ID CVE-2009-1690
Summary Use-after-free vulnerability in WebKit, as used in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome 1.0.154.53, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by setting an unspecified property of an HTML tag that causes child elements to be freed and later accessed when an HTML error occurs, related to "recursion in certain DOM event handlers."
References
Vulnerable Configurations
  • cpe:2.3:a:apple:safari:3.1.1:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.1.1:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.1:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.1:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.1.2:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.1.2:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:1.3.2:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:1.3.2:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:2.0:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:2.0:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:0.9:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:0.9:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.3:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.3:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:0.8:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:0.8:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:1.0:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:1.0:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:2.0.2:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:2.0.2:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:2.0.4:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:2.0.4:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:1.1:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:1.1:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:1.3.1:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:1.3.1:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.2.3:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.2.3:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.4:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.4:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:1.2:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:1.2:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:1.0b1:-:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:1.0b1:-:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:2.0.4:-:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:2.0.4:-:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.0:-:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.0:-:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.1:-:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.1:-:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.2:-:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.2:-:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.3:-:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.3:-:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.4:-:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.4:-:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.1.0:-:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.1.0:-:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.2.1:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.2.1:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:1.0.3:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:1.0.3:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:1.3:*:mac:*:*:*:*:*
    cpe:2.3:a:apple:safari:1.3:*:mac:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.3:*:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.3:*:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.4:*:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.4:*:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.0b:-:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.0b:-:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.1b:-:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.1b:-:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.2b:-:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.2b:-:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.3b:-:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.3b:-:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.4b:-:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.4b:-:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.1.0b:-:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.1.0b:-:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.1.1b:-:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.1.1b:-:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.1.2b:-:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.1.2b:-:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.2.0b:-:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.2.0b:-:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.2.1b:-:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.2.1b:-:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.2.2b:-:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.2.2b:-:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.1:*:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.1:*:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.1.1:*:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.1.1:*:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.2:*:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.2:*:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0:*:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0:*:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.0.1:*:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.0.1:*:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.2.1:*:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.2.1:*:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.2.2:*:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.2.2:*:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.1.2:*:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.1.2:*:windows:*:*:*:*:*
  • cpe:2.3:a:apple:safari:3.2:-:windows:*:*:*:*:*
    cpe:2.3:a:apple:safari:3.2:-:windows:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.3:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.3:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.5:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.5:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.0:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.0:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.1:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.1:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.0:-:ipodtouch:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.0:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.0.0:-:ipodtouch:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.0.0:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.0.1:-:ipodtouch:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.0.1:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.2:-:ipodtouch:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.2:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.1:-:ipodtouch:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.1:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.0.0:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.0.0:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.4:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.4:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.0.2:-:ipodtouch:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.0.2:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.0.2:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.2:-:ipodtouch:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.2:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.0.2:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.0.2:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.0.0:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.3:-:ipodtouch:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.3:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.1:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.1:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.2:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.2:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.2:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.3:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.3:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.5:-:ipodtouch:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.5:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.0:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.0.1:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.0.1:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.4:-:ipodtouch:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.4:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.0.1:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.2.1:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.2.1:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.1:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.5:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.5:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.2.1:-:ipodtouch:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.2.1:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.4:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.4:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.0.0:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1.0:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1.0:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.0:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.0:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.0.1:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.0.1:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.2:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.2:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.1:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:1.0.2:-:iphone:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:1.0.2:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.0.2:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:2.0.1:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:google:chrome:1.0.154.53:*:*:*:*:*:*:*
    cpe:2.3:a:google:chrome:1.0.154.53:*:*:*:*:*:*:*
CVSS
Base: 9.3 (as of 26-09-2019 - 17:05)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:C/A:C
oval via4
accepted 2013-04-29T04:10:42.458-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Use-after-free vulnerability in WebKit, as used in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome 1.0.154.53, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by setting an unspecified property of an HTML tag that causes child elements to be freed and later accessed when an HTML error occurs, related to "recursion in certain DOM event handlers."
family unix
id oval:org.mitre.oval:def:11009
status accepted
submitted 2010-07-09T03:56:16-04:00
title Use-after-free vulnerability in WebKit, as used in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome 1.0.154.53, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by setting an unspecified property of an HTML tag that causes child elements to be freed and later accessed when an HTML error occurs, related to "recursion in certain DOM event handlers."
version 30
redhat via4
rpms
  • kdelibs-6:3.3.1-14.el4
  • kdelibs-6:3.5.4-22.el5_3
  • kdelibs-apidocs-6:3.5.4-22.el5_3
  • kdelibs-debuginfo-6:3.3.1-14.el4
  • kdelibs-debuginfo-6:3.5.4-22.el5_3
  • kdelibs-devel-6:3.3.1-14.el4
  • kdelibs-devel-6:3.5.4-22.el5_3
refmap via4
apple
  • APPLE-SA-2009-06-08-1
  • APPLE-SA-2009-06-17-1
bid 35260
confirm
debian DSA-1950
fedora
  • FEDORA-2009-8020
  • FEDORA-2009-8039
  • FEDORA-2009-8046
  • FEDORA-2009-8049
idefense 20090608 Multiple Vendor WebKit Error Handling Use After Free Vulnerability
mandriva MDVSA-2009:330
osvdb 54990
sectrack 1022345
secunia
  • 35379
  • 36057
  • 36062
  • 36790
  • 37746
  • 43068
suse SUSE-SR:2011:002
ubuntu
  • USN-822-1
  • USN-836-1
  • USN-857-1
vupen
  • ADV-2009-1522
  • ADV-2009-1621
  • ADV-2011-0212
Last major update 26-09-2019 - 17:05
Published 10-06-2009 - 14:30
Last modified 26-09-2019 - 17:05
Back to Top