CVE-2009-2072 — Improper Authentication in Apple Safari

CWE-287 — Improper Authentication2 documents2 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 87.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Safari

Timeline

PublishedJun 15

Latest updateMay 2

Description

Apple Safari does not require a cached certificate before displaying a lock icon for an https web site, which allows man-in-the-middle attackers to spoof an arbitrary https site by sending the browser a crafted (1) 4xx or (2) 5xx CONNECT response page for an https request sent through a proxy server.

CVSS vector

AV:A/AC:M/C:P/I:P/A:PExploitability: 5.5 | Impact: 6.4

Affected Packages1 packages

▶NVDapple/safari3.2.1+53

🔴Vulnerability Details

GHSA

GHSA-g3x9-82h5-gj65: Apple Safari does not require a cached certificate before displaying a lock icon for an https web site, which allows man-in-the-middle attackers to sp↗2022-05-02

▶