CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Apple : Security Vulnerabilities Published In 2014 (Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-8453 264 Bypass 2014-12-10 2014-12-11
5.0
None Remote Low Not required None Partial None
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow remote attackers to bypass the Same Origin Policy via unspecified vectors.
2 CVE-2014-4465 20 Bypass 2014-12-10 2014-12-11
5.0
None Remote Low Not required None Partial None
WebKit in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1 allows remote attackers to bypass the Same Origin Policy via crafted Cascading Style Sheets (CSS) token sequences within an SVG file in the SRC attribute of an IMG element.
3 CVE-2014-4463 264 Bypass 2014-11-18 2014-11-18
2.1
None Local Low Not required Partial None None
Apple iOS before 8.1.1 allows physically proximate attackers to bypass the lock-screen protection mechanism, and view or transmit a Photo Library photo, via the FaceTime "Leave a Message" feature.
4 CVE-2014-4457 264 Bypass 2014-11-18 2014-11-18
7.5
None Remote Low Not required Partial Partial Partial
The Sandbox Profiles subsystem in Apple iOS before 8.1.1 does not properly implement the debugserver sandbox, which allows attackers to bypass intended binary-execution restrictions via a crafted application that is run during a time period when debugging is not enabled.
5 CVE-2014-4455 264 Bypass 2014-11-18 2014-11-18
2.1
None Local Low Not required None Partial None
dyld in Apple iOS before 8.1.1 and Apple TV before 7.0.2 does not properly handle overlapping segments in Mach-O executable files, which allows local users to bypass intended code-signing restrictions via a crafted file.
6 CVE-2014-4451 264 Bypass 2014-11-18 2014-11-18
7.2
None Local Low Not required Complete Complete Complete
Apple iOS before 8.1.1 does not properly enforce the failed-passcode limit, which makes it easier for physically proximate attackers to bypass the lock-screen protection mechanism via a series of guesses.
7 CVE-2014-4446 264 Bypass 2014-10-17 2014-10-28
2.1
None Remote High Single system Partial None None
Mail Service in Apple OS X Server before 4.0 does not enforce SACL changes until after a service restart, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging a change made by an administrator.
8 CVE-2014-4437 264 Bypass 2014-10-17 2014-10-31
6.8
None Remote Medium Not required Partial Partial Partial
LaunchServices in Apple OS X before 10.10 allows attackers to bypass intended sandbox restrictions via an application that specifies a crafted handler for the Content-Type field of an object.
9 CVE-2014-4427 264 Bypass 2014-10-17 2014-10-31
7.5
None Remote Low Not required Partial Partial Partial
App Sandbox in Apple OS X before 10.10 allows attackers to bypass a sandbox protection mechanism via the accessibility API.
10 CVE-2014-4423 264 Bypass 2014-09-18 2014-09-18
4.3
None Remote Medium Not required Partial None None
The Accounts subsystem in Apple iOS before 8 allows attackers to bypass a sandbox protection mechanism and obtain an active iCloud account's Apple ID and metadata via a crafted application.
11 CVE-2014-4422 310 Bypass 2014-09-18 2014-10-24
6.8
None Remote Medium Not required Partial Partial Partial
The kernel in Apple iOS before 8 and Apple TV before 7 uses a predictable random number generator during the early portion of the boot process, which allows attackers to bypass certain kernel-hardening protection mechanisms by using a user-space process to observe data related to the random numbers.
12 CVE-2014-4403 200 Bypass +Info 2014-09-19 2014-09-19
2.1
None Local Low Not required Partial None None
The kernel in Apple OS X before 10.9.5 allows local users to obtain sensitive address information and bypass the ASLR protection mechanism by leveraging predictability of the location of the CPU Global Descriptor Table.
13 CVE-2014-4391 310 Exec Code Bypass 2014-10-17 2014-10-31
6.8
None Remote Medium Not required Partial Partial Partial
The Code Signing feature in Apple OS X before 10.10 does not properly handle incomplete resource envelopes in signed bundles, which allows remote attackers to bypass intended app-author restrictions by omitting an execution-related resource.
14 CVE-2014-4379 119 Overflow Bypass 2014-09-18 2014-09-23
7.1
None Remote Medium Not required Complete None None
An unspecified IOHIDFamily function in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking to prevent reading of kernel pointers, which allows attackers to bypass the ASLR protection mechanism via a crafted application.
15 CVE-2014-4354 264 Bypass 2014-09-18 2014-09-18
5.8
None Local Network Low Not required Partial Partial Partial
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.
16 CVE-2014-2234 20 Bypass 2014-03-05 2014-03-05
6.4
None Remote Low Not required Partial Partial None
A certain Apple patch for OpenSSL in Apple OS X 10.9.2 and earlier uses a Trust Evaluation Agent (TEA) feature without terminating certain TLS/SSL handshakes as specified in the SSL_CTX_set_verify callback function's documentation, which allows remote attackers to bypass extra verification within a custom application via a crafted certificate chain that is acceptable to TEA but not acceptable to that application.
17 CVE-2014-2019 264 Bypass 2014-02-18 2014-03-16
4.9
None Local Low Not required None Complete None
The iCloud subsystem in Apple iOS before 7.1 allows physically proximate attackers to bypass an intended password requirement, and turn off the Find My iPhone service or complete a Delete Account action and then associate this service with a different Apple ID account, by entering an arbitrary iCloud Account Password value and a blank iCloud Account Description value.
18 CVE-2014-1383 264 Bypass 2014-07-01 2014-07-24
5.5
None Remote Low Single system Partial Partial None
Apple TV before 6.1.2 allows remote authenticated users to bypass an intended password requirement for iTunes Store purchase transactions via unspecified vectors.
19 CVE-2014-1380 264 Bypass 2014-07-01 2014-07-24
2.6
None Local High Not required Partial Partial None
The Security - Keychain component in Apple OS X before 10.9.4 does not properly implement keystroke observers, which allows physically proximate attackers to bypass the screen-lock protection mechanism, and enter characters into an arbitrary window under the lock window, via keyboard input.
20 CVE-2014-1378 264 Bypass 2014-07-01 2014-07-24
2.1
None Local Low Not required Partial None None
IOGraphicsFamily in Apple OS X before 10.9.4 allows local users to bypass the ASLR protection mechanism by leveraging read access to a kernel pointer in an IOKit object.
21 CVE-2014-1375 264 Bypass 2014-07-01 2014-07-24
2.1
None Local Low Not required Partial None None
Intel Graphics Driver in Apple OS X before 10.9.4 allows local users to bypass the ASLR protection mechanism by leveraging read access to a kernel pointer in an IOKit object.
22 CVE-2014-1372 264 Bypass +Info 2014-07-01 2014-12-02
4.9
None Local Low Not required Complete None None
Graphics Driver in Apple OS X before 10.9.4 does not properly restrict read operations during processing of an unspecified system call, which allows local users to obtain sensitive information from kernel memory and bypass the ASLR protection mechanism via a crafted call.
23 CVE-2014-1360 20 Bypass 2014-07-01 2014-09-19
2.1
None Local Low Not required None Partial None
Lockdown in Apple iOS before 7.1.2 does not properly verify data from activation servers, which makes it easier for physically proximate attackers to bypass the Activation Lock protection mechanism via unspecified vectors.
24 CVE-2014-1353 264 Bypass 2014-07-01 2014-07-24
3.6
None Local Low Not required Partial Partial None
Lock Screen in Apple iOS before 7.1.2 does not properly manage the telephony state in Airplane Mode, which allows physically proximate attackers to bypass the lock protection mechanism, and access a certain foreground application, via unspecified vectors.
25 CVE-2014-1351 264 Bypass 2014-07-01 2014-07-24
3.6
None Local Low Not required Partial Partial None
Siri in Apple iOS before 7.1.2 allows physically proximate attackers to bypass an intended lock-screen passcode requirement, and read a contact list, via a Siri request that refers to a contact ambiguously.
26 CVE-2014-1350 264 Bypass 2014-07-01 2014-07-24
4.6
None Local Low Not required Partial Partial Partial
Settings in Apple iOS before 7.1.2 allows physically proximate attackers to bypass an intended iCloud password requirement, and turn off the Find My iPhone service, by leveraging incorrect state management.
27 CVE-2014-1346 20 Bypass 2014-05-22 2014-07-24
5.0
None Remote Low Not required None Partial None
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, does not properly interpret Unicode encoding, which allows remote attackers to spoof a postMessage origin, and bypass intended restrictions on sending a message to a connected frame or window, via crafted characters in a URL.
28 CVE-2014-1322 200 Bypass +Info 2014-04-23 2014-04-24
4.9
None Local Low Not required Complete None None
The kernel in Apple OS X through 10.9.2 places a kernel pointer into an XNU object data structure accessible from user space, which makes it easier for local users to bypass the ASLR protection mechanism by reading an unspecified attribute of the object.
29 CVE-2014-1321 264 Bypass 2014-04-23 2014-04-24
3.3
None Local Medium Not required Partial Partial None
Power Management in Apple OS X 10.9.x through 10.9.2 allows physically proximate attackers to bypass an intended transition into the locked-screen state by touching (1) a key or (2) the trackpad during a lid-close action.
30 CVE-2014-1320 200 Bypass +Info 2014-04-23 2014-04-24
4.9
None Local Low Not required Complete None None
IOKit in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 places kernel pointers into an object data structure, which makes it easier for local users to bypass the ASLR protection mechanism by reading unspecified attributes of the object.
31 CVE-2014-1314 264 Exec Code Bypass 2014-04-23 2014-04-24
10.0
None Remote Low Not required Complete Complete Complete
WindowServer in Apple OS X through 10.9.2 does not prevent session creation by a sandboxed application, which allows attackers to bypass the sandbox protection mechanism and execute arbitrary code via a crafted application.
32 CVE-2014-1303 119 Exec Code Overflow Bypass 2014-03-26 2014-04-24
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in Apple Safari 7.0.2 allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism via unspecified vectors, as demonstrated by Liang Chen during a Pwn2Own competition at CanSecWest 2014.
33 CVE-2014-1297 20 Bypass 2014-04-02 2014-04-02
5.0
None Remote Low Not required Partial None None
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, does not properly validate WebProcess IPC messages, which allows remote attackers to bypass a sandbox protection mechanism and read arbitrary files by leveraging WebProcess access.
34 CVE-2014-1296 264 Bypass 2014-04-23 2014-04-23
4.3
None Remote Medium Not required Partial None None
CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction.
35 CVE-2014-1285 264 Bypass 2014-03-14 2014-03-14
5.8
None Remote Medium Not required Partial Partial None
Springboard in Apple iOS before 7.1 allows physically proximate attackers to bypass intended access restrictions and read the home screen by leveraging an application crash during activation of an unactivated device.
36 CVE-2014-1282 264 Bypass 2014-03-14 2014-03-14
5.8
None Remote Medium Not required Partial Partial None
The Profiles component in Apple iOS before 7.1 and Apple TV before 6.1 allows attackers to bypass intended configuration-profile visibility requirements via a long name.
37 CVE-2014-1273 20 Bypass 2014-03-14 2014-03-14
5.8
None Remote Medium Not required Partial Partial None
dyld in Apple iOS before 7.1 and Apple TV before 6.1 allows attackers to bypass code-signing requirements by leveraging use of text-relocation instructions in a dynamic library.
38 CVE-2014-1267 20 Bypass 2014-03-14 2014-03-14
5.8
None Remote Medium Not required Partial Partial None
The Configuration Profiles component in Apple iOS before 7.1 and Apple TV before 6.1 does not properly evaluate the expiration date of a mobile configuration profile, which allows attackers to bypass intended access restrictions by using a profile after the date has passed.
39 CVE-2014-1265 264 Bypass 2014-02-26 2014-02-27
4.6
None Local Low Not required Partial Partial Partial
The systemsetup program in the Date and Time subsystem in Apple OS X before 10.9.2 allows local users to bypass intended access restrictions by changing the current time on the system clock.
40 CVE-2014-1264 264 Bypass 2014-02-26 2014-03-10
3.3
None Local Medium Not required Partial Partial None
Finder in Apple OS X before 10.9.2 does not ensure ACL integrity after the viewing of file ACL information, which allows local users to bypass intended access restrictions in opportunistic circumstances via standard filesystem operations on a file with a damaged ACL.
41 CVE-2014-1262 119 Overflow Mem. Corr. Bypass 2014-02-26 2014-02-27
7.5
None Remote Low Not required Partial Partial Partial
Apple Type Services (ATS) in Apple OS X before 10.9.2 allows attackers to bypass the App Sandbox protection mechanism via crafted Mach messages that trigger memory corruption.
42 CVE-2014-1257 264 Bypass 2014-02-26 2014-02-27
3.6
None Local Low Not required Partial Partial None
CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation.
43 CVE-2014-1256 119 Overflow Bypass 2014-02-26 2014-02-27
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in Apple Type Services (ATS) in Apple OS X before 10.9.2 allows attackers to bypass the App Sandbox protection mechanism via crafted Mach messages.
44 CVE-2014-1255 20 Bypass 2014-02-26 2014-02-27
7.5
None Remote Low Not required Partial Partial Partial
Apple Type Services (ATS) in Apple OS X before 10.9.2 does not properly validate calls to the free function, which allows attackers to bypass the App Sandbox protection mechanism via crafted Mach messages.
Total number of vulnerabilities : 44   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.