MEDIUM · 6.8

CVE-2009-2816


Vulnerability Description

The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4.0.4 and Google Chrome before 3.0.195.33, includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web page.

CVSS Score

6.8

MEDIUM

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P (CVSS v2: network access vector, medium access complexity, no authentication required)
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL

Affected Products

Vendor           Product      Versions
Apple            Safari       < 4.0.4
Google           Chrome       < 3.0.195.33
Apple            iPhone OS    < 4.0
openSUSE         openSUSE     11.2
Fedora Project   Fedora       11

Related Weaknesses (CWE)

References

FAQ

What is CVE-2009-2816?

CVE-2009-2816 is a vulnerability with a CVSS score of 6.8 (MEDIUM). The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4.0.4 and Google Chrome before 3.0.195.33, includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web page.

How severe is CVE-2009-2816?

CVE-2009-2816 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2009-2816?

Check the references section above for vendor advisories and patch information. Affected products include: Apple Safari, Google Chrome, Apple iPhone OS, openSUSE, and Fedora.