CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Apple » Mac Os X » 10.8.0 : Security Vulnerabilities

Cpe Name:cpe:/o:apple:mac_os_x:10.8.0
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-4446 264 Bypass 2014-10-17 2014-10-21
2.1
None Remote High Single system Partial None None
Mail Service in Apple OS X Server before 4.0 does not enforce SACL changes until after a service restart, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging a change made by an administrator.
2 CVE-2014-4444 287 +Priv 2014-10-17 2014-10-21
4.4
None Local Medium Not required Partial Partial Partial
SecurityAgent in Apple OS X before 10.10 does not ensure that a Kerberos ticket is in the cache for the correct user, which allows local users to gain privileges in opportunistic circumstances by leveraging a Fast User Switching login.
3 CVE-2014-4443 20 DoS 2014-10-17 2014-10-21
7.1
None Remote Medium Not required None None Complete
Apple OS X before 10.10 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted ASN.1 data.
4 CVE-2014-4442 20 DoS 2014-10-17 2014-10-21
4.7
None Local Medium Not required None None Complete
The kernel in Apple OS X before 10.10 allows local users to cause a denial of service (panic) via a message to a system control socket.
5 CVE-2014-4441 264 2014-10-17 2014-10-21
6.8
None Remote Medium Not required Partial Partial Partial
NetFS Client Framework in Apple OS X before 10.10 does not ensure that the disabling of File Sharing is always possible, which allows remote attackers to read or write to files by leveraging a state in which File Sharing is permanently enabled.
6 CVE-2014-4440 16 +Info 2014-10-17 2014-10-21
2.6
None Remote High Not required Partial None None
The MCX Desktop Config Profiles implementation in Apple OS X before 10.10 retains web-proxy settings from uninstalled mobile-configuration profiles, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging access to an unintended proxy server.
7 CVE-2014-4439 200 +Info 2014-10-17 2014-10-21
2.6
None Remote High Not required Partial None None
Mail in Apple OS X before 10.10 does not properly recognize the removal of a recipient address from a message, which makes it easier for remote attackers to obtain sensitive information in opportunistic circumstances by reading a message intended exclusively for other recipients.
8 CVE-2014-4438 362 2014-10-17 2014-10-21
4.4
None Local Medium Not required Partial Partial Partial
Race condition in LoginWindow in Apple OS X before 10.10 allows physically proximate attackers to obtain access by leveraging an unattended workstation on which screen locking had been attempted.
9 CVE-2014-4437 20 Bypass 2014-10-17 2014-10-21
4.3
None Remote Medium Not required None Partial None
LaunchServices in Apple OS X before 10.10 allows attackers to bypass intended sandbox restrictions via an application that specifies a crafted handler for the Content-Type field of an object.
10 CVE-2014-4436 94 DoS 2014-10-17 2014-10-21
5.4
None Remote High Not required None None Complete
IOHIDFamily in Apple OS X before 10.10 allows attackers to cause denial of service (out-of-bounds read operation) via a crafted application.
11 CVE-2014-4435 287 2014-10-17 2014-10-21
4.4
None Local Medium Not required Partial Partial Partial
The "iCloud Find My Mac" feature in Apple OS X before 10.10 does not properly enforce rate limiting of lost-mode PIN entry, which makes it easier for physically proximate attackers to obtain access via a brute-force attack involving a series of reboots.
12 CVE-2014-4434 20 DoS 2014-10-17 2014-10-21
4.9
None Local Low Not required None None Complete
The kernel in Apple OS X before 10.10 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted filename on an HFS filesystem.
13 CVE-2014-4433 119 Exec Code Overflow 2014-10-17 2014-10-21
4.4
None Local Medium Not required Partial Partial Partial
Heap-based buffer overflow in the kernel in Apple OS X before 10.10 allows physically proximate attackers to execute arbitrary code via crafted resource forks in an HFS filesystem.
14 CVE-2014-4432 310 2014-10-17 2014-10-21
4.0
None Local High Not required Complete None None
fdesetup in Apple OS X before 10.10 does not properly display the encryption status in between a setting-update action and a reboot action, which might make it easier for physically proximate attackers to obtain cleartext data by leveraging ignorance of the reboot requirement.
15 CVE-2014-4431 287 2014-10-17 2014-10-21
4.6
None Local Low Not required Partial Partial Partial
Dock in Apple OS X before 10.10 does not properly manage the screen-lock state, which allows physically proximate attackers to view windows by leveraging an unattended workstation.
16 CVE-2014-4430 310 2014-10-17 2014-10-21
4.0
None Local High Not required Complete None None
CoreStorage in Apple OS X before 10.10 retains a volume's encryption keys upon an eject action in the unlocked state, which makes it easier for physically proximate attackers to obtain cleartext data via a remount.
17 CVE-2014-4428 310 2014-10-17 2014-10-21
5.4
None Local Network Medium Not required Partial Partial Partial
Bluetooth in Apple OS X before 10.10 does not require encryption for HID Low Energy devices, which allows remote attackers to spoof a device by leveraging previous pairing.
18 CVE-2014-4427 264 Bypass 2014-10-17 2014-10-21
5.0
None Remote Low Not required None Partial None
App Sandbox in Apple OS X before 10.10 allows attackers to bypass a sandbox protection mechanism via the accessibility API.
19 CVE-2014-4426 200 +Info 2014-10-17 2014-10-21
4.3
None Remote Medium Not required Partial None None
AFP File Server in Apple OS X before 10.10 allows remote attackers to discover the network addresses of all interfaces via an unspecified command to one interface.
20 CVE-2014-4425 287 2014-10-17 2014-10-21
4.6
None Local Low Not required Partial Partial Partial
CFPreferences in Apple OS X before 10.10 does not properly enforce the "require password after sleep or screen saver begins" setting, which makes it easier for physically proximate attackers to obtain access by leveraging an unattended workstation.
21 CVE-2014-4417 20 DoS 2014-10-17 2014-10-21
5.4
None Remote High Not required None None Complete
Safari in Apple OS X before 10.10 allows remote attackers to cause a denial of service (universal Push Notification outage) via a web site that triggers an uncaught SafariNotificationAgent exception by providing a crafted Push Notification.
22 CVE-2014-4391 310 Exec Code Bypass 2014-10-17 2014-10-21
6.8
None Remote Medium Not required Partial Partial Partial
The Code Signing feature in Apple OS X before 10.10 does not properly handle incomplete resource envelopes in signed bundles, which allows remote attackers to bypass intended app-author restrictions by omitting an execution-related resource.
23 CVE-2014-4351 119 DoS Exec Code Overflow 2014-10-17 2014-10-21
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in QuickTime in Apple OS X before 10.10 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted audio samples in an m4a file.
24 CVE-2014-1379 DoS +Priv 2014-07-01 2014-07-24
10.0
None Remote Low Not required Complete Complete Complete
Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.
25 CVE-2014-1377 Exec Code 2014-07-01 2014-07-24
10.0
None Remote Low Not required Complete Complete Complete
Array index error in IOAcceleratorFamily in Apple OS X before 10.9.4 allows attackers to execute arbitrary code via a crafted application.
26 CVE-2014-1376 264 Exec Code 2014-07-01 2014-07-24
10.0
None Remote Low Not required Complete Complete Complete
Intel Compute in Apple OS X before 10.9.4 does not properly restrict an unspecified OpenCL API call, which allows attackers to execute arbitrary code via a crafted application.
27 CVE-2014-1373 264 Exec Code 2014-07-01 2014-07-24
10.0
None Remote Low Not required Complete Complete Complete
Intel Graphics Driver in Apple OS X before 10.9.4 does not properly restrict an unspecified OpenGL API call, which allows attackers to execute arbitrary code via a crafted application.
28 CVE-2014-1372 264 Bypass +Info 2014-07-01 2014-07-24
4.9
None Local Low Not required Complete None None
Graphics Driver in Apple OS X before 10.9.4 does not properly restrict read operations during processing of an unspecified system call, which allows local users to obtain sensitive information from kernel memory and bypass the ASLR protection mechanism via a crafted call.
29 CVE-2014-1371 119 DoS Exec Code Overflow 2014-07-01 2014-07-24
7.5
None Remote Low Not required Partial Partial Partial
Array index error in Dock in Apple OS X before 10.9.4 allows attackers to execute arbitrary code or cause a denial of service (incorrect function-pointer dereference and application crash) by leveraging access to a sandboxed application for sending a message.
30 CVE-2014-1370 119 DoS Exec Code Overflow 2014-07-01 2014-07-24
6.8
None Remote Medium Not required Partial Partial Partial
The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.
31 CVE-2014-1318 20 Exec Code 2014-04-23 2014-04-23
10.0
None Remote Low Not required Complete Complete Complete
The Intel Graphics Driver in Apple OS X through 10.9.2 does not properly validate a certain pointer, which allows attackers to execute arbitrary code via a crafted application.
32 CVE-2014-1314 264 Exec Code Bypass 2014-04-23 2014-04-24
10.0
None Remote Low Not required Complete Complete Complete
WindowServer in Apple OS X through 10.9.2 does not prevent session creation by a sandboxed application, which allows attackers to bypass the sandbox protection mechanism and execute arbitrary code via a crafted application.
33 CVE-2014-1296 264 Bypass 2014-04-23 2014-04-23
4.3
None Remote Medium Not required Partial None None
CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction.
34 CVE-2014-1295 287 +Info 2014-04-23 2014-04-23
6.8
None Remote Medium Not required Partial Partial Partial
Secure Transport in Apple iOS before 7.1.1, Apple OS X 10.8.x and 10.9.x through 10.9.2, and Apple TV before 6.1.1 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack."
35 CVE-2014-1270 119 DoS Exec Code Overflow Mem. Corr. 2014-02-26 2014-03-16
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1268 and CVE-2014-1269.
36 CVE-2014-1269 119 DoS Exec Code Overflow Mem. Corr. 2014-02-26 2014-03-16
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1268 and CVE-2014-1270.
37 CVE-2014-1268 119 DoS Exec Code Overflow Mem. Corr. 2014-02-26 2014-02-27
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1269 and CVE-2014-1270.
38 CVE-2014-1265 264 Bypass 2014-02-26 2014-02-27
4.6
None Local Low Not required Partial Partial Partial
The systemsetup program in the Date and Time subsystem in Apple OS X before 10.9.2 allows local users to bypass intended access restrictions by changing the current time on the system clock.
39 CVE-2014-1260 119 DoS Exec Code Overflow Mem. Corr. 2014-02-26 2014-03-10
6.8
None Remote Medium Not required Partial Partial Partial
QuickLook in Apple OS X through 10.8.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Microsoft Office document.
40 CVE-2014-1259 119 DoS Exec Code Overflow 2014-02-26 2014-03-10
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in File Bookmark in Apple OS X before 10.9.2 allows attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted filename.
41 CVE-2014-1258 119 DoS Exec Code Overflow 2014-02-26 2014-02-27
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in CoreAnimation in Apple OS X before 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted image.
42 CVE-2014-1257 264 Bypass 2014-02-26 2014-02-27
3.6
None Local Low Not required Partial Partial None
CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation.
43 CVE-2014-1256 119 Overflow Bypass 2014-02-26 2014-02-27
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in Apple Type Services (ATS) in Apple OS X before 10.9.2 allows attackers to bypass the App Sandbox protection mechanism via crafted Mach messages.
44 CVE-2014-1254 119 DoS Exec Code Overflow Mem. Corr. 2014-02-26 2014-02-27
6.8
None Remote Medium Not required Partial Partial Partial
Apple Type Services (ATS) in Apple OS X before 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Type 1 font that is embedded in a document.
45 CVE-2013-5192 20 DoS 2013-10-23 2013-10-24
4.9
None Local Low Not required None None Complete
The USB hub controller in Apple Mac OS X before 10.9 allows local users to cause a denial of service (system crash) via a request with a crafted (1) port or (2) port number.
46 CVE-2013-5191 264 +Info 2013-10-23 2013-10-24
2.1
None Local Low Not required Partial None None
The syslog implementation in Apple Mac OS X before 10.9 allows local users to obtain sensitive information by leveraging access to the Guest account and reading console-log messages from previous Guest sessions.
47 CVE-2013-5190 264 DoS 2013-10-23 2013-10-24
4.3
None Remote Medium Not required None None Partial
Smart Card Services in Apple Mac OS X before 10.9 does not properly implement certificate-revocation checks, which allows remote attackers to cause a denial of service (Smart Card usage outage) by interfering with the revocation-check procedure.
48 CVE-2013-5189 264 Bypass 2013-10-23 2013-10-24
5.8
None Remote Medium Not required Partial Partial None
Apple Mac OS X before 10.9 does not preserve a certain administrative system-preferences setting across software updates, which allows context-dependent attackers to bypass intended access restrictions in opportunistic circumstances by leveraging an unintended security configuration after the completion of an update.
49 CVE-2013-5188 264 2013-10-23 2013-10-24
4.0
None Local High Not required Complete None None
The Screen Lock implementation in Apple Mac OS X before 10.9, when hibernation and autologin are enabled, does not require a password for a transition out of hibernation, which allows physically proximate attackers to obtain access by visiting an unattended workstation in the hibernating state.
50 CVE-2013-5187 264 +Info 2013-10-23 2013-10-24
1.9
None Local Medium Not required Partial None None
The Screen Lock implementation in Apple Mac OS X before 10.9 does not immediately accept Keychain Status menu Lock Screen commands, and instead incorrectly relies on a certain timeout setting, which allows physically proximate attackers to obtain sensitive information by reading a screen that should have transitioned into the locked state.
Total number of vulnerabilities : 103   Page : 1 (This Page)2 3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.