Apple macOS vulnerabilities

3,139 known vulnerabilities affecting apple/mac_os_x.

Total CVEs: 3,139
CISA KEV: 26 (actively exploited)
Public exploits: 277
Exploited in wild: 28
Severity breakdown: CRITICAL 302, HIGH 1409, MEDIUM 1236, LOW 192

Vulnerabilities

Page 110 of 157
CVE-2014-1355 | MEDIUM | CVSS 4.9 | v10.9, v10.9.1, +2 more | 2014-07-01
The IOKit implementation in the kernel in Apple iOS before 7.1.2 and Apple TV before 6.1.2, and in IOReporting in Apple OS X before 10.9.4, allows local users to cause a denial of service (NULL pointer dereference and reboot) via crafted API arguments.
nvd
CVE-2014-1370 | MEDIUM | CWE-119 | CVSS 6.8 | ≤ 10.9.3, v10.7.0, +14 more | 2014-07-01
The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.
nvd
CVE-2014-1361 | MEDIUM | CWE-200 | CVSS 5.0 | v10.9, v10.9.1, +2 more | 2014-07-01
Secure Transport in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 does not ensure that a DTLS message is accepted only for a DTLS connection, which allows remote attackers to obtain potentially sensitive information from uninitialized process memory by providing a DTLS message within a TLS connection.
nvd
CVE-2014-1380 | LOW | CWE-264 | CVSS 2.6 | v10.9, v10.9.1, +2 more | 2014-07-01
The Security - Keychain component in Apple OS X before 10.9.4 does not properly implement keystroke observers, which allows physically proximate attackers to bypass the screen-lock protection mechanism, and enter characters into an arbitrary window under the lock window, via keyboard input.
nvd
CVE-2014-1375 | LOW | CWE-264 | CVSS 2.1 | v10.9, v10.9.1, +2 more | 2014-07-01
Intel Graphics Driver in Apple OS X before 10.9.4 allows local users to bypass the ASLR protection mechanism by leveraging read access to a kernel pointer in an IOKit object.
nvd
CVE-2014-1317 | LOW | CWE-200 | CVSS 2.1 | v10.9, v10.9.1, +2 more | 2014-07-01
iBooks Commerce in Apple OS X before 10.9.4 places Apple ID credentials in the iBooks log, which allows local users to obtain sensitive information by reading this file.
nvd
CVE-2014-1378 | LOW | CWE-264 | CVSS 2.1 | v10.9, v10.9.1, +2 more | 2014-07-01
IOGraphicsFamily in Apple OS X before 10.9.4 allows local users to bypass the ASLR protection mechanism by leveraging read access to a kernel pointer in an IOKit object.
nvd
CVE-2013-7040 | MEDIUM | CVSS 4.3 | ≤ 10.10.4 | 2014-05-19
Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash ta
nvd
CVE-2014-1318 | CRITICAL | CWE-20 | CVSS 10.0 | ≤ 10.9.2, v10.9, +7 more | 2014-04-23
The Intel Graphics Driver in Apple OS X through 10.9.2 does not properly validate a certain pointer, which allows attackers to execute arbitrary code via a crafted application.
nvd
CVE-2014-1314 | CRITICAL | CWE-264 | CVSS 10.0 | ≤ 10.9.2, v10.9, +7 more | 2014-04-23
WindowServer in Apple OS X through 10.9.2 does not prevent session creation by a sandboxed application, which allows attackers to bypass the sandbox protection mechanism and execute arbitrary code via a crafted application.
nvd
CVE-2014-1296 | MEDIUM | CWE-264 | CVSS 4.3 | v10.8.0, v10.8.1, +13 more | 2014-04-23
CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated b
nvd
CVE-2014-1315 | MEDIUM | CWE-134 | CVSS 6.8 | v10.9, v10.9.1, +1 more | 2014-04-23
Format string vulnerability in CoreServicesUIAgent in Apple OS X 10.9.x through 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in a URL.
nvd
CVE-2014-1316 | MEDIUM | CWE-20 | CVSS 5.0 | ≤ 10.9.2, v10.9, +1 more | 2014-04-23
Heimdal, as used in Apple OS X through 10.9.2, allows remote attackers to cause a denial of service (abort and daemon exit) via ASN.1 data encountered in the Kerberos 5 protocol.
nvd
CVE-2014-1320 | MEDIUM | CWE-200 | CVSS 4.9 | ≤ 10.9.2, v10.9, +1 more | 2014-04-23
IOKit in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 places kernel pointers into an object data structure, which makes it easier for local users to bypass the ASLR protection mechanism by reading unspecified attributes of the object.
nvd
CVE-2014-1319 | MEDIUM | CWE-119 | CVSS 6.8 | v10.9, v10.9.1, +1 more | 2014-04-23
Buffer overflow in ImageIO in Apple OS X 10.9.x through 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG image.
nvd
CVE-2014-1295 | MEDIUM | CWE-287 | CVSS 6.8 | v10.9, v10.9.1, +7 more | 2014-04-23
Secure Transport in Apple iOS before 7.1.1, Apple OS X 10.8.x and 10.9.x through 10.9.2, and Apple TV before 6.1.1 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake
nvd
CVE-2014-1322 | MEDIUM | CWE-200 | CVSS 4.9 | PoC | ≤ 10.9.2, v10.9, +1 more | 2014-04-23
The kernel in Apple OS X through 10.9.2 places a kernel pointer into an XNU object data structure accessible from user space, which makes it easier for local users to bypass the ASLR protection mechanism by reading an unspecified attribute of the object.
nvd
CVE-2014-1321 | LOW | CWE-264 | CVSS 3.3 | v10.9, v10.9.1, +1 more | 2014-04-23
Power Management in Apple OS X 10.9.x through 10.9.2 allows physically proximate attackers to bypass an intended transition into the locked-screen state by touching (1) a key or (2) the trackpad during a lid-close action.
nvd
CVE-2013-7338 | HIGH | CWE-20 | CVSS 7.1 | ≤ 10.10.4 | 2014-04-22
Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.
nvd
CVE-2013-5704 | MEDIUM | CVSS 5.0 | fixed in 10.10.4 | 2014-04-15
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."
nvd