CVE-2016-4591
Publication date 21 July 2016
Last updated 24 July 2024
Ubuntu priority
WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 mishandles the location variable, which allows remote attackers to access the local filesystem via unspecified vectors.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| qtwebkit-opensource-src | ||
| 16.04 LTS xenial | Ignored no update available | |
| 14.04 LTS trusty | Not in release | |
| qtwebkit-source | ||
| 16.04 LTS xenial | Ignored no update available | |
| 14.04 LTS trusty | Not in release | |
| webkit | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| webkit2gtk | ||
| 16.04 LTS xenial |
Fixed 2.12.5-0ubuntu0.16.04.1
|
|
| 14.04 LTS trusty | Not in release | |
| webkitgtk | ||
| 16.04 LTS xenial | Ignored no update available | |
| 14.04 LTS trusty | Not in release | |
Notes
jdstrand
webkit receives limited support. For details, see https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-3079-1
- WebKitGTK+ vulnerabilities
- 14 September 2016
Other references
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00004.html
- https://support.apple.com/HT206900
- https://support.apple.com/HT206902
- https://support.apple.com/HT206905
- https://webkitgtk.org/security/WSA-2016-0005.html
- https://www.cve.org/CVERecord?id=CVE-2016-4591