VYPR
← All advisories
Unrated severityNVD Advisory· Published Mar 11, 2011· Updated Apr 29, 2026

CVE-2011-0160

CVE-2011-0160

Description

WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle redirects in conjunction with HTTP Basic Authentication, which might allow remote web servers to capture credentials by logging the Authorization HTTP header.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WebKit in Safari before 5.0.4 and iOS before 4.3 leaks HTTP Basic Authentication credentials via Authorization header when processing redirects.

Vulnerability

WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, fails to properly handle redirects in conjunction with HTTP Basic Authentication. When a user visits a site that redirects to a different origin, the Authorization HTTP header containing the user's credentials may be unintentionally forwarded to the redirect target. This affects all installations of Safari on Mac OS X and Windows prior to version 5.0.4, as well as iOS devices running versions earlier than iOS 4.3 [1].

Exploitation

The attacker must operate a malicious or compromised web server that initiates a redirect response (e.g., HTTP 301 or 302) to a different host under the attacker's control when a victim's browser requests a resource. The victim must have previously authenticated to the initial server via HTTP Basic Authentication, causing the browser to send the Authorization header with the credentials. No additional user interaction beyond visiting the attacker-controlled server is required; the redirect happens transparently, and the header is forwarded without proper validation of the destination origin.

Impact

Successful exploitation allows a remote web server to capture HTTP Basic Authentication credentials (typically a username and password) by logging the Authorization header that the browser sends during the redirected request. This results in credential disclosure, which can then be used by the attacker to impersonate the victim on the original server or any other server that accepts the same credentials.

Mitigation

Apple released Safari 5.0.4 on March 9, 2011, and iOS 4.3 on the same date, both including the fix for CVE-2011-0160. Users should update to Safari 5.0.4 or later, and iOS devices should update to iOS 4.3 or later via iTunes [1]. No workarounds are documented in the available references.

References
  1. About the security content of iOS 4.3 - Apple Support

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

97
  • Apple Inc./Safari65 versions
    cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*+ 64 more
    • cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*range: <=5.0.3
    • cpe:2.3:a:apple:safari:1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0.0b1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0.0b2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0.3:85.8:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0.3:85.8.1:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0:beta:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3.2:312.5:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3.2:312.6:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.3:417.8:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.3:417.9:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.3:417.9.2:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.3:417.9.3:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.0b:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.1b:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.2b:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.3b:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.4b:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.0b:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:5.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:5.0.2:*:*:*:*:*:*:*
    • (no CPE)range: <5.0.4
  • Apple Inc./Webkit
    cpe:2.3:a:apple:webkit:*:*:*:*:*:*:*:*
  • Apple Inc./Iphone Os30 versions
    cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*+ 29 more
    • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*range: <=4.2
    • cpe:2.3:o:apple:iphone_os:1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.1:*:*:*:*:*:*:*
  • Apple Inc./iOSllm-fuzzy
    Range: <4.3

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.