CVE-2011-3845 - Vulnerability Details - OpenCVE

Use-after-free vulnerability in Apple Safari 5.1.2, when a plug-in with a blocking function is installed, allows user-assisted remote attackers to execute arbitrary code via a crafted web page that is accessed during user interaction with the plug-in, leading to improper coordination between an API call and the plug-in unloading functionality, as demonstrated by the Adobe Flash and RealPlayer plug-ins.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Safari

Configuration 1 [-]

cpe:2.3:a:apple:safari:5.1.2:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://osvdb.org/79849
http://secunia.com/advisories/45758
http://www.securityfocus.com/bid/52325
https://exchange.xforce.ibmcloud.com/vulnerabilities/73713

History

No history.

MITRE

Status: PUBLISHED

Assigner: flexera

Published: 2012-03-08T02:00:00

Updated: 2024-08-06T23:46:03.256Z

Reserved: 2011-09-26T00:00:00

Link: CVE-2011-3845

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2012-03-08T04:15:02.650

Modified: 2025-04-11T00:51:21.963

Link: CVE-2011-3845

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-03-07T00:00:00", "descriptions": [{"lang": "en", "value": "Use-after-free vulnerability in Apple Safari 5.1.2, when a plug-in with a blocking function is installed, allows user-assisted remote attackers to execute arbitrary code via a crafted web page that is accessed during user interaction with the plug-in, leading to improper coordination between an API call and the plug-in unloading functionality, as demonstrated by the Adobe Flash and RealPlayer plug-ins."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T18:57:02", "orgId": "44d08088-2bea-4760-83a6-1e9be26b15ab", "shortName": "flexera"}, "references": [{"name": "safari-plugin-code-execution(73713)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73713"}, {"name": "45758", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/45758"}, {"name": "79849", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/79849"}, {"name": "52325", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/52325"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "PSIRT-CNA@flexerasoftware.com", "ID": "CVE-2011-3845", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Use-after-free vulnerability in Apple Safari 5.1.2, when a plug-in with a blocking function is installed, allows user-assisted remote attackers to execute arbitrary code via a crafted web page that is accessed during user interaction with the plug-in, leading to improper coordination between an API call and the plug-in unloading functionality, as demonstrated by the Adobe Flash and RealPlayer plug-ins."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "safari-plugin-code-execution(73713)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73713"}, {"name": "45758", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/45758"}, {"name": "79849", "refsource": "OSVDB", "url": "http://osvdb.org/79849"}, {"name": "52325", "refsource": "BID", "url": "http://www.securityfocus.com/bid/52325"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T23:46:03.256Z"}, "title": "CVE Program Container", "references": [{"name": "safari-plugin-code-execution(73713)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73713"}, {"name": "45758", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/45758"}, {"name": "79849", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/79849"}, {"name": "52325", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/52325"}]}]}, "cveMetadata": {"assignerOrgId": "44d08088-2bea-4760-83a6-1e9be26b15ab", "assignerShortName": "flexera", "cveId": "CVE-2011-3845", "datePublished": "2012-03-08T02:00:00", "dateReserved": "2011-09-26T00:00:00", "dateUpdated": "2024-08-06T23:46:03.256Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:safari:5.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "76C1EA50-BE9C-4A5D-8A5B-CCEDBD1548A5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use-after-free vulnerability in Apple Safari 5.1.2, when a plug-in with a blocking function is installed, allows user-assisted remote attackers to execute arbitrary code via a crafted web page that is accessed during user interaction with the plug-in, leading to improper coordination between an API call and the plug-in unloading functionality, as demonstrated by the Adobe Flash and RealPlayer plug-ins."}, {"lang": "es", "value": "Vulnerabilidad de error en la gesti\u00f3n de recursos (use-after-free) en Apple Safari v5.1.2, cuando un complemento con una funci\u00f3n de bloqueo est\u00e1 instalado, permite a atacantes remotos asistidos por el usuario ejecutar c\u00f3digo arbitrario a trav\u00e9s de una p\u00e1gina web modificada a la que se accede durante la interacci\u00f3n del usuario con complemento, lo que lleva a una inadecuada coordinaci\u00f3n entre una llamada a la API y la funcionalidad de descarga del complemento, como lo demuestran los complementos de Adobe Flash y RealPlayer."}], "id": "CVE-2011-3845", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2012-03-08T04:15:02.650", "references": [{"source": "PSIRT-CNA@flexerasoftware.com", "url": "http://osvdb.org/79849"}, {"source": "PSIRT-CNA@flexerasoftware.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/45758"}, {"source": "PSIRT-CNA@flexerasoftware.com", "url": "http://www.securityfocus.com/bid/52325"}, {"source": "PSIRT-CNA@flexerasoftware.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73713"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/79849"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/45758"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/52325"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73713"}], "sourceIdentifier": "PSIRT-CNA@flexerasoftware.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-399"}], "source": "nvd@nist.gov", "type": "Primary"}]}