CVE-2017-2369
published 2017-02-20


Priority: P2 · 62 · high
CVSS 3.0 base score: 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 6.02% (92.4th percentile)
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. tvOS before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

Affected (8 ranges)

Vendor    | Product    | Version range                         | Fixed in
apple     | ios        |                                       |
apple     | iphone_os  | < 10.2.1                              | 10.2.1
apple     | safari     | < 10.0.3                              | 10.0.3
apple     | safari     |                                       |
apple     | tvos       | < 10.1.1                              | 10.1.1
apple     | tvos       |                                       |
debian    | webkit2gtk | < webkit2gtk 2.14.4-1 (bookworm)      | webkit2gtk 2.14.4-1 (bookworm)
webkitgtk | webkitgtk  | < 2.16.3                              | 2.16.3

Detection & IOCs (extracted from sources)

  • Exploit triggers type confusion via HTMLKeygenElement by prepending a text node into a shadow tree container obtained from caretRangeFromPoint, then toggling the element's disabled property — look for this JS pattern in web content
  • Vulnerability class is HTMLKeygenElement type confusion in WebKit; monitor for crafted web pages manipulating <keygen> elements combined with shadow DOM / caret range APIs
  • Affected versions: iOS before 10.2.1, Safari before 10.0.3, tvOS before 10.1.1 — detections are only relevant against unpatched instances of these products
  • Debian WebKitGTK packages are resolved/fixed at version 2.14.4-1 across all tracked suites (bookworm, bullseye, forky, sid, trixie)

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 8.8   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv           |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | LOW      |