{"api_version":"1","generated_at":"2026-04-25T02:27:59+00:00","cve":"CVE-2017-13866","urls":{"html":"https://cve.report/CVE-2017-13866","api":"https://cve.report/api/cve/CVE-2017-13866.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-13866","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-13866"},"summary":{"title":"CVE-2017-13866","description":"An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. The issue involves the \"WebKit\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.","state":"PUBLIC","assigner":"product-security@apple.com","published_at":"2017-12-25 21:29:00","updated_at":"2019-03-22 19:19:00"},"problem_types":["CWE-119"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/201801-09","name":"GLSA-201801-09","refsource":"GENTOO","tags":["Third Party Advisory"],"title":"WebkitGTK+: Multiple vulnerabilities (GLSA 201801-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1040013","name":"1040013","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Apple iTunes Client Certificate Privacy Flaw in Push Notification Service Component Lets Remote Users Obtain Potentially Sensitive Information - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://support.apple.com/HT208334","name":"https://support.apple.com/HT208334","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"About the security content of iOS 11.2 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://support.apple.com/HT208328","name":"https://support.apple.com/HT208328","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"About the security content of iCloud for Windows 7.2 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://support.apple.com/HT208326","name":"https://support.apple.com/HT208326","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"About the security content of iTunes 12.7.2 for Windows - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://support.apple.com/HT208324","name":"https://support.apple.com/HT208324","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"About the security content of Safari 11.0.2 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/102181","name":"102181","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"WebKit Multiple Memory Corruption Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://support.apple.com/HT208327","name":"https://support.apple.com/HT208327","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"About the security content of tvOS 11.2 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1040012","name":"1040012","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Apple Safari Multiple Memory Corruption Errors Lets Remote Users Execute Arbitrary Code - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-13866","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-13866","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"13866","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apple","cpe5":"icloud","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"13866","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apple","cpe5":"icloud","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"13866","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"iphone_os","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"13866","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"iphone_os","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"13866","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apple","cpe5":"itunes","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"13866","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apple","cpe5":"itunes","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"13866","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apple","cpe5":"safari","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"13866","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apple","cpe5":"safari","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"13866","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"tvos","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"13866","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"tvos","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"13866","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apple","cpe5":"webkit","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"13866","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apple","cpe5":"webkit","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"13866","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"13866","vulnerable":"0","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2017-13866","qid":"501279","title":"Alpine Linux Security Update for webkit2gtk"},{"cve":"CVE-2017-13866","qid":"505500","title":"Alpine Linux Security Update for webkit2gtk"},{"cve":"CVE-2017-13866","qid":"710302","title":"Gentoo Linux WebkitGTK+ Multiple Vulnerabilities (GLSA 201801-09)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"product-security@apple.com","ID":"CVE-2017-13866","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. The issue involves the \"WebKit\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"102181","refsource":"BID","url":"http://www.securityfocus.com/bid/102181"},{"name":"1040013","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1040013"},{"name":"https://support.apple.com/HT208327","refsource":"CONFIRM","url":"https://support.apple.com/HT208327"},{"name":"1040012","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1040012"},{"name":"https://support.apple.com/HT208334","refsource":"CONFIRM","url":"https://support.apple.com/HT208334"},{"name":"https://support.apple.com/HT208324","refsource":"CONFIRM","url":"https://support.apple.com/HT208324"},{"name":"https://support.apple.com/HT208326","refsource":"CONFIRM","url":"https://support.apple.com/HT208326"},{"name":"GLSA-201801-09","refsource":"GENTOO","url":"https://security.gentoo.org/glsa/201801-09"},{"name":"https://support.apple.com/HT208328","refsource":"CONFIRM","url":"https://support.apple.com/HT208328"}]}},"nvd":{"publishedDate":"2017-12-25 21:29:00","lastModifiedDate":"2019-03-22 19:19:00","problem_types":["CWE-119"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*","versionEndExcluding":"11.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*","versionEndExcluding":"11.0.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*","versionEndExcluding":"11.2","cpe_name":[]}]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apple:icloud:*:*:*:*:*:*:*:*","versionEndExcluding":"7.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*","versionEndExcluding":"12.7.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apple:webkit:-:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"13866","Ordinal":"111291","Title":"CVE-2017-13866","CVE":"CVE-2017-13866","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"13866","Ordinal":"1","NoteData":"An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. The issue involves the \"WebKit\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"13866","Ordinal":"2","NoteData":"2017-12-25","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"13866","Ordinal":"3","NoteData":"2018-01-08","Type":"Other","Title":"Modified"}]}}}