PatchSiren cyber security CVE debrief

CVE-2017-2365 Apple CVE debrief

CVE-2017-2365 is a medium-severity WebKit information-disclosure issue affecting Apple platforms and related WebKit builds. A remote attacker can use a crafted website to bypass the Same Origin Policy and read sensitive information. The NVD record maps the issue to iOS before 10.2.1, Safari before 10.0.3, tvOS before 10.1.1, and WebKitGTK+ before 2.16.3.

Vendor: Apple
Product: WebKit (iOS, Safari, tvOS, WebKitGTK+)
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Security teams and administrators managing affected iPhone/iPad, Safari, and tvOS deployments should care most, especially where older versions remain in use. Users who browse untrusted sites on impacted devices are also at risk because the issue is triggered remotely through web content.

Technical summary

NVD rates the issue CVSS 3.0 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) and lists CWE-200. The core impact is confidentiality: a crafted website can cause WebKit to bypass same-origin protections and expose sensitive data. The official record and Apple advisories indicate fixes were released for the affected version ranges.

Defensive priority

Medium. Patch quickly if any affected Apple or WebKit versions remain deployed, because the flaw is remotely reachable and can leak data after user interaction with a malicious site.

Recommended defensive actions

  • Update iOS devices to 10.2.1 or later, Safari to 10.0.3 or later, tvOS to 10.1.1 or later, and WebKitGTK+ builds to 2.16.3 or later, or apply the equivalent vendor fixes listed in the Apple advisories.
  • Inventory legacy Apple and WebKit-based systems to confirm no vulnerable versions remain exposed to normal browsing.
  • Limit access to untrusted or high-risk websites on systems that cannot be updated immediately.
  • Review Apple security advisories and internal patch records to verify the remediation was applied across all managed fleets.
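The inventory and verification steps above can be automated against the fixed-version cutoffs the NVD record gives for this CVE. The following is an added example written for this debrief, not code from PatchSiren, Apple or NVD; the host names and installed versions in the sample inventory are constructed.

```python
# Added example: triage an asset inventory against the CVE-2017-2365
# fixed-version cutoffs taken from the NVD CPE mappings.
from typing import Dict, List, Tuple

# Minimum fixed version per product, as listed in the NVD record for CVE-2017-2365.
FIXED_VERSIONS: Dict[str, str] = {
    "ios": "10.2.1",
    "safari": "10.0.3",
    "tvos": "10.1.1",
    "webkitgtk": "2.16.3",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into an integer tuple so that 10.10 sorts above 10.2.
    Non-numeric suffixes in a component (e.g. "1b") are dropped; short versions
    are padded so "10.2" compares equal to "10.2.0"."""
    parts = []
    for token in v.strip().split("."):
        digits = "".join(ch for ch in token if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True if the installed version is below the fix for that product.
    Products without a cutoff in this record are reported as not affected."""
    fixed = FIXED_VERSIONS.get(product.lower().rstrip("+"))
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hosts still needing the patch. Rows are (host, product, version)."""
    return [host for host, product, version in inventory if is_vulnerable(product, version)]


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    ("ipad-lab-01", "iOS", "10.2"),          # below 10.2.1 -> patch
    ("ipad-lab-02", "iOS", "10.2.1"),        # at the fix -> ok
    ("mac-dev-07", "Safari", "10.0.3"),      # at the fix -> ok
    ("mac-dev-08", "Safari", "9.1.3"),       # below 10.0.3 -> patch
    ("appletv-lobby", "tvOS", "10.1"),       # below 10.1.1 -> patch
    ("kiosk-gtk-01", "WebKitGTK+", "2.16.3"),  # at the fix -> ok
    ("kiosk-gtk-02", "WebKitGTK+", "2.14.5"),  # below 2.16.3 -> patch
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host}")
```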

Evidence notes

This debrief is based on the official NVD record and the Apple vendor advisories listed in the source corpus. The NVD description states the flaw allows a remote attacker to bypass the Same Origin Policy and obtain sensitive information via a crafted website; the CPE mappings provide the affected version cutoffs. The record was published on 2017-02-20 and last modified on 2026-05-13.

Official resources

Publicly disclosed in the official NVD record on 2017-02-20. The NVD record was last modified on 2026-05-13; that modified date is not the vulnerability creation or release date.