CVE-2014-1296

CWE-2643 documents3 sources

Severity

4.3MEDIUM

EPSS

0.2%

top 56.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Iphone OS Apple MAC OS X Apple Tvos +1 more

Timeline

PublishedApr 23

Latest updateMay 14

Description

CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

▶NVDapple/tvos6.1+3

▶NVDapple/mac_os_x10.9.2+14

▶NVDapple/iphone_os7.1+7

▶NVDapple/mac_os_x_server6 versions+5

🔴Vulnerability Details

GHSA

GHSA-p58q-h9qg-gj96: CFNetwork in Apple iOS before 7↗2022-05-14

▶

CVEList

CVE-2014-1296: CFNetwork in Apple iOS before 7↗2014-04-23

▶