CVE-2016-4644

CWE-200 — Information Exposure6 documents4 sources

Severity

6.5MEDIUM

EPSS

0.4%

top 37.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Apple TV Apple Iphone OS Apple MAC OS

Timeline

PublishedJan 11

Latest updateMay 14

Description

In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a downgrade issue existed with HTTP authentication credentials saved in Keychain. This issue was addressed by storing the authentication types with the credentials.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDapple/mac_os10.11.0 — 10.11.6

▶NVDapple/apple_tv< 9.2.2

▶NVDapple/iphone_os< 9.3.3

🔴Vulnerability Details

GHSA

GHSA-p9wg-r6p8-r2pv: In iOS before 9↗2022-05-14

▶

CVEList

CVE-2016-4644: In iOS before 9↗2019-01-11

▶

📋Vendor Advisories

Apple

CVE-2016-4644: OS X El Capitan v10.11.6 and Security Update 2016-004↗2016-07-18

▶

Apple

CVE-2016-4644: tvOS 9.2.2↗2016-07-18

▶

Apple

CVE-2016-4644: iOS 9.3.3↗2016-07-18

▶