CVE-2017-13866
Summary
| CVE | CVE-2017-13866 |
|---|---|
| State | PUBLISHED |
| Assigner | apple |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-12-25 21:29:14 UTC |
| Updated | 2025-04-20 01:37:25 UTC |
| Description | An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. |
Risk And Classification
Primary CVSS: v3.0 8.8 HIGH from [email protected]
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.019800000 probability, percentile 0.837540000 (date 2026-05-14)
Problem Types: CWE-119 | n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Primary | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
CVSS v3.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
MediumAuthentication
NoneConfidentiality
PartialIntegrity
PartialAvailability
PartialAV:N/AC:M/Au:N/C:P/I:P/A:P
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apple | Icloud | All | All | All | All |
| Operating System | Apple | Iphone Os | All | All | All | All |
| Application | Apple | Itunes | All | All | All | All |
| Application | Apple | Safari | All | All | All | All |
| Operating System | Apple | Tvos | All | All | All | All |
| Application | Apple | Webkit | - | All | All | All |
| Operating System | Microsoft | Windows | - | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| WebkitGTK+: Multiple vulnerabilities (GLSA 201801-09) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | Third Party Advisory |
| WebKit Multiple Memory Corruption Vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| About the security content of iCloud for Windows 7.2 - Apple Support | af854a3a-2127-422b-91ae-364da2661108 | support.apple.com | Vendor Advisory |
| About the security content of iTunes 12.7.2 for Windows - Apple Support | af854a3a-2127-422b-91ae-364da2661108 | support.apple.com | Vendor Advisory |
| About the security content of iOS 11.2 - Apple Support | af854a3a-2127-422b-91ae-364da2661108 | support.apple.com | Vendor Advisory |
| About the security content of Safari 11.0.2 - Apple Support | af854a3a-2127-422b-91ae-364da2661108 | support.apple.com | Vendor Advisory |
| Apple iTunes Client Certificate Privacy Flaw in Push Notification Service Component Lets Remote Users Obtain Potentially Sensitive Information - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | Third Party Advisory, VDB Entry |
| About the security content of tvOS 11.2 - Apple Support | af854a3a-2127-422b-91ae-364da2661108 | support.apple.com | Vendor Advisory |
| Apple Safari Multiple Memory Corruption Errors Lets Remote Users Execute Arbitrary Code - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.