CVE-2024-40794

Description

This issue was addressed through improved state management. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. Private Browsing tabs may be accessed without authentication.

CVSS Metrics

• v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.52%• Percentile: 67%

Techniques & Countermeasures

• CWE-287•Improper Authentication

  When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Systems

• apple•ios and ipados

  ≥ unspecified, < 17.6 | < 17.6

• apple•ipados

  < 17.6

• apple•iphone_os

  < 17.6

• apple•macos

  ≥ unspecified, < 14.6 | < 14.6

• apple•safari

  ≥ unspecified, < 17.6 | < 17.6

References (13)

• https://support.apple.com/en-us/HT214121
• https://support.apple.com/en-us/HT214117
• https://support.apple.com/en-us/HT214119
• http://seclists.org/fulldisclosure/2024/Jul/16
• http://seclists.org/fulldisclosure/2024/Jul/15
• http://seclists.org/fulldisclosure/2024/Jul/18
• https://lists.debian.org/debian-lts-announce/2024/09/msg00006.html
• https://support.apple.com/kb/HT214121
• https://support.apple.com/kb/HT214119
• https://support.apple.com/kb/HT214117
• https://support.apple.com/en-us/120909
• https://support.apple.com/en-us/120911
• https://support.apple.com/en-us/120913