CVE-2014-4491 — Sensitive Information Exposure in Apple Iphone OS

CWE-200 — Sensitive Information Exposure5 documents3 sources

Severity

5.0MEDIUMNVD

EPSS

0.5%

top 32.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Iphone OS Apple MAC OS X Apple Tvos +3 more

Timeline

PublishedJan 30

Latest updateMay 14

Description

The extension APIs in the kernel in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 do not prevent the presence of addresses within an OSBundleMachOHeaders key in a response, which makes it easier for attackers to bypass the ASLR protection mechanism via a crafted app.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages6 packages

▶NVDapple/tvos7.0.1

▶NVDapple/mac_os_x10.10.1

▶NVDapple/iphone_os8.1.2

▶Appleapple/ios8.1.3

▶Appleapple/apple_tv7.0.3

🔴Vulnerability Details

GHSA

GHSA-w738-hqfg-6rcg: The extension APIs in the kernel in Apple iOS before 8↗2022-05-14

▶

📋Vendor Advisories

Apple

CVE-2014-4491: OS X Yosemite v10.10.2 and Security Update 2015-001↗

▶

Apple

CVE-2014-4491: iOS 8.1.3↗

▶

Apple

CVE-2014-4491: Apple TV 7.0.3↗

▶