Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2018-4295 (GCVE-0-2018-4295)
Vulnerability from cvelistv5
- A remote attacker may be able to attack AFP servers through HTTP clients
| URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:11:22.389Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT209193"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT209139"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "macOS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions prior to: macOS Mojave 10.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An input validation issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "A remote attacker may be able to attack AFP servers through HTTP clients",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-03T17:43:14",
"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
"shortName": "apple"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.apple.com/kb/HT209193"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.apple.com/kb/HT209139"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "product-security@apple.com",
"ID": "CVE-2018-4295",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "macOS",
"version": {
"version_data": [
{
"version_value": "Versions prior to: macOS Mojave 10.14"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An input validation issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "A remote attacker may be able to attack AFP servers through HTTP clients"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.apple.com/kb/HT209193",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209193"
},
{
"name": "https://support.apple.com/kb/HT209139",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209139"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
"assignerShortName": "apple",
"cveId": "CVE-2018-4295",
"datePublished": "2019-04-03T17:43:14",
"dateReserved": "2018-01-02T00:00:00",
"dateUpdated": "2024-08-05T05:11:22.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2018-4295\",\"sourceIdentifier\":\"product-security@apple.com\",\"published\":\"2019-04-03T18:29:05.860\",\"lastModified\":\"2024-11-21T04:07:08.613\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An input validation issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14.\"},{\"lang\":\"es\",\"value\":\"Un problema de validaci\u00f3n de entradas se abord\u00f3 con una validaci\u00f3n de entradas mejorada. Este problema afectaba a macOS Mojave en versiones anteriores a la 10.14.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"10.14\",\"matchCriteriaId\":\"1E2491B4-5132-44CF-AB9A-FAC1926FE66E\"}]}]}],\"references\":[{\"url\":\"https://support.apple.com/kb/HT209139\",\"source\":\"product-security@apple.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209193\",\"source\":\"product-security@apple.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209139\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209193\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
var-201904-1361
Vulnerability from variot
An input validation issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14. Apple Has released an update for each product.The expected impact depends on each vulnerability, but can be affected as follows: Detail is Apple See the information provided by. * HTTP Through the client AFP Server attack * Arbitrary code execution * information leak * Buffer overflow * Privilege escalation * Service operation interruption (DoS) * File system tampering * UI Spoofing * Limit avoidance * Cross-site scripting * Address bar impersonation. macOS Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apple macOS Mojave is a set of dedicated operating systems developed by Apple for Mac computers. afpserver is one of the Apple Archive Protocol server components. An input validation error vulnerability exists in the afpserver component of Apple macOS Mojave prior to 10.14. Remote attackers can exploit this vulnerability to attack the AFP server through the HTTP client. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
APPLE-SA-2018-10-30-2 macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, Security Update 2018-005 Sierra
macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, and Security Update 2018-005 Sierra are now available and address the following:
afpserver Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A remote attacker may be able to attack AFP servers through HTTP clients Description: An input validation issue was addressed with improved input validation. CVE-2018-4295: Jianjun Chen (@whucjj) from Tsinghua University and UC Berkeley
AppleGraphicsControl Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4410: an anonymous researcher working with Trend Micro's Zero Day Initiative
AppleGraphicsControl Available for: macOS High Sierra 10.13.6 Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4417: Lee of the Information Security Lab Yonsei University working with Trend Micro's Zero Day Initiative
APR Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: Multiple buffer overflow issues existed in Perl Description: Multiple issues in Perl were addressed with improved memory handling. CVE-2017-12613: Craig Young of Tripwire VERT CVE-2017-12618: Craig Young of Tripwire VERT
ATS Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A malicious application may be able to elevate privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4411: lilang wu moony Li of Trend Micro working with Trend Micro's Zero Day Initiative
ATS Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2018-4308: Mohamed Ghannam (@_simo36)
CFNetwork Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4126: Bruno Keith (@bkth_) working with Trend Micro's Zero Day Initiative
CoreAnimation Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4415: Liang Zhuo working with Beyond Security's SecuriTeam Secure Disclosure
CoreCrypto Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An attacker may be able to exploit a weakness in the Miller-Rabin primality test to incorrectly identify prime numbers Description: An issue existed in the method for determining prime numbers. This issue was addressed by using pseudorandom bases for testing of primes. CVE-2018-4398: Martin Albrecht, Jake Massimo and Kenny Paterson of Royal Holloway, University of London, and Juraj Somorovsky of Ruhr University, Bochum
CoreFoundation Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A malicious application may be able to elevate privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4412: The UK's National Cyber Security Centre (NCSC)
CUPS Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: In certain configurations, a remote attacker may be able to replace the message content from the print server with arbitrary content Description: An injection issue was addressed with improved validation. CVE-2018-4153: Michael Hanselmann of hansmi.ch
CUPS Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An attacker in a privileged position may be able to perform a denial of service attack Description: A denial of service issue was addressed with improved validation. CVE-2018-4406: Michael Hanselmann of hansmi.ch
Dictionary Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: Parsing a maliciously crafted dictionary file may lead to disclosure of user information Description: A validation issue existed which allowed local file access. CVE-2018-4346: Wojciech ReguAa (@_r3ggi) of SecuRing
Dock Available for: macOS Mojave 10.14 Impact: A malicious application may be able to access restricted files Description: This issue was addressed by removing additional entitlements. CVE-2018-4403: Patrick Wardle of Digita Security
dyld Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: A malicious application may be able to elevate privileges Description: A logic issue was addressed with improved validation. CVE-2018-4423: an anonymous researcher
EFI Available for: macOS High Sierra 10.13.6 Impact: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis Description: An information disclosure issue was addressed with a microcode update. This ensures that older data read from recently-written-to addresses cannot be read via a speculative side-channel. CVE-2018-3639: Jann Horn (@tehjh) of Google Project Zero (GPZ), Ken Johnson of the Microsoft Security Response Center (MSRC)
EFI Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: A local user may be able to modify protected parts of the file system Description: A configuration issue was addressed with additional restrictions. CVE-2018-4342: Timothy Perfitt of Twocanoes Software
Foundation Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: Processing a maliciously crafted text file may lead to a denial of service Description: A denial of service issue was addressed with improved validation. CVE-2018-4304: jianan.huang (@Sevck)
Grand Central Dispatch Available for: macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4426: Brandon Azad
Heimdal Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4331: Brandon Azad
Hypervisor Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis Description: An information disclosure issue was addressed by flushing the L1 data cache at the virtual machine entry. CVE-2018-3646: Baris Kasikci, Daniel Genkin, Ofir Weisse, and Thomas F. Wenisch of University of Michigan, Mark Silberstein and Marina Minkin of Technion, Raoul Strackx, Jo Van Bulck, and Frank Piessens of KU Leuven, Rodrigo Branco, Henrique Kawakami, Ke Sun, and Kekai Hu of Intel Corporation, Yuval Yarom of The University of Adelaide
Hypervisor Available for: macOS Sierra 10.12.6 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption vulnerability was addressed with improved locking. CVE-2018-4242: Zhuo Liang of Qihoo 360 Nirvan Team
ICU Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Processing a maliciously crafted string may lead to heap corruption Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4394: an anonymous researcher
Intel Graphics Driver Available for: macOS Sierra 10.12.6 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4334: Ian Beer of Google Project Zero
Intel Graphics Driver Available for: macOS High Sierra 10.13.6 Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4396: Yu Wang of Didi Research America CVE-2018-4418: Yu Wang of Didi Research America
Intel Graphics Driver Available for: macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4350: Yu Wang of Didi Research America
IOGraphics Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4422: an anonymous researcher working with Trend Micro's Zero Day Initiative
IOHIDFamily Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved input validation CVE-2018-4408: Ian Beer of Google Project Zero
IOKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4402: Proteas of Qihoo 360 Nirvan Team
IOKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A malicious application may be able to break out of its sandbox Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4341: Ian Beer of Google Project Zero CVE-2018-4354: Ian Beer of Google Project Zero
IOUserEthernet Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4401: Apple
IPSec Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to gain elevated privileges Description: An out-of-bounds read was addressed with improved input validation. CVE-2018-4371: Tim Michaud (@TimGMichaud) of Leviathan Security Group
Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed by removing the vulnerable code. CVE-2018-4420: Mohamed Ghannam (@_simo36)
Kernel Available for: macOS High Sierra 10.13.6 Impact: A malicious application may be able to leak sensitive user information Description: An access issue existed with privileged API calls. CVE-2018-4399: Fabiano Anemone (@anoane)
Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4340: Mohamed Ghannam (@_simo36) CVE-2018-4419: Mohamed Ghannam (@_simo36) CVE-2018-4425: cc working with Trend Micro's Zero Day Initiative, Juwei Lin (@panicaII) of Trend Micro working with Trend Micro's Zero Day Initiative
Kernel Available for: macOS Sierra 10.12.6 Impact: Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4259: Kevin Backhouse of Semmle and LGTM.com CVE-2018-4286: Kevin Backhouse of Semmle and LGTM.com CVE-2018-4287: Kevin Backhouse of Semmle and LGTM.com CVE-2018-4288: Kevin Backhouse of Semmle and LGTM.com CVE-2018-4291: Kevin Backhouse of Semmle and LGTM.com
Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to read restricted memory Description: A memory initialization issue was addressed with improved memory handling. CVE-2018-4413: Juwei Lin (@panicaII) of TrendMicro Mobile Security Team
Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An attacker in a privileged network position may be able to execute arbitrary code Description: A memory corruption issue was addressed with improved validation. CVE-2018-4407: Kevin Backhouse of Semmle Ltd.
Kernel Available for: macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A buffer overflow was addressed with improved size validation. CVE-2018-4424: Dr. Silvio Cesare of InfoSect
Login Window Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A local user may be able to cause a denial of service Description: A validation issue was addressed with improved logic. CVE-2018-4348: Ken Gannon of MWR InfoSecurity and Christian Demko of MWR InfoSecurity
Mail Available for: macOS Mojave 10.14 Impact: Processing a maliciously crafted mail message may lead to UI spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2018-4389: Dropbox Offensive Security Team, Theodor Ragnar Gislason of Syndis
mDNSOffloadUserClient Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4326: an anonymous researcher working with Trend Micro's Zero Day Initiative, Zhuo Liang of Qihoo 360 Nirvan Team
MediaRemote Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: An access issue was addressed with additional sandbox restrictions. CVE-2018-4310: CodeColorist of Ant-Financial LightYear Labs
Microcode Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis Description: An information disclosure issue was addressed with a microcode update. This ensures that implementation specific system registers cannot be leaked via a speculative execution side-channel. CVE-2018-3640: Innokentiy Sennovskiy from BiZone LLC (bi.zone), Zdenek Sojka, Rudolf Marek and Alex Zuepke from SYSGO AG (sysgo.com)
NetworkExtension Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Connecting to a VPN server may leak DNS queries to a DNS proxy Description: A logic issue was addressed with improved state management. CVE-2018-4369: an anonymous researcher
Perl Available for: macOS Sierra 10.12.6 Impact: Multiple buffer overflow issues existed in Perl Description: Multiple issues in Perl were addressed with improved memory handling. CVE-2018-6797: Brian Carpenter
Ruby Available for: macOS Sierra 10.12.6 Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: Multiple issues in Ruby were addressed in this update. CVE-2017-898 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064 CVE-2017-17405 CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780
Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Processing a maliciously crafted S/MIME signed message may lead to a denial of service Description: A validation issue was addressed with improved logic. CVE-2018-4400: Yukinobu Nagayasu of LAC Co., Ltd.
Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A local user may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2018-4395: Patrick Wardle of Digita Security
Spotlight Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4393: Lufeng Li
Symptom Framework Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2018-4203: Bruno Keith (@bkth_) working with Trend Micro's Zero Day Initiative
WiFi Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An attacker in a privileged position may be able to perform a denial of service attack Description: A denial of service issue was addressed with improved validation. CVE-2018-4368: Milan Stute and Alex Mariotto of Secure Mobile Networking Lab at Technische UniversitA$?t Darmstadt
Additional recognition
Calendar We would like to acknowledge an anonymous researcher for their assistance.
iBooks We would like to acknowledge Sem VoigtlA$?nder of Fontys Hogeschool ICT for their assistance.
Kernel We would like to acknowledge Brandon Azad for their assistance.
LaunchServices We would like to acknowledge Alok Menghrajani of Square for their assistance.
Quick Look We would like to acknowledge lokihardt of Google Project Zero for their assistance.
Security We would like to acknowledge Marinos Bernitsas of Parachute for their assistance.
Terminal We would like to acknowledge an anonymous researcher for their assistance.
Installation note:
macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, and Security Update 2018-005 Sierra may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE-----
iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlvYkgYpHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3EcGQ// QbUbTOZRgxcStGZjs+qdXjeaXI6i1MKaky7o/iYCXf87crFu79PCsXyPU1jeMvoS tgDxz7ornlyaxR4wcSYzfcuIeY2ZH+dkxc7JJHQbKTW1dWYHpXUUzzNm+Ay/Gtk+ 2EIAgJ9oUf8FARR5cmcKBZfLFVdc40vpM3bBCV4m2Kr5KiDsqZKdZTujBQRccAsO HKRbhDecw0WX/CfEbLprs86uIXFMIoifhmh8LMebjzIQn2ozoFG6R31vMMHeDpir zf0xlVCJrJy/XywmkodhBWWrUWcM0hfsJ8EmyIBwFEYUxFhOV3D+x3rStd2kjyNL LG9oWclxDkjImQXdrL8IRAQfZvcVQFZK2vSGCYfRN0LY105sxjPjeIsJ0RORzcSN 2mlDR1UuTosk0GleDbmhv/ornfOc537UebwuHVWU5LpPNFkvY1Cv8zPrQAHewuod TmktkNuv2x2fgw9g7ntE88UBF9JMC+Ofs/FgJ67RkoT4R39P7VvaztHlmxmr/rIw TrSs7TDVqciz+DOMRKxyNPI1cpXM5ITCTvgbY4+RWwaFJzfgY+Gc+sldvVcb1x9I LlsI19MA0bsvi+ReOcLbWYuEHaVhVqZ7LndxR9m2gJ39L9jff+dOsSlznF4OLs+S t7Rz6i2mOpe6vXobkTUmml3m3zYIhL3XcdcYpw3U0F8= =uhgi -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
APPLE-SA-2018-10-30-9 Additional information for APPLE-SA-2018-9-24-1 macOS Mojave 10.14
macOS Mojave 10.14 addresses the following:
Bluetooth Available for: iMac (21.5-inch, Late 2012), iMac (27-inch, Late 2012) , iMac (21.5-inch, Late 2013), iMac (21.5-inch, Mid 2014), iMac (Retina 5K, 27-inch, Late 2014), iMac (21.5-inch, Late 2015), Mac mini (Mid 2011), Mac mini Server (Mid 2011), Mac mini (Late 2012) , Mac mini Server (Late 2012), Mac mini (Late 2014), Mac Pro (Late 2013), MacBook Air (11-inch, Mid 2011), MacBook Air (13-inch, Mid 2011), MacBook Air (11-inch, Mid 2012), MacBook Air (13-inch, Mid 2012), MacBook Air (11-inch, Mid 2013), MacBook Air (13-inch, Mid 2013), MacBook Air (11-inch, Early 2015), MacBook Air (13-inch, Early 2015), MacBook Pro (13-inch, Mid 2012), MacBook Pro (15-inch, Mid 2012), MacBook Pro (Retina, 13-inch, Early 2013), MacBook Pro (Retina, 15-inch, Early 2013), MacBook Pro (Retina, 13-inch, Late 2013), and MacBook Pro (Retina, 15-inch, Late 2013) Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic Description: An input validation issue existed in Bluetooth. CVE-2018-5383: Lior Neumann and Eli Biham
The updates below are available for these Mac models: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013, Mid 2010, and Mid 2012 models with recommended Metal-capable graphics processor, including MSI Gaming Radeon RX 560 and Sapphire Radeon PULSE RX 580)
afpserver Impact: A remote attacker may be able to attack AFP servers through HTTP clients Description: An input validation issue was addressed with improved input validation. CVE-2018-4324: Sergii Kryvoblotskyi of MacPaw Inc. CVE-2018-4353: Abhinav Bansal of LinkedIn Inc. CVE-2018-4321: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc. CVE-2018-4338: Lee @ SECLAB, Yonsei University working with Trend Micro's Zero Day Initiative Entry added October 30, 2018
Additional recognition
Accessibility Framework We would like to acknowledge Ryan Govostes for their assistance.
Mail We would like to acknowledge Alessandro Avagliano of Rocket Internet SE, John Whitehead of The New York Times, Kelvin Delbarre of Omicron Software Systems, and Zbyszek A>>A3Akiewski for their assistance.
Security We would like to acknowledge Christoph Sinai, Daniel Dudek (@dannysapples) of The Irish Times and Filip KlubiAka (@lemoncloak) of ADAPT Centre, Dublin Institute of Technology, Istvan Csanady of Shapr3D, Omar Barkawi of ITG Software, Inc., Phil Caleno, Wilson Ding, and an anonymous researcher for their assistance
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201904-1361",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "mac os x",
"scope": "lt",
"trust": 1.8,
"vendor": "apple",
"version": "10.14"
},
{
"model": "icloud",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "for windows 7.8 earlier"
},
{
"model": "ios",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12.1 earlier"
},
{
"model": "itunes",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12.9.1 earlier"
},
{
"model": "macos high sierra",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "(security update 2018-001 not applied )"
},
{
"model": "macos mojave",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "10.14.1 earlier"
},
{
"model": "macos sierra",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "(security update 2018-005 not applied )"
},
{
"model": "safari",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12.0.1 earlier"
},
{
"model": "tvos",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12.1 earlier"
},
{
"model": "watchos",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "5.1 earlier"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "10.12.6"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "macos mojave",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "10.14 earlier"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-008908"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014937"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-007762"
},
{
"db": "NVD",
"id": "CVE-2018-4295"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:apple:icloud",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:apple:iphone_os",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:apple:itunes",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:apple:mac_os_high_sierra",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:apple:mac_os_mojave",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:apple:mac_os_sierra",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:apple:safari",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:apple:apple_tv",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:apple:watchos",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-008908"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Jianjun Chen (@whucjj) from Tsinghua University and UC Berkeley",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-1463"
}
],
"trust": 0.6
},
"cve": "CVE-2018-4295",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2018-4295",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-134326",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2018-4295",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-4295",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2018-4295",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNNVD",
"id": "CNNVD-201810-1463",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-134326",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-4295",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134326"
},
{
"db": "VULMON",
"id": "CVE-2018-4295"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014937"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1463"
},
{
"db": "NVD",
"id": "CVE-2018-4295"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An input validation issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14. Apple Has released an update for each product.The expected impact depends on each vulnerability, but can be affected as follows: Detail is Apple See the information provided by. * HTTP Through the client AFP Server attack * Arbitrary code execution * information leak * Buffer overflow * Privilege escalation * Service operation interruption (DoS) * File system tampering * UI Spoofing * Limit avoidance * Cross-site scripting * Address bar impersonation. macOS Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apple macOS Mojave is a set of dedicated operating systems developed by Apple for Mac computers. afpserver is one of the Apple Archive Protocol server components. An input validation error vulnerability exists in the afpserver component of Apple macOS Mojave prior to 10.14. Remote attackers can exploit this vulnerability to attack the AFP server through the HTTP client. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2018-10-30-2 macOS Mojave 10.14.1, Security Update 2018-001\nHigh Sierra, Security Update 2018-005 Sierra\n\nmacOS Mojave 10.14.1, Security Update 2018-001 High Sierra, and\nSecurity Update 2018-005 Sierra are now available and address\nthe following:\n\nafpserver\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: A remote attacker may be able to attack AFP servers through\nHTTP clients\nDescription: An input validation issue was addressed with improved\ninput validation. \nCVE-2018-4295: Jianjun Chen (@whucjj) from Tsinghua University and UC\nBerkeley\n\nAppleGraphicsControl\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: An application may be able to execute arbitrary code with\nsystem privileges\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2018-4410: an anonymous researcher working with Trend Micro\u0027s\nZero Day Initiative\n\nAppleGraphicsControl\nAvailable for: macOS High Sierra 10.13.6\nImpact: An application may be able to read restricted memory\nDescription: A validation issue was addressed with improved input\nsanitization. \nCVE-2018-4417: Lee of the Information Security Lab Yonsei University\nworking with Trend Micro\u0027s Zero Day Initiative\n\nAPR\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: Multiple buffer overflow issues existed in Perl\nDescription: Multiple issues in Perl were addressed with improved\nmemory handling. \nCVE-2017-12613: Craig Young of Tripwire VERT\nCVE-2017-12618: Craig Young of Tripwire VERT\n\nATS\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: A malicious application may be able to elevate privileges\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2018-4411: lilang wu moony Li of Trend Micro working with Trend\nMicro\u0027s Zero Day Initiative\n\nATS\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: An application may be able to read restricted memory\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2018-4308: Mohamed Ghannam (@_simo36)\n\nCFNetwork\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: An application may be able to execute arbitrary code with\nsystem privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4126: Bruno Keith (@bkth_) working with Trend Micro\u0027s Zero\nDay Initiative\n\nCoreAnimation\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: An application may be able to execute arbitrary code with\nsystem privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4415: Liang Zhuo working with Beyond Security\u0027s SecuriTeam\nSecure Disclosure\n\nCoreCrypto\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: An attacker may be able to exploit a weakness in the\nMiller-Rabin primality test to incorrectly identify prime numbers\nDescription: An issue existed in the method for determining prime\nnumbers. This issue was addressed by using pseudorandom bases for\ntesting of primes. \nCVE-2018-4398: Martin Albrecht, Jake Massimo and Kenny Paterson of\nRoyal Holloway, University of London, and Juraj Somorovsky of Ruhr\nUniversity, Bochum\n\nCoreFoundation\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: A malicious application may be able to elevate privileges\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2018-4412: The UK\u0027s National Cyber Security Centre (NCSC)\n\nCUPS\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: In certain configurations, a remote attacker may be able to\nreplace the message content from the print server with arbitrary\ncontent\nDescription: An injection issue was addressed with improved\nvalidation. \nCVE-2018-4153: Michael Hanselmann of hansmi.ch\n\nCUPS\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: An attacker in a privileged position may be able to perform a\ndenial of service attack\nDescription: A denial of service issue was addressed with improved\nvalidation. \nCVE-2018-4406: Michael Hanselmann of hansmi.ch\n\nDictionary\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: Parsing a maliciously crafted dictionary file may lead to\ndisclosure of user information\nDescription: A validation issue existed which allowed local file\naccess. \nCVE-2018-4346: Wojciech ReguAa (@_r3ggi) of SecuRing\n\nDock\nAvailable for: macOS Mojave 10.14\nImpact: A malicious application may be able to access restricted\nfiles\nDescription: This issue was addressed by removing additional\nentitlements. \nCVE-2018-4403: Patrick Wardle of Digita Security\n\ndyld\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: A malicious application may be able to elevate privileges\nDescription: A logic issue was addressed with improved validation. \nCVE-2018-4423: an anonymous researcher\n\nEFI\nAvailable for: macOS High Sierra 10.13.6\nImpact: Systems with microprocessors utilizing speculative execution\nand speculative execution of memory reads before the addresses of all\nprior memory writes are known may allow unauthorized disclosure of\ninformation to an attacker with local user access via a side-channel\nanalysis\nDescription: An information disclosure issue was addressed with a\nmicrocode update. This ensures that older data read from\nrecently-written-to addresses cannot be read via a speculative\nside-channel. \nCVE-2018-3639: Jann Horn (@tehjh) of Google Project Zero (GPZ), Ken\nJohnson of the Microsoft Security Response Center (MSRC)\n\nEFI\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14\nImpact: A local user may be able to modify protected parts of the\nfile system\nDescription: A configuration issue was addressed with additional\nrestrictions. \nCVE-2018-4342: Timothy Perfitt of Twocanoes Software\n\nFoundation\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: Processing a maliciously crafted text file may lead to a\ndenial of service\nDescription: A denial of service issue was addressed with improved\nvalidation. \nCVE-2018-4304: jianan.huang (@Sevck)\n\nGrand Central Dispatch\nAvailable for: macOS High Sierra 10.13.6\nImpact: An application may be able to execute arbitrary code with\nsystem privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4426: Brandon Azad\n\nHeimdal\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: An application may be able to execute arbitrary code with\nsystem privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4331: Brandon Azad\n\nHypervisor\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: Systems with microprocessors utilizing speculative execution\nand address translations may allow unauthorized disclosure of\ninformation residing in the L1 data cache to an attacker with local\nuser access with guest OS privilege via a terminal page fault and a\nside-channel analysis\nDescription: An information disclosure issue was addressed by\nflushing the L1 data cache at the virtual machine entry. \nCVE-2018-3646: Baris Kasikci, Daniel Genkin, Ofir Weisse, and Thomas\nF. Wenisch of University of Michigan, Mark Silberstein and Marina\nMinkin of Technion, Raoul Strackx, Jo Van Bulck, and Frank Piessens\nof KU Leuven, Rodrigo Branco, Henrique Kawakami, Ke Sun, and Kekai Hu\nof Intel Corporation, Yuval Yarom of The University of Adelaide\n\nHypervisor\nAvailable for: macOS Sierra 10.12.6\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption vulnerability was addressed with\nimproved locking. \nCVE-2018-4242: Zhuo Liang of Qihoo 360 Nirvan Team\n\nICU\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: Processing a maliciously crafted string may lead to heap\ncorruption\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2018-4394: an anonymous researcher\n\nIntel Graphics Driver\nAvailable for: macOS Sierra 10.12.6\nImpact: An application may be able to execute arbitrary code with\nsystem privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4334: Ian Beer of Google Project Zero\n\nIntel Graphics Driver\nAvailable for: macOS High Sierra 10.13.6\nImpact: An application may be able to read restricted memory\nDescription: A validation issue was addressed with improved input\nsanitization. \nCVE-2018-4396: Yu Wang of Didi Research America\nCVE-2018-4418: Yu Wang of Didi Research America\n\nIntel Graphics Driver\nAvailable for: macOS High Sierra 10.13.6\nImpact: An application may be able to execute arbitrary code with\nsystem privileges\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2018-4350: Yu Wang of Didi Research America\n\nIOGraphics\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4422: an anonymous researcher working with Trend Micro\u0027s\nZero Day Initiative\n\nIOHIDFamily\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: A malicious application may be able to execute arbitrary code\nwith kernel privileges\nDescription: A memory corruption issue was addressed with improved\ninput validation\nCVE-2018-4408: Ian Beer of Google Project Zero\n\nIOKit\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: An application may be able to execute arbitrary code with\nsystem privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4402: Proteas of Qihoo 360 Nirvan Team\n\nIOKit\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: A malicious application may be able to break out of its\nsandbox\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4341: Ian Beer of Google Project Zero\nCVE-2018-4354: Ian Beer of Google Project Zero\n\nIOUserEthernet\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4401: Apple\n\nIPSec\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: An application may be able to gain elevated privileges\nDescription: An out-of-bounds read was addressed with improved input\nvalidation. \nCVE-2018-4371: Tim Michaud (@TimGMichaud) of Leviathan Security Group\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed by removing the\nvulnerable code. \nCVE-2018-4420: Mohamed Ghannam (@_simo36)\n\nKernel\nAvailable for: macOS High Sierra 10.13.6\nImpact: A malicious application may be able to leak sensitive user\ninformation\nDescription: An access issue existed with privileged API calls. \nCVE-2018-4399: Fabiano Anemone (@anoane)\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4340: Mohamed Ghannam (@_simo36)\nCVE-2018-4419: Mohamed Ghannam (@_simo36)\nCVE-2018-4425: cc working with Trend Micro\u0027s Zero Day Initiative,\nJuwei Lin (@panicaII) of Trend Micro working with Trend Micro\u0027s Zero\nDay Initiative\n\nKernel\nAvailable for: macOS Sierra 10.12.6\nImpact: Mounting a maliciously crafted NFS network share may lead to\narbitrary code execution with system privileges\nDescription: Multiple memory corruption issues were addressed with\nimproved memory handling. \nCVE-2018-4259: Kevin Backhouse of Semmle and LGTM.com\nCVE-2018-4286: Kevin Backhouse of Semmle and LGTM.com\nCVE-2018-4287: Kevin Backhouse of Semmle and LGTM.com\nCVE-2018-4288: Kevin Backhouse of Semmle and LGTM.com\nCVE-2018-4291: Kevin Backhouse of Semmle and LGTM.com\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: An application may be able to read restricted memory\nDescription: A memory initialization issue was addressed with\nimproved memory handling. \nCVE-2018-4413: Juwei Lin (@panicaII) of TrendMicro Mobile Security\nTeam\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: An attacker in a privileged network position may be able to\nexecute arbitrary code\nDescription: A memory corruption issue was addressed with improved\nvalidation. \nCVE-2018-4407: Kevin Backhouse of Semmle Ltd. \n\nKernel\nAvailable for: macOS Mojave 10.14\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A buffer overflow was addressed with improved size\nvalidation. \nCVE-2018-4424: Dr. Silvio Cesare of InfoSect\n\nLogin Window\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: A local user may be able to cause a denial of service\nDescription: A validation issue was addressed with improved logic. \nCVE-2018-4348: Ken Gannon of MWR InfoSecurity and Christian Demko of\nMWR InfoSecurity\n\nMail\nAvailable for: macOS Mojave 10.14\nImpact: Processing a maliciously crafted mail message may lead to UI\nspoofing\nDescription: An inconsistent user interface issue was addressed with\nimproved state management. \nCVE-2018-4389: Dropbox Offensive Security Team, Theodor Ragnar\nGislason of Syndis\n\nmDNSOffloadUserClient\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4326: an anonymous researcher working with Trend Micro\u0027s\nZero Day Initiative, Zhuo Liang of Qihoo 360 Nirvan Team\n\nMediaRemote\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: A sandboxed process may be able to circumvent sandbox\nrestrictions\nDescription: An access issue was addressed with additional sandbox\nrestrictions. \nCVE-2018-4310: CodeColorist of Ant-Financial LightYear Labs\n\nMicrocode\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: Systems with microprocessors utilizing speculative execution\nand that perform speculative reads of system registers may allow\nunauthorized disclosure of system parameters to an attacker with\nlocal user access via a side-channel analysis\nDescription: An information disclosure issue was addressed with a\nmicrocode update. This ensures that implementation specific system\nregisters cannot be leaked via a speculative execution side-channel. \nCVE-2018-3640: Innokentiy Sennovskiy from BiZone LLC (bi.zone),\nZdenek Sojka, Rudolf Marek and Alex Zuepke from SYSGO AG (sysgo.com)\n\nNetworkExtension\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14\nImpact: Connecting to a VPN server may leak DNS queries to a DNS\nproxy\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2018-4369: an anonymous researcher\n\nPerl\nAvailable for: macOS Sierra 10.12.6\nImpact: Multiple buffer overflow issues existed in Perl\nDescription: Multiple issues in Perl were addressed with improved\nmemory handling. \nCVE-2018-6797: Brian Carpenter\n\nRuby\nAvailable for: macOS Sierra 10.12.6\nImpact: A remote attacker may be able to cause unexpected application\ntermination or arbitrary code execution\nDescription: Multiple issues in Ruby were addressed in this update. \nCVE-2017-898\nCVE-2017-10784\nCVE-2017-14033\nCVE-2017-14064\nCVE-2017-17405\nCVE-2017-17742\nCVE-2018-6914\nCVE-2018-8777\nCVE-2018-8778\nCVE-2018-8779\nCVE-2018-8780\n\nSecurity\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: Processing a maliciously crafted S/MIME signed message may\nlead to a denial of service\nDescription: A validation issue was addressed with improved logic. \nCVE-2018-4400: Yukinobu Nagayasu of LAC Co., Ltd. \n\nSecurity\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: A local user may be able to cause a denial of service\nDescription: This issue was addressed with improved checks. \nCVE-2018-4395: Patrick Wardle of Digita Security\n\nSpotlight\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: An application may be able to execute arbitrary code with\nsystem privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4393: Lufeng Li\n\nSymptom Framework\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\nImpact: An application may be able to read restricted memory\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2018-4203: Bruno Keith (@bkth_) working with Trend Micro\u0027s Zero\nDay Initiative\n\nWiFi\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: An attacker in a privileged position may be able to perform a\ndenial of service attack\nDescription: A denial of service issue was addressed with improved\nvalidation. \nCVE-2018-4368: Milan Stute and Alex Mariotto of Secure Mobile\nNetworking Lab at Technische UniversitA$?t Darmstadt\n\nAdditional recognition\n\nCalendar\nWe would like to acknowledge an anonymous researcher for their\nassistance. \n\niBooks\nWe would like to acknowledge Sem VoigtlA$?nder of Fontys Hogeschool \nICT for their assistance. \n\nKernel\nWe would like to acknowledge Brandon Azad for their assistance. \n\nLaunchServices\nWe would like to acknowledge Alok Menghrajani of Square for their\nassistance. \n\nQuick Look\nWe would like to acknowledge lokihardt of Google Project Zero for\ntheir assistance. \n\nSecurity\nWe would like to acknowledge Marinos Bernitsas of Parachute for their\nassistance. \n\nTerminal\nWe would like to acknowledge an anonymous researcher for their\nassistance. \n\nInstallation note:\n\nmacOS Mojave 10.14.1, Security Update 2018-001 High Sierra, and\nSecurity Update 2018-005 Sierra may be obtained from the\nMac App Store or Apple\u0027s Software Downloads web site:\nhttps://support.apple.com/downloads/\n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n-----BEGIN PGP SIGNATURE-----\n\niQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlvYkgYpHHByb2R1Y3Qt\nc2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3EcGQ//\nQbUbTOZRgxcStGZjs+qdXjeaXI6i1MKaky7o/iYCXf87crFu79PCsXyPU1jeMvoS\ntgDxz7ornlyaxR4wcSYzfcuIeY2ZH+dkxc7JJHQbKTW1dWYHpXUUzzNm+Ay/Gtk+\n2EIAgJ9oUf8FARR5cmcKBZfLFVdc40vpM3bBCV4m2Kr5KiDsqZKdZTujBQRccAsO\nHKRbhDecw0WX/CfEbLprs86uIXFMIoifhmh8LMebjzIQn2ozoFG6R31vMMHeDpir\nzf0xlVCJrJy/XywmkodhBWWrUWcM0hfsJ8EmyIBwFEYUxFhOV3D+x3rStd2kjyNL\nLG9oWclxDkjImQXdrL8IRAQfZvcVQFZK2vSGCYfRN0LY105sxjPjeIsJ0RORzcSN\n2mlDR1UuTosk0GleDbmhv/ornfOc537UebwuHVWU5LpPNFkvY1Cv8zPrQAHewuod\nTmktkNuv2x2fgw9g7ntE88UBF9JMC+Ofs/FgJ67RkoT4R39P7VvaztHlmxmr/rIw\nTrSs7TDVqciz+DOMRKxyNPI1cpXM5ITCTvgbY4+RWwaFJzfgY+Gc+sldvVcb1x9I\nLlsI19MA0bsvi+ReOcLbWYuEHaVhVqZ7LndxR9m2gJ39L9jff+dOsSlznF4OLs+S\nt7Rz6i2mOpe6vXobkTUmml3m3zYIhL3XcdcYpw3U0F8=\n=uhgi\n-----END PGP SIGNATURE-----\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2018-10-30-9 Additional information for\nAPPLE-SA-2018-9-24-1 macOS Mojave 10.14\n\nmacOS Mojave 10.14 addresses the following:\n\nBluetooth\nAvailable for: iMac (21.5-inch, Late 2012), iMac (27-inch, Late 2012)\n, iMac (21.5-inch, Late 2013), iMac (21.5-inch, Mid 2014), iMac\n(Retina 5K, 27-inch, Late 2014), iMac (21.5-inch, Late 2015),\nMac mini (Mid 2011), Mac mini Server (Mid 2011), Mac mini (Late 2012)\n, Mac mini Server (Late 2012), Mac mini (Late 2014), Mac Pro\n(Late 2013), MacBook Air (11-inch, Mid 2011), MacBook Air\n(13-inch, Mid 2011), MacBook Air (11-inch, Mid 2012), MacBook Air\n(13-inch, Mid 2012), MacBook Air (11-inch, Mid 2013), MacBook Air\n(13-inch, Mid 2013), MacBook Air (11-inch, Early 2015), MacBook Air\n(13-inch, Early 2015), MacBook Pro (13-inch, Mid 2012), MacBook Pro\n(15-inch, Mid 2012), MacBook Pro (Retina, 13-inch, Early 2013),\nMacBook Pro (Retina, 15-inch, Early 2013), MacBook Pro (Retina,\n13-inch, Late 2013), and MacBook Pro (Retina, 15-inch, Late 2013)\nImpact: An attacker in a privileged network position may be able to\nintercept Bluetooth traffic\nDescription: An input validation issue existed in Bluetooth. \nCVE-2018-5383: Lior Neumann and Eli Biham\n\nThe updates below are available for these Mac models:\nMacBook (Early 2015 and later), MacBook Air (Mid 2012 and later),\nMacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later),\niMac (Late 2012 and later), iMac Pro (all models), Mac Pro\n(Late 2013, Mid 2010, and Mid 2012 models with recommended\nMetal-capable graphics processor, including MSI Gaming Radeon RX 560\nand Sapphire Radeon PULSE RX 580)\n\nafpserver\nImpact: A remote attacker may be able to attack AFP servers through\nHTTP clients\nDescription: An input validation issue was addressed with improved\ninput validation. \nCVE-2018-4324: Sergii Kryvoblotskyi of MacPaw Inc. \nCVE-2018-4353: Abhinav Bansal of LinkedIn Inc. \nCVE-2018-4321: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc. \nCVE-2018-4338: Lee @ SECLAB, Yonsei University working with Trend\nMicro\u0027s Zero Day Initiative\nEntry added October 30, 2018\n\nAdditional recognition\n\nAccessibility Framework\nWe would like to acknowledge Ryan Govostes for their assistance. \n\nMail\nWe would like to acknowledge Alessandro Avagliano of Rocket Internet\nSE, John Whitehead of The New York Times, Kelvin Delbarre of Omicron\nSoftware Systems, and Zbyszek A\u003e\u003eA3Akiewski for their assistance. \n\nSecurity\nWe would like to acknowledge Christoph Sinai, Daniel Dudek\n(@dannysapples) of The Irish Times and Filip KlubiAka (@lemoncloak)\nof ADAPT Centre, Dublin Institute of Technology, Istvan Csanady of\nShapr3D, Omar Barkawi of ITG Software, Inc., Phil Caleno, Wilson\nDing, and an anonymous researcher for their assistance",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-4295"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008908"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014937"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-007762"
},
{
"db": "VULHUB",
"id": "VHN-134326"
},
{
"db": "VULMON",
"id": "CVE-2018-4295"
},
{
"db": "PACKETSTORM",
"id": "150108"
},
{
"db": "PACKETSTORM",
"id": "150116"
}
],
"trust": 3.42
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-4295",
"trust": 2.8
},
{
"db": "JVN",
"id": "JVNVU96365720",
"trust": 1.6
},
{
"db": "JVN",
"id": "JVNVU99356481",
"trust": 1.6
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008908",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014937",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2018-007762",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1463",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-134326",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-4295",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "150108",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "150116",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134326"
},
{
"db": "VULMON",
"id": "CVE-2018-4295"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008908"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014937"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-007762"
},
{
"db": "PACKETSTORM",
"id": "150108"
},
{
"db": "PACKETSTORM",
"id": "150116"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1463"
},
{
"db": "NVD",
"id": "CVE-2018-4295"
}
]
},
"id": "VAR-201904-1361",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-134326"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T21:26:26.125000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "About the security content of macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, Security Update 2018-005 Sierra",
"trust": 1.6,
"url": "https://support.apple.com/en-us/HT209193"
},
{
"title": "HT209139",
"trust": 1.6,
"url": "https://support.apple.com/en-us/HT209139"
},
{
"title": "About the security content of iTunes 12.9.1",
"trust": 0.8,
"url": "https://support.apple.com/en-us/HT209197"
},
{
"title": " About the security content of iCloud for Windows 7.8 ",
"trust": 0.8,
"url": "https://support.apple.com/en-us/HT209198"
},
{
"title": "About the security content of Safari 12.0.1",
"trust": 0.8,
"url": "https://support.apple.com/en-us/HT209196"
},
{
"title": " About the security content of tvOS 12.1",
"trust": 0.8,
"url": "https://support.apple.com/en-us/HT209194"
},
{
"title": " About the security content of iOS 12.1",
"trust": 0.8,
"url": "https://support.apple.com/en-us/HT209192"
},
{
"title": " About the security content of watchOS 5.1",
"trust": 0.8,
"url": "https://support.apple.com/en-us/HT209195"
},
{
"title": "HT209139",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/HT209139"
},
{
"title": "HT209193",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/HT209193"
},
{
"title": "Apple macOS Sierra afpserver Enter the fix for the verification vulnerability",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86441"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-008908"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014937"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-007762"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1463"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-20",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134326"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014937"
},
{
"db": "NVD",
"id": "CVE-2018-4295"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht209139"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht209193"
},
{
"trust": 1.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4295"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu96365720/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4295"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu96365720/index.html"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu99356481/index.html"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu99356481/"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-12618"
},
{
"trust": 0.2,
"url": "https://support.apple.com/kb/ht201222"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4203"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4334"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4308"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4326"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4153"
},
{
"trust": 0.2,
"url": "https://support.apple.com/downloads/"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4340"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4304"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4126"
},
{
"trust": 0.2,
"url": "https://www.apple.com/support/security/pgp/"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4331"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4310"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-3646"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-12613"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-3639"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "http://seclists.org/fulldisclosure/2018/nov/16"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-14064"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-10784"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4288"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-17405"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-3640"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4291"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4286"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-14033"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4259"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4242"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-17742"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4287"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4336"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4338"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4332"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4324"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5334"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1777"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5333"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4333"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4341"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3194"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4321"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4337"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134326"
},
{
"db": "VULMON",
"id": "CVE-2018-4295"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008908"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014937"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-007762"
},
{
"db": "PACKETSTORM",
"id": "150108"
},
{
"db": "PACKETSTORM",
"id": "150116"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1463"
},
{
"db": "NVD",
"id": "CVE-2018-4295"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-134326"
},
{
"db": "VULMON",
"id": "CVE-2018-4295"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008908"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014937"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-007762"
},
{
"db": "PACKETSTORM",
"id": "150108"
},
{
"db": "PACKETSTORM",
"id": "150116"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1463"
},
{
"db": "NVD",
"id": "CVE-2018-4295"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-04-03T00:00:00",
"db": "VULHUB",
"id": "VHN-134326"
},
{
"date": "2019-04-03T00:00:00",
"db": "VULMON",
"id": "CVE-2018-4295"
},
{
"date": "2018-11-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-008908"
},
{
"date": "2019-04-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-014937"
},
{
"date": "2018-09-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-007762"
},
{
"date": "2018-10-31T15:50:04",
"db": "PACKETSTORM",
"id": "150108"
},
{
"date": "2018-10-31T16:10:50",
"db": "PACKETSTORM",
"id": "150116"
},
{
"date": "2018-10-31T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-1463"
},
{
"date": "2019-04-03T18:29:05.860000",
"db": "NVD",
"id": "CVE-2018-4295"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-04-04T00:00:00",
"db": "VULHUB",
"id": "VHN-134326"
},
{
"date": "2019-04-04T00:00:00",
"db": "VULMON",
"id": "CVE-2018-4295"
},
{
"date": "2018-11-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-008908"
},
{
"date": "2019-04-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-014937"
},
{
"date": "2018-09-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-007762"
},
{
"date": "2019-04-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-1463"
},
{
"date": "2024-11-21T04:07:08.613000",
"db": "NVD",
"id": "CVE-2018-4295"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-1463"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural Apple Updates to product vulnerabilities",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-008908"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-1463"
}
],
"trust": 0.6
}
}
ghsa-wfmf-9fg9-6h9p
Vulnerability from github
An input validation issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14.
{
"affected": [],
"aliases": [
"CVE-2018-4295"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-03T18:29:00Z",
"severity": "CRITICAL"
},
"details": "An input validation issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14.",
"id": "GHSA-wfmf-9fg9-6h9p",
"modified": "2022-05-14T01:13:32Z",
"published": "2022-05-14T01:13:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4295"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209139"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209193"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
cnvd-2018-25378
Vulnerability from cnvd
厂商已发布漏洞修复程序,请及时关注更新: https://support.apple.com/en-us/HT209193
| Name | ['Apple macOS Sierra 10.12.6', 'Apple macOS High Sierra 10.13.6'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2018-4295"
}
},
"description": "macOS\u662f\u82f9\u679c\u516c\u53f8\u4e3aMac\u7cfb\u5217\u4ea7\u54c1\u5f00\u53d1\u7684\u4e13\u5c5e\u64cd\u4f5c\u7cfb\u7edf\u3002\n\nApple macOS Sierra 10.12.6\u3001macOS High Sierra 10.13.6\u4e2d\u7684afpserver\u5b58\u5728AFP\u670d\u52a1\u5668\u653b\u51fb\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7HTTP\u5ba2\u6237\u7aef\u5229\u7528\u8be5\u6f0f\u6d1e\u653b\u51fbAFP\u670d\u52a1\u5668\u3002",
"discovererName": "Jianjun Chen (@whucjj) from Tsinghua University and UC Berkeley",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.apple.com/en-us/HT209193",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2018-25378",
"openTime": "2018-12-14",
"patchDescription": "macOS\u662f\u82f9\u679c\u516c\u53f8\u4e3aMac\u7cfb\u5217\u4ea7\u54c1\u5f00\u53d1\u7684\u4e13\u5c5e\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\nApple macOS Sierra 10.12.6\u3001macOS High Sierra 10.13.6\u4e2d\u7684afpserver\u5b58\u5728AFP\u670d\u52a1\u5668\u653b\u51fb\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7HTTP\u5ba2\u6237\u7aef\u5229\u7528\u8be5\u6f0f\u6d1e\u653b\u51fbAFP\u670d\u52a1\u5668\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Apple macOS AFP\u670d\u52a1\u5668\u653b\u51fb\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Apple macOS Sierra 10.12.6",
"Apple macOS High Sierra 10.13.6"
]
},
"referenceLink": "https://support.apple.com/en-us/HT209193",
"serverity": "\u9ad8",
"submitTime": "2018-11-02",
"title": "Apple macOS AFP\u670d\u52a1\u5668\u653b\u51fb\u6f0f\u6d1e"
}
CERTFR-2018-AVI-524
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Apple. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
None| Vendor | Product | Description | ||
|---|---|---|---|---|
| Apple | Safari | Safari versions antérieures à 12.0.1 | ||
| Apple | macOS | macOS Sierra versions antérieures à 10.12.6 | ||
| Apple | N/A | iOS versions antérieures à 12.1 | ||
| Apple | N/A | watchOS versions antérieures à 5.1 | ||
| Apple | macOS | macOS High Sierra versions antérieures à 10.13.6 | ||
| Apple | N/A | tvOS versions antérieures à 12.1 | ||
| Apple | N/A | iCloud for Windows versions antérieures à 7.8 | ||
| Apple | macOS | macOS Mojave versions antérieures à 10.14 | ||
| Apple | N/A | iTunes versions antérieures à 12.9.1 |
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Safari versions ant\u00e9rieures \u00e0 12.0.1",
"product": {
"name": "Safari",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "macOS Sierra versions ant\u00e9rieures \u00e0 10.12.6",
"product": {
"name": "macOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "iOS versions ant\u00e9rieures \u00e0 12.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "watchOS versions ant\u00e9rieures \u00e0 5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "macOS High Sierra versions ant\u00e9rieures \u00e0 10.13.6",
"product": {
"name": "macOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "tvOS versions ant\u00e9rieures \u00e0 12.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "iCloud for Windows versions ant\u00e9rieures \u00e0 7.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "macOS Mojave versions ant\u00e9rieures \u00e0 10.14",
"product": {
"name": "macOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "iTunes versions ant\u00e9rieures \u00e0 12.9.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-4310",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4310"
},
{
"name": "CVE-2017-14033",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-14033"
},
{
"name": "CVE-2018-4391",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4391"
},
{
"name": "CVE-2018-8777",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-8777"
},
{
"name": "CVE-2018-4368",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4368"
},
{
"name": "CVE-2018-4395",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4395"
},
{
"name": "CVE-2018-4425",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4425"
},
{
"name": "CVE-2018-4259",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4259"
},
{
"name": "CVE-2018-4400",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4400"
},
{
"name": "CVE-2018-4415",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4415"
},
{
"name": "CVE-2018-4427",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4427"
},
{
"name": "CVE-2018-4369",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4369"
},
{
"name": "CVE-2018-4396",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4396"
},
{
"name": "CVE-2018-4291",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4291"
},
{
"name": "CVE-2017-12618",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-12618"
},
{
"name": "CVE-2018-4374",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4374"
},
{
"name": "CVE-2017-10784",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10784"
},
{
"name": "CVE-2018-4350",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4350"
},
{
"name": "CVE-2018-4386",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4386"
},
{
"name": "CVE-2018-4417",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4417"
},
{
"name": "CVE-2018-4331",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4331"
},
{
"name": "CVE-2018-4398",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4398"
},
{
"name": "CVE-2018-4412",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4412"
},
{
"name": "CVE-2018-4420",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4420"
},
{
"name": "CVE-2017-14064",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-14064"
},
{
"name": "CVE-2018-4392",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4392"
},
{
"name": "CVE-2018-4409",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4409"
},
{
"name": "CVE-2018-8778",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-8778"
},
{
"name": "CVE-2018-4419",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4419"
},
{
"name": "CVE-2018-4371",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4371"
},
{
"name": "CVE-2018-4348",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4348"
},
{
"name": "CVE-2018-4382",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4382"
},
{
"name": "CVE-2018-4424",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4424"
},
{
"name": "CVE-2017-12613",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-12613"
},
{
"name": "CVE-2018-4288",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4288"
},
{
"name": "CVE-2018-4203",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4203"
},
{
"name": "CVE-2017-0898",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-0898"
},
{
"name": "CVE-2018-8779",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-8779"
},
{
"name": "CVE-2018-4402",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4402"
},
{
"name": "CVE-2018-4377",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4377"
},
{
"name": "CVE-2018-4378",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4378"
},
{
"name": "CVE-2018-4341",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4341"
},
{
"name": "CVE-2018-3639",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3639"
},
{
"name": "CVE-2018-4426",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4426"
},
{
"name": "CVE-2018-4367",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4367"
},
{
"name": "CVE-2018-4399",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4399"
},
{
"name": "CVE-2018-4342",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4342"
},
{
"name": "CVE-2018-4389",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4389"
},
{
"name": "CVE-2018-4403",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4403"
},
{
"name": "CVE-2018-4411",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4411"
},
{
"name": "CVE-2018-4408",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4408"
},
{
"name": "CVE-2018-4375",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4375"
},
{
"name": "CVE-2018-4418",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4418"
},
{
"name": "CVE-2018-4340",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4340"
},
{
"name": "CVE-2018-4394",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4394"
},
{
"name": "CVE-2018-4365",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4365"
},
{
"name": "CVE-2018-6797",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-6797"
},
{
"name": "CVE-2018-4308",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4308"
},
{
"name": "CVE-2018-4126",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4126"
},
{
"name": "CVE-2018-4376",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4376"
},
{
"name": "CVE-2017-17742",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-17742"
},
{
"name": "CVE-2018-4286",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4286"
},
{
"name": "CVE-2018-4334",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4334"
},
{
"name": "CVE-2018-4304",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4304"
},
{
"name": "CVE-2018-4393",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4393"
},
{
"name": "CVE-2018-4354",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4354"
},
{
"name": "CVE-2018-4406",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4406"
},
{
"name": "CVE-2018-4372",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4372"
},
{
"name": "CVE-2018-3646",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3646"
},
{
"name": "CVE-2018-4287",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4287"
},
{
"name": "CVE-2018-8780",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-8780"
},
{
"name": "CVE-2018-6914",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-6914"
},
{
"name": "CVE-2018-4423",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4423"
},
{
"name": "CVE-2018-4385",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4385"
},
{
"name": "CVE-2018-4153",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4153"
},
{
"name": "CVE-2018-3640",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3640"
},
{
"name": "CVE-2018-4388",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4388"
},
{
"name": "CVE-2018-4373",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4373"
},
{
"name": "CVE-2018-4295",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4295"
},
{
"name": "CVE-2018-4416",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4416"
},
{
"name": "CVE-2018-4366",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4366"
},
{
"name": "CVE-2018-4401",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4401"
},
{
"name": "CVE-2018-4410",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4410"
},
{
"name": "CVE-2018-4242",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4242"
},
{
"name": "CVE-2018-4384",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4384"
},
{
"name": "CVE-2018-4422",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4422"
},
{
"name": "CVE-2018-4413",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4413"
},
{
"name": "CVE-2018-4407",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4407"
},
{
"name": "CVE-2018-4346",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4346"
},
{
"name": "CVE-2017-17405",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-17405"
},
{
"name": "CVE-2018-4387",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4387"
},
{
"name": "CVE-2018-4326",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4326"
},
{
"name": "CVE-2018-4390",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4390"
}
],
"initial_release_date": "2018-10-31T00:00:00",
"last_revision_date": "2018-10-31T00:00:00",
"links": [],
"reference": "CERTFR-2018-AVI-524",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-10-31T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Apple.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Apple",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209192 du 30 octobre 2018",
"url": "https://support.apple.com/en-us/HT209192"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209193 du 30 octobre 2018",
"url": "https://support.apple.com/en-us/HT209193"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209195 du 30 octobre 2018",
"url": "https://support.apple.com/en-us/HT209195"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209196 du 30 octobre 2018",
"url": "https://support.apple.com/en-us/HT209196"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209197 du 30 octobre 2018",
"url": "https://support.apple.com/en-us/HT209197"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209194 du 30 octobre 2018",
"url": "https://support.apple.com/en-us/HT209194"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209198 du 30 octobre 2018",
"url": "https://support.apple.com/en-us/HT209198"
}
]
}
gsd-2018-4295
Vulnerability from gsd
{
"GSD": {
"alias": "CVE-2018-4295",
"description": "An input validation issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14.",
"id": "GSD-2018-4295"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-4295"
],
"details": "An input validation issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14.",
"id": "GSD-2018-4295",
"modified": "2023-12-13T01:22:28.464023Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "product-security@apple.com",
"ID": "CVE-2018-4295",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "macOS",
"version": {
"version_data": [
{
"version_value": "Versions prior to: macOS Mojave 10.14"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An input validation issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "A remote attacker may be able to attack AFP servers through HTTP clients"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.apple.com/kb/HT209193",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209193"
},
{
"name": "https://support.apple.com/kb/HT209139",
"refsource": "MISC",
"url": "https://support.apple.com/kb/HT209139"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "10.14",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "product-security@apple.com",
"ID": "CVE-2018-4295"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "An input validation issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.apple.com/kb/HT209193",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209193"
},
{
"name": "https://support.apple.com/kb/HT209139",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209139"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2019-04-04T15:56Z",
"publishedDate": "2019-04-03T18:29Z"
}
}
}
fkie_cve-2018-4295
Vulnerability from fkie_nvd
| URL | Tags | ||
|---|---|---|---|
| product-security@apple.com | https://support.apple.com/kb/HT209139 | Vendor Advisory | |
| product-security@apple.com | https://support.apple.com/kb/HT209193 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT209139 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT209193 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1E2491B4-5132-44CF-AB9A-FAC1926FE66E",
"versionEndExcluding": "10.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An input validation issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14."
},
{
"lang": "es",
"value": "Un problema de validaci\u00f3n de entradas se abord\u00f3 con una validaci\u00f3n de entradas mejorada. Este problema afectaba a macOS Mojave en versiones anteriores a la 10.14."
}
],
"id": "CVE-2018-4295",
"lastModified": "2024-11-21T04:07:08.613",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-03T18:29:05.860",
"references": [
{
"source": "product-security@apple.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209139"
},
{
"source": "product-security@apple.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209193"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209139"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.apple.com/kb/HT209193"
}
],
"sourceIdentifier": "product-security@apple.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.