CVE-2008-3438 — Download of Code Without Integrity Check in Apple MAC OS X

CWE-494 — Download of Code Without Integrity Check CWE-94 — Code Injection3 documents3 sources

Severity

8.1HIGHNVD

EPSS

0.4%

top 37.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple MAC OS X

Timeline

PublishedAug 1

Latest updateMay 2

Description

Apple Mac OS X does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages1 packages

▶NVDapple/mac_os_x10.0.0 — 10.5.4

🔴Vulnerability Details

GHSA

GHSA-c99v-pf2h-3c56: Apple Mac OS X does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan h↗2022-05-02

▶

📐Framework References

CWE

Download of Code Without Integrity Check↗

▶