search vendor "Apple" for product "Safari" and version "3.0.2" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.0.3 Search vendor "Apple" for product "Safari" and version "3.0.3" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.0.4 Search vendor "Apple" for product "Safari" and version "3.0.4" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.1 Search vendor "Apple" for product "Safari" and version "3.1" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.1.1 Search vendor "Apple" for product "Safari" and version "3.1.1" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.1.2 Search vendor "Apple" for product "Safari" and version "3.1.2" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.2.1 Search vendor "Apple" for product "Safari" and version "3.2.1" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.2.3 Search vendor "Apple" for product "Safari" and version "3.2.3" | mac |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | <= 3.2.3 Search vendor "Apple" for product "Safari" and version " <= 3.2.3" | windows |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.0 Search vendor "Apple" for product "Safari" and version "3.0" | windows |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.0.1 Search vendor "Apple" for product "Safari" and version "3.0.1" | windows |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.0.2 Search vendor "Apple" for product "Safari" and version "3.0.2" | windows |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.0.3 Search vendor "Apple" for product "Safari" and version "3.0.3" | windows |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.0.4 Search vendor "Apple" for product "Safari" and version "3.0.4" | windows |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.1 Search vendor "Apple" for product "Safari" and version "3.1" | windows |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.1.1 Search vendor "Apple" for product "Safari" and version "3.1.1" | windows |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.1.2 Search vendor "Apple" for product "Safari" and version "3.1.2" | windows |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.2 Search vendor "Apple" for product "Safari" and version "3.2" | windows |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.2.1 Search vendor "Apple" for product "Safari" and version "3.2.1" | windows |
Affected
| ||||||
| Apple Search vendor "Apple" | Safari Search vendor "Apple" for product "Safari" | 3.2.2 Search vendor "Apple" for product "Safari" and version "3.2.2" | windows |
Affected
| ||||||