CVE-2014-1296

Affected configuration(s):

cpe:/a:apple:apple_tv:6.0
cpe:/a:apple:apple_tv:6.0.1
cpe:/a:apple:apple_tv:6.0.2
cpe:/a:apple:apple_tv:6.1
cpe:/o:apple:iphone_os:7.0
cpe:/o:apple:iphone_os:7.0.1
cpe:/o:apple:iphone_os:7.0.2
cpe:/o:apple:iphone_os:7.0.3
cpe:/o:apple:iphone_os:7.0.4
cpe:/o:apple:iphone_os:7.0.5
cpe:/o:apple:iphone_os:7.0.6
cpe:/o:apple:iphone_os:7.1
cpe:/o:apple:mac_os_x:10.7.0
cpe:/o:apple:mac_os_x:10.7.1
cpe:/o:apple:mac_os_x:10.7.2
cpe:/o:apple:mac_os_x:10.7.3
cpe:/o:apple:mac_os_x:10.7.4
cpe:/o:apple:mac_os_x:10.7.5
cpe:/o:apple:mac_os_x:10.8.0
cpe:/o:apple:mac_os_x:10.8.1
cpe:/o:apple:mac_os_x:10.8.2
cpe:/o:apple:mac_os_x:10.8.3
cpe:/o:apple:mac_os_x:10.8.4
cpe:/o:apple:mac_os_x:10.8.5
cpe:/o:apple:mac_os_x:10.8.5:supplemental_update
cpe:/o:apple:mac_os_x:10.9
cpe:/o:apple:mac_os_x:10.9.1
cpe:/o:apple:mac_os_x:10.9.2
cpe:/o:apple:mac_os_x_server:10.7.0
cpe:/o:apple:mac_os_x_server:10.7.1
cpe:/o:apple:mac_os_x_server:10.7.2
cpe:/o:apple:mac_os_x_server:10.7.3
cpe:/o:apple:mac_os_x_server:10.7.4
cpe:/o:apple:mac_os_x_server:10.7.5

Date published: 2014-04-23T07:52:59.400-04:00

Date last modified: 2014-04-23T13:36:27.820-04:00

CVSS Score: 4.3

Principal attack vector: NETWORK

Complexity: MEDIUM

Reference URL: http://archives.neohapsis.com/archives/bugtraq/2014-04/0134.html

Summary: CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header’s value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction.
