CVE-2016-1742 : Untrusted search path vulnerability in the installer in Apple iTunes before 12.4

Untrusted search path vulnerability in the installer in Apple iTunes before 12.4 allows local users to gain privileges via a Trojan horse DLL in the current working directory.

Published 2016-05-20 10:59:01

Updated 2025-04-12 10:46:41

Source Apple Inc.

View at NVD, CVE.org

Products affected by CVE-2016-1742

Apple » Itunes
Versions up to, including, (<=) 12.3.1
cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-1742

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 14 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-1742

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-1742

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-1742

http://lists.apple.com/archives/security-announce/2016/May/msg00006.html

Apple - Lists.apple.com
Vendor Advisory
http://www.securitytracker.com/id/1035887

Apple iTunes Lets Local Users Gain Elevated Privileges - SecurityTracker
https://support.apple.com/HT206379

About the security content of iTunes 12.4 - Apple Support
Vendor Advisory

Jump to

Vulnerability Details : CVE-2016-1742

Products affected by CVE-2016-1742

Exploit prediction scoring system (EPSS) score for CVE-2016-1742

CVSS scores for CVE-2016-1742

CWE ids for CVE-2016-1742

References for CVE-2016-1742