CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
EPSS
Percentile
69.8%
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before
8.0.8, as used in iOS before 8.4.1 and other products, does not enforce the
HTTP Strict Transport Security (HSTS) protection mechanism for Content
Security Policy (CSP) report requests, which allows man-in-the-middle
attackers to obtain sensitive information by sniffing the network or spoof
a report by modifying the client-server data stream.
Author | Note |
---|---|
jdstrand | webkit receives limited support. For details, see https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8 |
lists.apple.com/archives/security-announce/2015/Aug/msg00000.html
lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
launchpad.net/bugs/cve/CVE-2015-3750
nvd.nist.gov/vuln/detail/CVE-2015-3750
security-tracker.debian.org/tracker/CVE-2015-3750
support.apple.com/kb/HT205030
support.apple.com/kb/HT205033
www.cve.org/CVERecord?id=CVE-2015-3750