Vulnerability Description
Apple Safari does not require a cached certificate before displaying a lock icon for an https web site, which allows man-in-the-middle attackers to spoof an arbitrary https site by sending the browser a crafted (1) 4xx or (2) 5xx CONNECT response page for an https request sent through a proxy server.
CVSS Score
MEDIUM (CVSS base score 5.4/10)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apple | Safari | <= 3.2.1 |
Related Weaknesses (CWE)
References
- http://research.microsoft.com/apps/pubs/default.aspx?id=79323
- http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf
- http://www.securityfocus.com/bid/35411
FAQ
What is CVE-2009-2072?
CVE-2009-2072 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Apple Safari does not require a cached certificate before displaying a lock icon for an https web site, which allows man-in-the-middle attackers to spoof an arbitrary https site by sending the browser...
How severe is CVE-2009-2072?
CVE-2009-2072 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-2072?
Check the references section above for vendor advisories and patch information. Affected products include: Apple Safari.