cvelistv5 - CVE-2014-1257

CVE-2014-1257 (GCVE-0-2014-1257)

Vulnerability from cvelistv5 – Published: 2014-02-27 01:00 – Updated: 2024-08-06 09:34

Summary

Severity ?

No CVSS data available.

CWE

Assigner

apple

References

URL

Tags

http://support.apple.com/kb/HT6150

x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:34:41.201Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://support.apple.com/kb/HT6150"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-02-25T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2014-02-27T00:57:00",
        "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
        "shortName": "apple"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://support.apple.com/kb/HT6150"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "product-security@apple.com",
          "ID": "CVE-2014-1257",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://support.apple.com/kb/HT6150",
              "refsource": "CONFIRM",
              "url": "http://support.apple.com/kb/HT6150"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
    "assignerShortName": "apple",
    "cveId": "CVE-2014-1257",
    "datePublished": "2014-02-27T01:00:00",
    "dateReserved": "2014-01-08T00:00:00",
    "dateUpdated": "2024-08-06T09:34:41.201Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:mac_os_x:*:supplemental_update:*:*:*:*:*:*\", \"versionEndIncluding\": \"10.8.5\", \"matchCriteriaId\": \"BA9ABDE2-A7F3-4D0B-9BBB-57F27AE14B1D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:mac_os_x:10.8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B2082D62-3821-4DBA-8690-67489F44C38D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:mac_os_x:10.8.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8F0DB1BC-DC16-423E-B0C7-8E9C996A50B5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:mac_os_x:10.8.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E59315BA-B9F1-46A5-86E7-8BE2ED97BA4F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:mac_os_x:10.8.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"55841123-F78F-42E0-8D40-C688C4B4D29C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:mac_os_x:10.8.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"252640D3-5CB8-4C3D-9E8B-ED452293C805\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:mac_os_x:10.8.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F3D30B4B-DA63-40B0-B0C9-F3992CF25706\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation.\"}, {\"lang\": \"es\", \"value\": \"CFNetwork en Apple OS X hasta 10.8.5 no elimina cookies de sesi\\u00f3n en una acci\\u00f3n de restablecimiento de Safari, lo que permite a atacantes f\\u00edsicamente pr\\u00f3ximos evadir restricciones de acceso mediante el aprovechamiento de una estaci\\u00f3n de trabajo desatendida.\"}]",
      "id": "CVE-2014-1257",
      "lastModified": "2024-11-21T02:03:56.377",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 3.6, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.9, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2014-02-27T01:55:03.897",
      "references": "[{\"url\": \"http://support.apple.com/kb/HT6150\", \"source\": \"product-security@apple.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://support.apple.com/kb/HT6150\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "product-security@apple.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-264\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2014-1257\",\"sourceIdentifier\":\"product-security@apple.com\",\"published\":\"2014-02-27T01:55:03.897\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation.\"},{\"lang\":\"es\",\"value\":\"CFNetwork en Apple OS X hasta 10.8.5 no elimina cookies de sesi\u00f3n en una acci\u00f3n de restablecimiento de Safari, lo que permite a atacantes f\u00edsicamente pr\u00f3ximos evadir restricciones de acceso mediante el aprovechamiento de una estaci\u00f3n de trabajo desatendida.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":3.6,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:*:supplemental_update:*:*:*:*:*:*\",\"versionEndIncluding\":\"10.8.5\",\"matchCriteriaId\":\"BA9ABDE2-A7F3-4D0B-9BBB-57F27AE14B1D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:10.8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2082D62-3821-4DBA-8690-67489F44C38D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:10.8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8F0DB1BC-DC16-423E-B0C7-8E9C996A50B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:10.8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E59315BA-B9F1-46A5-86E7-8BE2ED97BA4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:10.8.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"55841123-F78F-42E0-8D40-C688C4B4D29C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:10.8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"252640D3-5CB8-4C3D-9E8B-ED452293C805\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:10.8.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3D30B4B-DA63-40B0-B0C9-F3992CF25706\"}]}]}],\"references\":[{\"url\":\"http://support.apple.com/kb/HT6150\",\"source\":\"product-security@apple.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://support.apple.com/kb/HT6150\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

VAR-201402-0396

Vulnerability from variot - Updated: 2023-12-18 11:26

CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation. Apple Mac OS X is prone to multiple vulnerabilities. The update addresses new vulnerabilities that affect ATS, CFNetwork Cookies, CoreAnimation, CoreText, Date and Time, curl, QuickTime, QuickLook, Finder, and File Bookmark components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X versions prior to 10.9.2. These issues were addressed by updating Apache to version 2.2.26. CVE-ID CVE-2013-1862 CVE-2013-1896

App Sandbox Available for: OS X Mountain Lion v10.8.5 Impact: The App Sandbox may be bypassed Description: The LaunchServices interface for launching an application allowed sandboxed apps to specify the list of arguments passed to the new process. A compromised sandboxed application could abuse this to bypass the sandbox. This issue was addressed by preventing sandboxed applications from specifying arguments. CVE-ID CVE-2013-5179 : Friedrich Graeter of The Soulmen GbR

ATS Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution Description: A memory corruption issue existed in the handling of handling of Type 1 fonts. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-1254 : Felix Groebert of the Google Security Team

ATS Available for: OS X Mavericks 10.9 and 10.9.1 Impact: The App Sandbox may be bypassed Description: A memory corruption issue existed in the handling of Mach messages passed to ATS. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-1262 : Meder Kydyraliev of the Google Security Team

ATS Available for: OS X Mavericks 10.9 and 10.9.1 Impact: The App Sandbox may be bypassed Description: An arbitrary free issue existed in the handling of Mach messages passed to ATS. This issue was addressed through additional validation of Mach messages. CVE-ID CVE-2014-1255 : Meder Kydyraliev of the Google Security Team

ATS Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: The App Sandbox may be bypassed Description: A buffer overflow issue existed in the handling of Mach messages passed to ATS. This issue was addressed by additional bounds checking. CVE-ID CVE-2014-1256 : Meder Kydyraliev of the Google Security Team

Certificate Trust Policy Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Root certificates have been updated Description: The set of system root certificates has been updated. The complete list of recognized system roots may be viewed via the Keychain Access application.

CFNetwork Cookies Available for: OS X Mountain Lion v10.8.5 Impact: Session cookies may persist even after resetting Safari Description: Resetting Safari did not always delete session cookies until Safari was closed. This issue was addressed through improved handling of session cookies. CVE-ID CVE-2014-1257 : Rob Ansaldo of Amherst College, Graham Bennett

CoreAnimation Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Visiting a maliciously crafted site may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in CoreAnimation's handling of images. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-1258 : Karl Smith of NCC Group

CoreText Available for: OS X Mavericks 10.9 and 10.9.1 Impact: Applications that use CoreText may be vulnerable to an unexpected application termination or arbitrary code execution Description: A signedness issue existed in CoreText in the handling of Unicode fonts. This issue is addressed through improved bounds checking. CVE-ID CVE-2014-1261 : Lucas Apa and Carlos Mario Penagos of IOActive Labs

curl Available for: OS X Mavericks 10.9 and 10.9.1 Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information Description: When using curl to connect to an HTTPS URL containing an IP address, the IP address was not validated against the certificate. CVE-ID CVE-2014-1263 : Roland Moriz of Moriz GmbH

Data Security Available for: OS X Mavericks 10.9 and 10.9.1 Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps. CVE-ID CVE-2014-1266

Date and Time Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: An unprivileged user may change the system clock Description: This update changes the behavior of the systemsetup command to require administrator privileges to change the system clock. CVE-ID CVE-2014-1265

File Bookmark Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Viewing a file with a maliciously crafted name may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of file names. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-1259

Finder Available for: OS X Mavericks 10.9 and 10.9.1 Impact: Accessing a file's ACL via Finder may lead to other users gaining unauthorized access to files Description: Accessing a file's ACL via Finder may corrupt the ACLs on the file. This issue was addressed through improved handling of ACLs. CVE-ID CVE-2014-1264

ImageIO Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Viewing a maliciously crafted JPEG file may lead to the disclosure of memory contents Description: An uninitialized memory access issue existed in libjpeg's handling of JPEG markers, resulting in the disclosure of memory contents. This issue was addressed by better JPEG handling. CVE-ID CVE-2013-6629 : Michal Zalewski

IOSerialFamily Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5 Impact: Executing a malicious application may result in arbitrary code execution within the kernel Description: An out of bounds array access existed in the IOSerialFamily driver. This issue was addressed through additional bounds checking. CVE-ID CVE-2013-5139 : @dent1zt

LaunchServices Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5 Impact: A file could show the wrong extension Description: An issue existed in the handling of certain unicode characters that could allow filenames to show incorrect extensions. The issue was addressed by filtering unsafe unicode characters from display in filenames. CVE-ID CVE-2013-5178 : Jesse Ruderman of Mozilla Corporation, Stephane Sudre of Intego

NVIDIA Drivers Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Executing a malicious application could result in arbitrary code execution within the graphics card Description: An issue existed that allowed writes to some trusted memory on the graphics card. This issue was addressed by removing the ability of the host to write to that memory. CVE-ID CVE-2013-5986 : Marcin Kościelnicki from the X.Org Foundation Nouveau project CVE-2013-5987 : Marcin Kościelnicki from the X.Org Foundation Nouveau project

PHP Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Multiple vulnerabilities in PHP Description: Multiple vulnerabilities existed in PHP, the most serious of which may have led to arbitrary code execution. CVE-ID CVE-2013-4073 CVE-2013-4113 CVE-2013-4248 CVE-2013-6420

QuickLook Available for: OS X Mountain Lion v10.8.5 Impact: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in QuickLook's handling of Microsoft Office files. Downloading a maliciously crafted Microsoft Office file may have led to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2014-1260 : Felix Groebert of the Google Security Team

QuickLook Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Downloading a maliciously crafted Microsoft Word document may lead to an unexpected application termination or arbitrary code execution Description: A double free issue existed in QuickLook's handling of Microsoft Word documents. This issue was addressed through improved memory management. CVE-ID CVE-2014-1252 : Felix Groebert of the Google Security Team

QuickTime Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of 'ftab' atoms. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-1246 : An anonymous researcher working with HP's Zero Day Initiative

QuickTime Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of 'dref' atoms. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-1247 : Tom Gallagher & Paul Bates working with HP's Zero Day Initiative

QuickTime Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of 'ldat' atoms. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-1248 : Jason Kratzer working with iDefense VCP

QuickTime Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Viewing a maliciously crafted PSD image may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of PSD images. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-1249 : dragonltx of Tencent Security Team

QuickTime Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: An out of bounds byte swapping issue existed in the handling of 'ttfo' elements. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-1250 : Jason Kratzer working with iDefense VCP

QuickTime Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A signedness issue existed in the handling of 'stsz' atoms. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-1245 : Tom Gallagher & Paul Bates working with HP's Zero Day Initiative

Secure Transport Available for: OS X Mountain Lion v10.8.5 Impact: An attacker may be able to decrypt data protected by SSL Description: There were known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite used a block cipher in CBC mode. To address these issues for applications using Secure Transport, the 1-byte fragment mitigation was enabled by default for this configuration. CVE-ID CVE-2011-3389 : Juliano Rizzo and Thai Duong

OS X Mavericks v10.9.2 includes the content of Safari 7.0.2.

OS X Mavericks v10.9.2 and Security Update 2014-001 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIcBAEBAgAGBQJTDNeoAAoJEPefwLHPlZEwaRAP/3i/2qRvNv6JqmE9p48uEyXn mlxwXpMyop+vrgMmuiSP14EGSv06HO04PNUtaWPxm7tVYXu0tMtjDcYdIu40TAy6 U0T6QhRZC/uag1DCvdEOvqRUajKmmPtHTCJ6OsQGtGJHlEM+S5XgxRr7qgfkHMfb OlqFsgpdL/AAiYNfzItN2C+r2Lfwro6LDlxhikpASojlMFQrk8nJ6irRv617anSZ 3DwJW2iJxNfpVrgqA1Nrx1fkrPmeT/8jgGuEP6RaKiWIbfXjRG5BW9WuarMqmaP8 C6XoTaJaqEO9zb7F2uJR0HIYpJd065y/xiYNm91yDWIjdrO3wVgNVPGo1pHVyYsY Y7lcyHUVJortKF8SHquw0j3Ujeugu8iWp6ND/00/4dGvwb0jzrxPUxkEmJ43130O t2Obtxdsaa+ub8cZHDN93WB3FQR5hd+KaeXLJC55q0qYY8o8zqdPqXAlYAP2gUQX iB4Bs7NAh2CNJWNTtk2soTjZOwPvPLSPZ6I3w5i0HVP7HQl5K8chjihAwSeyezCZ q5gxCiK0lBW88AUd9n3L7ZOW2Rg53mh6+RiUL/VQ7TfidoP417VDKum300pZkgNv kBCklX9ya7QeLjOMnbnsTk32qG+TiDPgiGZ5IrK6C6T26dexJWbm8tuwPjy5r8mI aiYIh+SzR0rBdMZRgyzv =+DAJ -----END PGP SIGNATURE-----

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201402-0396",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.8.5"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.8.3"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.8.4"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.8.1"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.8.2"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.8.0"
      },
      {
        "model": "mac os x",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "apple",
        "version": "10.8.5"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "v10.8.5"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "slackware",
        "version": "13.37"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "slackware",
        "version": "13.1"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "slackware",
        "version": "13.0"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "65777"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001483"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-1257"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201402-448"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.8.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.8.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.8.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.8.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:*:supplemental_update:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "10.8.5",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.8.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-1257"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Roland Moriz of Moriz GmbH, Felix Groebert of the Google Security Team, Meder Kydyraliev of the Google Security Team,\nRob Ansaldo of Amherst College, Graham Bennett Karl Smith of NCC Group, Apple, Lucas Apa and Carlos Mario Penagos of IOActive Labs, Tom Ga",
    "sources": [
      {
        "db": "BID",
        "id": "65777"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2014-1257",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 3.6,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 3.9,
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "LOW",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Local",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 3.6,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2014-1257",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 3.6,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 3.9,
            "id": "VHN-69196",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "severity": "LOW",
            "trust": 0.1,
            "vectorString": "AV:L/AC:L/AU:N/C:P/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2014-1257",
            "trust": 1.8,
            "value": "LOW"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201402-448",
            "trust": 0.6,
            "value": "LOW"
          },
          {
            "author": "VULHUB",
            "id": "VHN-69196",
            "trust": 0.1,
            "value": "LOW"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-69196"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001483"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-1257"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201402-448"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation. Apple Mac OS X is prone to multiple vulnerabilities. \nThe update addresses new vulnerabilities that affect ATS, CFNetwork Cookies, CoreAnimation, CoreText, Date and Time, curl, QuickTime, QuickLook, Finder, and File Bookmark components. \nAttackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions. \nThese issues affect OS X versions prior to 10.9.2. These issues were\naddressed by updating Apache to version 2.2.26. \nCVE-ID\nCVE-2013-1862\nCVE-2013-1896\n\nApp Sandbox\nAvailable for:  OS X Mountain Lion v10.8.5\nImpact:  The App Sandbox may be bypassed\nDescription:  The LaunchServices interface for launching an\napplication allowed sandboxed apps to specify the list of arguments\npassed to the new process. A compromised sandboxed application could\nabuse this to bypass the sandbox. This issue was addressed by\npreventing sandboxed applications from specifying arguments. \nCVE-ID\nCVE-2013-5179 : Friedrich Graeter of The Soulmen GbR\n\nATS\nAvailable for:  OS X Mountain Lion v10.8.5,\nOS X Mavericks 10.9 and 10.9.1\nImpact:  Viewing or downloading a document containing a maliciously\ncrafted embedded font may lead to arbitrary code execution\nDescription:  A memory corruption issue existed in the handling of\nhandling of Type 1 fonts. This issue was addressed through improved\nbounds checking. \nCVE-ID\nCVE-2014-1254 : Felix Groebert of the Google Security Team\n\nATS\nAvailable for:  OS X Mavericks 10.9 and 10.9.1\nImpact:  The App Sandbox may be bypassed\nDescription:  A memory corruption issue existed in the handling of\nMach messages passed to ATS. This issue was addressed through\nimproved bounds checking. \nCVE-ID\nCVE-2014-1262 : Meder Kydyraliev of the Google Security Team\n\nATS\nAvailable for:  OS X Mavericks 10.9 and 10.9.1\nImpact:  The App Sandbox may be bypassed\nDescription:  An arbitrary free issue existed in the handling of Mach\nmessages passed to ATS. This issue was addressed through additional\nvalidation of Mach messages. \nCVE-ID\nCVE-2014-1255 : Meder Kydyraliev of the Google Security Team\n\nATS\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1\nImpact:  The App Sandbox may be bypassed\nDescription:  A buffer overflow issue existed in the handling of Mach\nmessages passed to ATS. This issue was addressed by additional bounds\nchecking. \nCVE-ID\nCVE-2014-1256 : Meder Kydyraliev of the Google Security Team\n\nCertificate Trust Policy\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1\nImpact:  Root certificates have been updated\nDescription:  The set of system root certificates has been updated. \nThe complete list of recognized system roots may be viewed via the\nKeychain Access application. \n\nCFNetwork Cookies\nAvailable for:  OS X Mountain Lion v10.8.5\nImpact:  Session cookies may persist even after resetting Safari\nDescription:  Resetting Safari did not always delete session cookies\nuntil Safari was closed. This issue was addressed through improved\nhandling of session cookies. \nCVE-ID\nCVE-2014-1257 : Rob Ansaldo of Amherst College, Graham Bennett\n\nCoreAnimation\nAvailable for:  OS X Mountain Lion v10.8.5,\nOS X Mavericks 10.9 and 10.9.1\nImpact:  Visiting a maliciously crafted site may lead to an\nunexpected application termination or arbitrary code execution\nDescription:  A heap buffer overflow existed in CoreAnimation\u0027s\nhandling of images. This issue was addressed through improved bounds\nchecking. \nCVE-ID\nCVE-2014-1258 : Karl Smith of NCC Group\n\nCoreText\nAvailable for:  OS X Mavericks 10.9 and 10.9.1\nImpact:  Applications that use CoreText may be vulnerable to an\nunexpected application termination or arbitrary code execution\nDescription:  A signedness issue existed in CoreText in the handling\nof Unicode fonts. This issue is addressed through improved bounds\nchecking. \nCVE-ID\nCVE-2014-1261 : Lucas Apa and Carlos Mario Penagos of IOActive Labs\n\ncurl\nAvailable for:  OS X Mavericks 10.9 and 10.9.1\nImpact:  An attacker with a privileged network position may intercept\nuser credentials or other sensitive information\nDescription:  When using curl to connect to an HTTPS URL containing\nan IP address, the IP address was not validated against the\ncertificate. \nCVE-ID\nCVE-2014-1263 : Roland Moriz of Moriz GmbH\n\nData Security\nAvailable for:  OS X Mavericks 10.9 and 10.9.1\nImpact:  An attacker with a privileged network position may capture\nor modify data in sessions protected by SSL/TLS\nDescription:  Secure Transport failed to validate the authenticity of\nthe connection. This issue was addressed by restoring missing\nvalidation steps. \nCVE-ID\nCVE-2014-1266\n\nDate and Time\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1\nImpact:  An unprivileged user may change the system clock\nDescription:  This update changes the behavior of the systemsetup\ncommand to require administrator privileges to change the system\nclock. \nCVE-ID\nCVE-2014-1265\n\nFile Bookmark\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1\nImpact:  Viewing a file with a maliciously crafted name may lead to\nan unexpected application termination or arbitrary code execution\nDescription:  A buffer overflow existed in the handling of file\nnames. This issue was addressed through improved bounds checking. \nCVE-ID\nCVE-2014-1259\n\nFinder\nAvailable for:  OS X Mavericks 10.9 and 10.9.1\nImpact:  Accessing a file\u0027s ACL via Finder may lead to other users\ngaining unauthorized access to files\nDescription:  Accessing a file\u0027s ACL via Finder may corrupt the ACLs\non the file. This issue was addressed through improved handling of\nACLs. \nCVE-ID\nCVE-2014-1264\n\nImageIO\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1\nImpact:  Viewing a maliciously crafted JPEG file may lead to the\ndisclosure of memory contents\nDescription:  An uninitialized memory access issue existed in\nlibjpeg\u0027s handling of JPEG markers, resulting in the disclosure of\nmemory contents. This issue was addressed by better JPEG handling. \nCVE-ID\nCVE-2013-6629 : Michal Zalewski\n\nIOSerialFamily\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5\nImpact:  Executing a malicious application may result in arbitrary\ncode execution within the kernel\nDescription:  An out of bounds array access existed in the\nIOSerialFamily driver. This issue was addressed through additional\nbounds checking. \nCVE-ID\nCVE-2013-5139 : @dent1zt\n\nLaunchServices\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5\nImpact:  A file could show the wrong extension\nDescription:  An issue existed in the handling of certain unicode\ncharacters that could allow filenames to show incorrect extensions. \nThe issue was addressed by filtering unsafe unicode characters from\ndisplay in filenames. \nCVE-ID\nCVE-2013-5178 : Jesse Ruderman of Mozilla Corporation, Stephane Sudre\nof Intego\n\nNVIDIA Drivers\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1\nImpact:  Executing a malicious application could result in arbitrary\ncode execution within the graphics card\nDescription:  An issue existed that allowed writes to some trusted\nmemory on the graphics card. This issue was addressed by removing the\nability of the host to write to that memory. \nCVE-ID\nCVE-2013-5986 : Marcin Ko\u015bcielnicki from the X.Org Foundation\nNouveau project\nCVE-2013-5987 : Marcin Ko\u015bcielnicki from the X.Org Foundation\nNouveau project\n\nPHP\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1\nImpact:  Multiple vulnerabilities in PHP\nDescription:  Multiple vulnerabilities existed in PHP, the most\nserious of which may have led to arbitrary code execution. \nCVE-ID\nCVE-2013-4073\nCVE-2013-4113\nCVE-2013-4248\nCVE-2013-6420\n\nQuickLook\nAvailable for:  OS X Mountain Lion v10.8.5\nImpact:  Downloading a maliciously crafted Microsoft Office file may\nlead to an unexpected application termination or arbitrary code\nexecution\nDescription:  A memory corruption issue existed in QuickLook\u0027s\nhandling of Microsoft Office files. Downloading a maliciously crafted\nMicrosoft Office file may have led to an unexpected application\ntermination or arbitrary code execution. \nCVE-ID\nCVE-2014-1260 : Felix Groebert of the Google Security Team\n\nQuickLook\nAvailable for:  OS X Mountain Lion v10.8.5,\nOS X Mavericks 10.9 and 10.9.1\nImpact:  Downloading a maliciously crafted Microsoft Word document\nmay lead to an unexpected application termination or arbitrary code\nexecution\nDescription:  A double free issue existed in QuickLook\u0027s handling of\nMicrosoft Word documents. This issue was addressed through improved\nmemory management. \nCVE-ID\nCVE-2014-1252 : Felix Groebert of the Google Security Team\n\nQuickTime\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1\nImpact:  Playing a maliciously crafted movie file may lead to an\nunexpected application termination or arbitrary code execution\nDescription:  A buffer overflow existed in the handling of \u0027ftab\u0027\natoms. This issue was addressed through improved bounds checking. \nCVE-ID\nCVE-2014-1246 : An anonymous researcher working with HP\u0027s Zero Day\nInitiative\n\nQuickTime\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1\nImpact:  Playing a maliciously crafted movie file may lead to an\nunexpected application termination or arbitrary code execution\nDescription:  A memory corruption issue existed in the handling of\n\u0027dref\u0027 atoms. This issue was addressed through improved bounds\nchecking. \nCVE-ID\nCVE-2014-1247 : Tom Gallagher \u0026 Paul Bates working with HP\u0027s Zero Day\nInitiative\n\nQuickTime\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1\nImpact:  Playing a maliciously crafted movie file may lead to an\nunexpected application termination or arbitrary code execution\nDescription:  A buffer overflow existed in the handling of \u0027ldat\u0027\natoms. This issue was addressed through improved bounds checking. \nCVE-ID\nCVE-2014-1248 : Jason Kratzer working with iDefense VCP\n\nQuickTime\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1\nImpact:  Viewing a maliciously crafted PSD image may lead to an\nunexpected application termination or arbitrary code execution\nDescription:  A buffer overflow existed in the handling of PSD\nimages. This issue was addressed through improved bounds checking. \nCVE-ID\nCVE-2014-1249 : dragonltx of Tencent Security Team\n\nQuickTime\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1\nImpact:  Playing a maliciously crafted movie file may lead to an\nunexpected application termination or arbitrary code execution\nDescription:  An out of bounds byte swapping issue existed in the\nhandling of \u0027ttfo\u0027 elements. This issue was addressed through\nimproved bounds checking. \nCVE-ID\nCVE-2014-1250 : Jason Kratzer working with iDefense VCP\n\nQuickTime\nAvailable for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,\nOS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1\nImpact:  Playing a maliciously crafted movie file may lead to an\nunexpected application termination or arbitrary code execution\nDescription:  A signedness issue existed in the handling of \u0027stsz\u0027\natoms. This issue was addressed through improved bounds checking. \nCVE-ID\nCVE-2014-1245 : Tom Gallagher \u0026 Paul Bates working with HP\u0027s Zero Day\nInitiative\n\nSecure Transport\nAvailable for:  OS X Mountain Lion v10.8.5\nImpact:  An attacker may be able to decrypt data protected by SSL\nDescription:  There were known attacks on the confidentiality of SSL\n3.0 and TLS 1.0 when a cipher suite used a block cipher in CBC mode. \nTo address these issues for applications using Secure Transport, the\n1-byte fragment mitigation was enabled by default for this\nconfiguration. \nCVE-ID\nCVE-2011-3389 : Juliano Rizzo and Thai Duong\n\nOS X Mavericks v10.9.2 includes the content of Safari 7.0.2. \n\nOS X Mavericks v10.9.2 and Security Update 2014-001 may be obtained from \nthe Mac App Store or Apple\u0027s Software Downloads web site:\nhttp://www.apple.com/support/downloads/\n\nInformation will also be posted to the Apple Security Updates\nweb site: http://support.apple.com/kb/HT1222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIcBAEBAgAGBQJTDNeoAAoJEPefwLHPlZEwaRAP/3i/2qRvNv6JqmE9p48uEyXn\nmlxwXpMyop+vrgMmuiSP14EGSv06HO04PNUtaWPxm7tVYXu0tMtjDcYdIu40TAy6\nU0T6QhRZC/uag1DCvdEOvqRUajKmmPtHTCJ6OsQGtGJHlEM+S5XgxRr7qgfkHMfb\nOlqFsgpdL/AAiYNfzItN2C+r2Lfwro6LDlxhikpASojlMFQrk8nJ6irRv617anSZ\n3DwJW2iJxNfpVrgqA1Nrx1fkrPmeT/8jgGuEP6RaKiWIbfXjRG5BW9WuarMqmaP8\nC6XoTaJaqEO9zb7F2uJR0HIYpJd065y/xiYNm91yDWIjdrO3wVgNVPGo1pHVyYsY\nY7lcyHUVJortKF8SHquw0j3Ujeugu8iWp6ND/00/4dGvwb0jzrxPUxkEmJ43130O\nt2Obtxdsaa+ub8cZHDN93WB3FQR5hd+KaeXLJC55q0qYY8o8zqdPqXAlYAP2gUQX\niB4Bs7NAh2CNJWNTtk2soTjZOwPvPLSPZ6I3w5i0HVP7HQl5K8chjihAwSeyezCZ\nq5gxCiK0lBW88AUd9n3L7ZOW2Rg53mh6+RiUL/VQ7TfidoP417VDKum300pZkgNv\nkBCklX9ya7QeLjOMnbnsTk32qG+TiDPgiGZ5IrK6C6T26dexJWbm8tuwPjy5r8mI\naiYIh+SzR0rBdMZRgyzv\n=+DAJ\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-1257"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001483"
      },
      {
        "db": "BID",
        "id": "65777"
      },
      {
        "db": "VULHUB",
        "id": "VHN-69196"
      },
      {
        "db": "PACKETSTORM",
        "id": "125427"
      }
    ],
    "trust": 2.07
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2014-1257",
        "trust": 2.9
      },
      {
        "db": "JVN",
        "id": "JVNVU95868425",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001483",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201402-448",
        "trust": 0.7
      },
      {
        "db": "BID",
        "id": "65777",
        "trust": 0.3
      },
      {
        "db": "VULHUB",
        "id": "VHN-69196",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "125427",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-69196"
      },
      {
        "db": "BID",
        "id": "65777"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001483"
      },
      {
        "db": "PACKETSTORM",
        "id": "125427"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-1257"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201402-448"
      }
    ]
  },
  "id": "VAR-201402-0396",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-69196"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T11:26:08.391000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "APPLE-SA-2014-02-25-1",
        "trust": 0.8,
        "url": "http://lists.apple.com/archives/security-announce/2014/feb/msg00000.html"
      },
      {
        "title": "HT6150",
        "trust": 0.8,
        "url": "http://support.apple.com/kb/ht6150"
      },
      {
        "title": "HT6150",
        "trust": 0.8,
        "url": "http://support.apple.com/kb/ht6150?viewlocale=ja_jp"
      },
      {
        "title": "OSXUpd10.9.2",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=48288"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001483"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201402-448"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-264",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-69196"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001483"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-1257"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "http://support.apple.com/kb/ht6150"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1257"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/vu/jvnvu95868425/"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1257"
      },
      {
        "trust": 0.3,
        "url": "http://www.apple.com/macosx/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1255"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-6629"
      },
      {
        "trust": 0.1,
        "url": "http://support.apple.com/kb/ht1222"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-5179"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1250"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1245"
      },
      {
        "trust": 0.1,
        "url": "http://www.apple.com/support/downloads/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1259"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-5987"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1254"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1256"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1258"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1249"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1248"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-6420"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1247"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2011-3389"
      },
      {
        "trust": 0.1,
        "url": "https://www.apple.com/support/security/pgp/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-4073"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-5178"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-5139"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1261"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-1896"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1260"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1246"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-1862"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1257"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-5986"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-4248"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-4113"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1252"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-69196"
      },
      {
        "db": "BID",
        "id": "65777"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001483"
      },
      {
        "db": "PACKETSTORM",
        "id": "125427"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-1257"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201402-448"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-69196"
      },
      {
        "db": "BID",
        "id": "65777"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001483"
      },
      {
        "db": "PACKETSTORM",
        "id": "125427"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-1257"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201402-448"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-02-27T00:00:00",
        "db": "VULHUB",
        "id": "VHN-69196"
      },
      {
        "date": "2014-02-25T00:00:00",
        "db": "BID",
        "id": "65777"
      },
      {
        "date": "2014-02-28T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-001483"
      },
      {
        "date": "2014-02-26T22:21:07",
        "db": "PACKETSTORM",
        "id": "125427"
      },
      {
        "date": "2014-02-27T01:55:03.897000",
        "db": "NVD",
        "id": "CVE-2014-1257"
      },
      {
        "date": "2014-02-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201402-448"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-02-27T00:00:00",
        "db": "VULHUB",
        "id": "VHN-69196"
      },
      {
        "date": "2014-04-17T00:49:00",
        "db": "BID",
        "id": "65777"
      },
      {
        "date": "2014-02-28T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-001483"
      },
      {
        "date": "2014-02-27T13:55:11.227000",
        "db": "NVD",
        "id": "CVE-2014-1257"
      },
      {
        "date": "2014-06-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201402-448"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201402-448"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apple Mac OS X of  CFNetwork Vulnerable to access restrictions",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001483"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "permissions and access control",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201402-448"
      }
    ],
    "trust": 0.6
  }
}

FKIE_CVE-2014-1257

Vulnerability from fkie_nvd - Published: 2014-02-27 01:55 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

	URL	Tags
	product-security@apple.com	http://support.apple.com/kb/HT6150	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	http://support.apple.com/kb/HT6150	Vendor Advisory

Impacted products

Vendor	Product	Version
apple	mac_os_x	*
apple	mac_os_x	10.8.0
apple	mac_os_x	10.8.1
apple	mac_os_x	10.8.2
apple	mac_os_x	10.8.3
apple	mac_os_x	10.8.4
apple	mac_os_x	10.8.5

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:*:supplemental_update:*:*:*:*:*:*",
              "matchCriteriaId": "BA9ABDE2-A7F3-4D0B-9BBB-57F27AE14B1D",
              "versionEndIncluding": "10.8.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B2082D62-3821-4DBA-8690-67489F44C38D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "8F0DB1BC-DC16-423E-B0C7-8E9C996A50B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E59315BA-B9F1-46A5-86E7-8BE2ED97BA4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.8.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "55841123-F78F-42E0-8D40-C688C4B4D29C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.8.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "252640D3-5CB8-4C3D-9E8B-ED452293C805",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.8.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3D30B4B-DA63-40B0-B0C9-F3992CF25706",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation."
    },
    {
      "lang": "es",
      "value": "CFNetwork en Apple OS X hasta 10.8.5 no elimina cookies de sesi\u00f3n en una acci\u00f3n de restablecimiento de Safari, lo que permite a atacantes f\u00edsicamente pr\u00f3ximos evadir restricciones de acceso mediante el aprovechamiento de una estaci\u00f3n de trabajo desatendida."
    }
  ],
  "id": "CVE-2014-1257",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 3.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-02-27T01:55:03.897",
  "references": [
    {
      "source": "product-security@apple.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://support.apple.com/kb/HT6150"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://support.apple.com/kb/HT6150"
    }
  ],
  "sourceIdentifier": "product-security@apple.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CERTFR-2014-AVI-095

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été corrigées dans Apple OS X Maverick. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Apple	N/A	Apple OS X Mountain Lion versions antérieures à 10.8.5
Apple	N/A	Apple OS X Lion Server versions antérieures à 10.7.5
Apple	N/A	Apple OS X Mavericks versions antérieures à 10.9.2
Apple	N/A	Apple OS X Lion versions antérieures à 10.7.5

References

Title

Publication Time

Tags

Bulletin de sécurité Apple HT6150 du 25 février 2014

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Apple OS X Mountain Lion versions ant\u00e9rieures \u00e0 10.8.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Apple OS X Lion Server versions ant\u00e9rieures \u00e0 10.7.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Apple OS X Mavericks versions ant\u00e9rieures \u00e0 10.9.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Apple OS X Lion versions ant\u00e9rieures \u00e0 10.7.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2014-1256",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1256"
    },
    {
      "name": "CVE-2013-4073",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-4073"
    },
    {
      "name": "CVE-2014-1263",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1263"
    },
    {
      "name": "CVE-2014-1252",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1252"
    },
    {
      "name": "CVE-2014-1258",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1258"
    },
    {
      "name": "CVE-2013-6420",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-6420"
    },
    {
      "name": "CVE-2014-1264",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1264"
    },
    {
      "name": "CVE-2014-1261",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1261"
    },
    {
      "name": "CVE-2013-5986",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-5986"
    },
    {
      "name": "CVE-2014-1266",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1266"
    },
    {
      "name": "CVE-2014-1255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1255"
    },
    {
      "name": "CVE-2014-1246",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1246"
    },
    {
      "name": "CVE-2014-1245",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1245"
    },
    {
      "name": "CVE-2013-4248",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-4248"
    },
    {
      "name": "CVE-2013-6629",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-6629"
    },
    {
      "name": "CVE-2014-1254",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1254"
    },
    {
      "name": "CVE-2013-5987",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-5987"
    },
    {
      "name": "CVE-2013-1862",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-1862"
    },
    {
      "name": "CVE-2013-5139",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-5139"
    },
    {
      "name": "CVE-2014-1259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1259"
    },
    {
      "name": "CVE-2014-1250",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1250"
    },
    {
      "name": "CVE-2013-4113",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-4113"
    },
    {
      "name": "CVE-2014-1265",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1265"
    },
    {
      "name": "CVE-2014-1247",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1247"
    },
    {
      "name": "CVE-2014-1260",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1260"
    },
    {
      "name": "CVE-2014-1262",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1262"
    },
    {
      "name": "CVE-2014-1249",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1249"
    },
    {
      "name": "CVE-2013-5179",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-5179"
    },
    {
      "name": "CVE-2013-1896",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-1896"
    },
    {
      "name": "CVE-2014-1248",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1248"
    },
    {
      "name": "CVE-2011-3389",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-3389"
    },
    {
      "name": "CVE-2014-1257",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1257"
    },
    {
      "name": "CVE-2013-5178",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-5178"
    }
  ],
  "links": [],
  "reference": "CERTFR-2014-AVI-095",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2014-02-28T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eApple OS X Maverick\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire,\nun contournement de la politique de s\u00e9curit\u00e9 et une atteinte \u00e0\nl\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple OS X",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT6150 du 25 f\u00e9vrier 2014",
      "url": "http://support.apple.com/kb/HT6150"
    }
  ]
}

CERTFR-2014-AVI-095

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Apple	N/A	Apple OS X Mountain Lion versions antérieures à 10.8.5
Apple	N/A	Apple OS X Lion Server versions antérieures à 10.7.5
Apple	N/A	Apple OS X Mavericks versions antérieures à 10.9.2
Apple	N/A	Apple OS X Lion versions antérieures à 10.7.5

References

Title

Publication Time

Tags

Bulletin de sécurité Apple HT6150 du 25 février 2014

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Apple OS X Mountain Lion versions ant\u00e9rieures \u00e0 10.8.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Apple OS X Lion Server versions ant\u00e9rieures \u00e0 10.7.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Apple OS X Mavericks versions ant\u00e9rieures \u00e0 10.9.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Apple OS X Lion versions ant\u00e9rieures \u00e0 10.7.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2014-1256",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1256"
    },
    {
      "name": "CVE-2013-4073",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-4073"
    },
    {
      "name": "CVE-2014-1263",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1263"
    },
    {
      "name": "CVE-2014-1252",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1252"
    },
    {
      "name": "CVE-2014-1258",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1258"
    },
    {
      "name": "CVE-2013-6420",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-6420"
    },
    {
      "name": "CVE-2014-1264",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1264"
    },
    {
      "name": "CVE-2014-1261",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1261"
    },
    {
      "name": "CVE-2013-5986",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-5986"
    },
    {
      "name": "CVE-2014-1266",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1266"
    },
    {
      "name": "CVE-2014-1255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1255"
    },
    {
      "name": "CVE-2014-1246",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1246"
    },
    {
      "name": "CVE-2014-1245",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1245"
    },
    {
      "name": "CVE-2013-4248",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-4248"
    },
    {
      "name": "CVE-2013-6629",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-6629"
    },
    {
      "name": "CVE-2014-1254",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1254"
    },
    {
      "name": "CVE-2013-5987",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-5987"
    },
    {
      "name": "CVE-2013-1862",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-1862"
    },
    {
      "name": "CVE-2013-5139",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-5139"
    },
    {
      "name": "CVE-2014-1259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1259"
    },
    {
      "name": "CVE-2014-1250",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1250"
    },
    {
      "name": "CVE-2013-4113",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-4113"
    },
    {
      "name": "CVE-2014-1265",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1265"
    },
    {
      "name": "CVE-2014-1247",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1247"
    },
    {
      "name": "CVE-2014-1260",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1260"
    },
    {
      "name": "CVE-2014-1262",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1262"
    },
    {
      "name": "CVE-2014-1249",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1249"
    },
    {
      "name": "CVE-2013-5179",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-5179"
    },
    {
      "name": "CVE-2013-1896",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-1896"
    },
    {
      "name": "CVE-2014-1248",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1248"
    },
    {
      "name": "CVE-2011-3389",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-3389"
    },
    {
      "name": "CVE-2014-1257",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-1257"
    },
    {
      "name": "CVE-2013-5178",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-5178"
    }
  ],
  "links": [],
  "reference": "CERTFR-2014-AVI-095",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2014-02-28T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eApple OS X Maverick\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire,\nun contournement de la politique de s\u00e9curit\u00e9 et une atteinte \u00e0\nl\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple OS X",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT6150 du 25 f\u00e9vrier 2014",
      "url": "http://support.apple.com/kb/HT6150"
    }
  ]
}

GHSA-MQ52-FMCW-7CF7

Vulnerability from github – Published: 2022-05-17 04:51 – Updated: 2022-05-17 04:51

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2014-1257"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-02-27T01:55:00Z",
    "severity": "LOW"
  },
  "details": "CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation.",
  "id": "GHSA-mq52-fmcw-7cf7",
  "modified": "2022-05-17T04:51:39Z",
  "published": "2022-05-17T04:51:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1257"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT6150"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2014-1257

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2014-1257

Aliases

CVE-2014-1257

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-1257",
    "description": "CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation.",
    "id": "GSD-2014-1257"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-1257"
      ],
      "details": "CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation.",
      "id": "GSD-2014-1257",
      "modified": "2023-12-13T01:22:51.133852Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "product-security@apple.com",
        "ID": "CVE-2014-1257",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://support.apple.com/kb/HT6150",
            "refsource": "CONFIRM",
            "url": "http://support.apple.com/kb/HT6150"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.8.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.8.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.8.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.8.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:*:supplemental_update:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "10.8.5",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.8.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "product-security@apple.com",
          "ID": "CVE-2014-1257"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-264"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://support.apple.com/kb/HT6150",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://support.apple.com/kb/HT6150"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 3.6,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2014-02-27T13:55Z",
      "publishedDate": "2014-02-27T01:55Z"
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2014-1257 (GCVE-0-2014-1257)

VAR-201402-0396

FKIE_CVE-2014-1257

CERTFR-2014-AVI-095

Solution

CERTFR-2014-AVI-095

Solution

GHSA-MQ52-FMCW-7CF7

GSD-2014-1257

Tags

Sightings

Nomenclature