CVE-2017-7161 — Command Injection in Apple Safari

CWE-77 — Command Injection8 documents7 sources

Severity

8.8HIGHNVD

EPSS

0.9%

top 24.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Safari Debian Webkit2gtk Canonical Ubuntu Linux

Timeline

PublishedApr 3

Latest updateMay 13

Description

An issue was discovered in certain Apple products. Safari before 11.0.2 is affected. The issue involves the "WebKit Web Inspector" component. It allows remote attackers to execute arbitrary code via special characters that trigger command injection.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDapple/safari< 11.0.2

▶Appleapple/safari11.0.2

▶debiandebian/webkit2gtk< webkit2gtk 2.18.6-1 (bookworm)

Also affects: Ubuntu Linux 16.04, 17.10

🔴Vulnerability Details

GHSA

GHSA-fqwp-42q8-85r2: An issue was discovered in certain Apple products↗2022-05-13

▶

OSV

CVE-2017-7161: An issue was discovered in certain Apple products↗2018-04-03

▶

OSV

webkit2gtk vulnerabilities↗2018-01-30

▶

📋Vendor Advisories

Ubuntu

WebKitGTK+ vulnerabilities↗2018-01-30

▶

Apple

CVE-2017-7161: Safari 11.0.2↗2017-12-06

▶

Debian

CVE-2017-7161: webkit2gtk - An issue was discovered in certain Apple products. Safari before 11.0.2 is affec...↗2017

▶

💬Community

Bugzilla

RCE via "copy as curl" on mac↗2019-01-06

▶