CVE-2009-2816: CSRF
First published: Fri Sep 25 2009(Updated: )
A security flaw was found in the WebKit's Cross-Origin Resource Sharing (CORS) implementation. Quoting exact details from the WebKit advisory: Before allowing a page from one origin to access a resource in another origin, WebKit sends a preflight request, to determine if the origin server for the resource being accessed will allow the resource to be shared. WebKit includes custom HTTP headers specified by the requesting page in the preflight request. This can result in unexpected actions being initiated on the cross-origin site without user consent. This issue is addressed by dropping custom HTTP headers from preflight requests. Upstream bug: ------------- <a href="https://bugs.webkit.org/show_bug.cgi?id=28446">https://bugs.webkit.org/show_bug.cgi?id=28446</a> Upstream patch: --------------- <a href="http://trac.webkit.org/changeset/47494">http://trac.webkit.org/changeset/47494</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| iStyle @cosme iPhone OS | <4.0 | |
| Apple Mobile Safari | <4.0.4 | |
| Google Chrome (Trace Event) | <3.0.195.33 | |
| SUSE Linux | =11.2 | |
| SUSE Linux | =11.3 | |
| Fedora | =11 | |
| Fedora | =12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://support.apple.com/kb/HT3949
- http://lists.apple.com/archives/security-announce/2009/Nov/msg00001.html
- https://bugzilla.redhat.com/show_bug.cgi?id=525789
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00545.html
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00549.html
- http://secunia.com/advisories/37346
- http://www.vupen.com/english/advisories/2009/3217
- http://www.securityfocus.com/bid/36997
- http://secunia.com/advisories/37358
- http://www.vupen.com/english/advisories/2009/3233
- http://secunia.com/advisories/37397
- http://osvdb.org/59940
- http://osvdb.org/59967
- http://www.securitytracker.com/id?1023165
- http://secunia.com/advisories/37393
- http://support.apple.com/kb/HT4225
- http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html
- http://secunia.com/advisories/43068
- http://www.vupen.com/english/advisories/2011/0212
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54239
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6516
- https://bugs.webkit.org/show_bug.cgi?id=28446
- http://trac.webkit.org/changeset/47494
- http://threatpost.com/en_us/blogs/apple-patches-critical-safari-vulnerabilities-111109
- http://admin.fedoraproject.org/updates/qt-4.5.3-9.fc12
Frequently Asked Questions
What is the severity of CVE-2009-2816?
CVE-2009-2816 is classified as a moderate severity vulnerability due to its potential impact on cross-origin resource sharing.
How do I fix CVE-2009-2816?
To mitigate CVE-2009-2816, update your browser or operating system to the latest version provided by the vendor.
Which versions are affected by CVE-2009-2816?
CVE-2009-2816 affects older versions of Apple Safari, Google Chrome, Apple iPhone OS, and specific releases of openSUSE and Fedora.
What types of applications are impacted by CVE-2009-2816?
CVE-2009-2816 primarily impacts web applications that utilize cross-origin resource sharing (CORS) features.
Can CVE-2009-2816 lead to data breaches?
Yes, CVE-2009-2816 can potentially expose sensitive data by allowing unauthorized access to resources from different origins.
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/references
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-2816
- agent/trending
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/apple
- canonical/istyle @cosme iphone os
- canonical/apple mobile safari
- vendor/google
- canonical/google chrome (trace event)
- vendor/opensuse
- canonical/suse linux
- version/suse linux/11.2
- version/suse linux/11.3
- vendor/fedoraproject
- canonical/fedora
- version/fedora/11
- version/fedora/12