Vulnerability Description
WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, sends an https URL in the Referer header of an http request in certain circumstances involving https to http redirection, which allows remote HTTP servers to obtain potentially sensitive information via standard HTTP logging, a related issue to CVE-2010-0660.
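The leak described above lands in the plain-http server's access log, so the defender-side check is to look for https Referer values in the logs of http-only hosts. The following is an added example, not code from the advisory or from WebKit; the log lines are constructed in combined log format and the host they came from is assumed to serve only http.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines (Apache/nginx combined log format), assumed to come
# from an http-only host. Line 1 shows the pattern the CVE describes: an https
# referer, query string included, arriving on a plain http request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2010:12:00:01 +0000] "GET /landing HTTP/1.1" 200 512 "https://bank.example/account?session=abc123" "Mozilla/5.0 AppleWebKit/531.22"
203.0.113.8 - - [10/Jun/2010:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://partner.example/" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2010:12:00:03 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def redact_referer(referer):
    """Keep only scheme and host so the review output does not re-expose the leaked path/query."""
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}/..."

def find_https_referer_leaks(log_text):
    """Return one finding per http request whose Referer header carried an https URL."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if entry is None:
            continue
        referer = entry["referer"]
        if referer.lower().startswith("https://"):
            findings.append({
                "ip": entry["ip"],
                "request": entry["request"],
                "referer": redact_referer(referer),
                # A query string in the leaked URL is the worst case (tokens, session ids).
                "has_query": bool(urlsplit(referer).query),
                "user_agent": entry["ua"],
            })
    return findings

if __name__ == "__main__":
    for f in find_https_referer_leaks(SAMPLE_LOG):
        print(f)
```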
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apple | Safari | <= 4.0.5 |
| Apple | WebKit | All versions |
| Apple | Mac OS X | 10.5 |
| Apple | Mac OS X Server | 10.5 |
| Microsoft | Windows 7 | All versions |
| Microsoft | Windows Vista | All versions |
| Microsoft | Windows XP | All versions |
Related Weaknesses (CWE)
References
- http://lists.apple.com/archives/security-announce/2010/Jun/msg00000.html (Patch, Vendor Advisory)
- http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
- http://secunia.com/advisories/40105 (Vendor Advisory)
- http://secunia.com/advisories/41856
- http://secunia.com/advisories/43068
- http://securitytracker.com/id?1024067
- http://support.apple.com/kb/HT4196 (Vendor Advisory)
- http://support.apple.com/kb/HT4225
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:039
- http://www.securityfocus.com/bid/40620 (Patch)
- http://www.ubuntu.com/usn/USN-1006-1
- http://www.vupen.com/english/advisories/2010/1373 (Patch, Vendor Advisory)
- http://www.vupen.com/english/advisories/2010/2722
- http://www.vupen.com/english/advisories/2011/0212
FAQ
What is CVE-2010-1406?
CVE-2010-1406 is a vulnerability with a CVSS score of 4.3 (MEDIUM). WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, sends an https URL in the Referer header of an http request in certain circumstances involving https to http redirection, which allows remote HTTP servers to obtain potentially sensitive information via standard HTTP logging.
How severe is CVE-2010-1406?
CVE-2010-1406 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2010-1406?
Check the references section above for vendor advisories and patch information. Affected products include: Apple Safari, Apple WebKit, Apple Mac OS X, Apple Mac OS X Server, Microsoft Windows 7.