CVE-2013-3955 : The get_xattrinfo function in the XNU kernel in Apple iOS 5.x and 6.x through 6.

The get_xattrinfo function in the XNU kernel in Apple iOS 5.x and 6.x through 6.1.3 on iPad devices does not properly validate the header of an AppleDouble file, which might allow local users to cause a denial of service (memory corruption) or have unspecified other impact via an invalid file on an msdosfs filesystem.

Published 2013-06-05 14:39:58

Updated 2025-04-11 00:51:22

Source MITRE

View at NVD, CVE.org

Vulnerability category: Memory CorruptionDenial of service

Products affected by CVE-2013-3955

Apple » Iphone Os » Version: 6.0.1
cpe:2.3:o:apple:iphone_os:6.0.1:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 6.0.2
cpe:2.3:o:apple:iphone_os:6.0.2:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 5.0.1
cpe:2.3:o:apple:iphone_os:5.0.1:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 5.1
cpe:2.3:o:apple:iphone_os:5.1:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 6.1.3
cpe:2.3:o:apple:iphone_os:6.1.3:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 5.1.1
cpe:2.3:o:apple:iphone_os:5.1.1:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 6.0
cpe:2.3:o:apple:iphone_os:6.0:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 5.0
cpe:2.3:o:apple:iphone_os:5.0:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 6.1
cpe:2.3:o:apple:iphone_os:6.1:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 6.1.2
cpe:2.3:o:apple:iphone_os:6.1.2:*:*:*:*:*:*:*
Matching versions
Apple » Ipad
cpe:2.3:h:apple:ipad:*:*:*:*:*:*:*:*
Matching versions
Apple » Ipad2 » Version: N/A
cpe:2.3:h:apple:ipad2:-:*:*:*:*:*:*:*
Matching versions
Apple » Ipad Mini » Version: N/A
cpe:2.3:h:apple:ipad_mini:-:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-3955

EPSS FAQ

0.19%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 38 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-3955

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.2	MEDIUM	AV:L/AC:H/Au:N/C:C/I:C/A:C	1.9	10.0	NIST
Access Vector: Local Access Complexity: High Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2013-3955

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-3955

http://www.syscan.org/index.php/sg/program/day/2

CVEs referencing this url
http://www.securitytracker.com/id/1029054

Apple iOS Multiple Bugs Let Remote Users Execute Arbitrary Code, Deny Service, Obtain Information, and Conduct Cross-Site Scripting Attacks and Let Applications Gain Elevated Privileges - SecurityTrac

CVEs referencing this url
http://support.apple.com/kb/HT5934

About the security content of iOS 7 - Apple Support

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2013/Sep/msg00006.html

Apple - Lists.apple.com

CVEs referencing this url
http://antid0te.com/syscan_2013/SyScan2013_Mountain_Lion_iOS_Vulnerabilities_Garage_Sale_Whitepaper.pdf

404 - Not Found
Exploit

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2013-3955

Products affected by CVE-2013-3955

Exploit prediction scoring system (EPSS) score for CVE-2013-3955

CVSS scores for CVE-2013-3955

CWE ids for CVE-2013-3955

References for CVE-2013-3955