CVE-2017-2387 — Improper Certificate Validation in Apple Music

CWE-295 — Improper Certificate Validation4 documents4 sources
Severity
4.8MEDIUMNVD
EPSS
0.2%
top 61.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apple Music
Timeline
PublishedApr 7
Latest updateMay 13

Description

The Apple Music (aka com.apple.android.music) application before 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS vector

CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages1 packages

â–¶NVDapple/apple_music1.2.1

🔴Vulnerability Details

2
GHSA
GHSA-2c64-5hcr-p4hq: The Apple Music (aka com↗2022-05-13
â–¶
CVEList
CVE-2017-2387: The Apple Music (aka com↗2017-04-07
â–¶

📋Vendor Advisories

1
Apple
CVE-2017-2387: Apple Music 2.0 for Android↗2017-04-04
â–¶
CVE-2017-2387 — Improper Certificate Validation | cvebase