CVE-2015-1091 — Sensitive Information Exposure in Apple Iphone OS

CWE-200 — Sensitive Information Exposure4 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.5%

top 34.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Iphone OS Apple MAC OS X Apple IOS +1 more

Timeline

PublishedApr 10

Latest updateMay 17

Description

The CFNetwork Session component in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not properly handle request headers during processing of redirects in HTTP responses, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

▶NVDapple/mac_os_x10.10.2

▶NVDapple/iphone_os8.2

▶Appleapple/ios8.3

▶Appleapple/os_x_yosemite_v10.10.3_and_security_update_2015-004

🔴Vulnerability Details

GHSA

GHSA-638g-4fq4-ffcc: The CFNetwork Session component in Apple iOS before 8↗2022-05-17

▶

📋Vendor Advisories

Apple

CVE-2015-1091: OS X Yosemite v10.10.3 and Security Update 2015-004↗

▶

Apple

CVE-2015-1091: iOS 8.3↗

▶