CVE-2016-4698 : AppleMobileFileIntegrity in Apple iOS before 10 and OS X before 10.12 mishandles

AppleMobileFileIntegrity in Apple iOS before 10 and OS X before 10.12 mishandles process entitlement and Team ID values in the task port inheritance policy, which allows attackers to execute arbitrary code in a privileged context via a crafted app.

Published 2016-09-25 10:59:07

Updated 2025-04-12 10:46:41

Source Apple Inc.

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2016-4698

Apple » Mac Os X
Versions up to, including, (<=) 10.11.6
cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os
Versions up to, including, (<=) 9.3.5
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-4698

EPSS FAQ

0.24%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 47 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-4698

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-4698

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-4698

https://support.apple.com/HT207143

About the security content of iOS 10 - Apple Support
Vendor Advisory

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html

Apple - Lists.apple.com
Mailing List;Vendor Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1036858

Apple macOS/OS X Multiple Flaws Let Remote and Local Users Deny Service, Obtain Potentially Sensitive Information, Execute Arbitrary Code, and Gain Elevated Privileges - SecurityTracker

CVEs referencing this url
http://www.securityfocus.com/bid/93056

Apple iOS and Mac OS Multiple Security Vulnerabilities

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html

Apple - Lists.apple.com
Mailing List;Vendor Advisory

CVEs referencing this url
https://support.apple.com/HT207170

About the security content of macOS Sierra 10.12 - Apple Support
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-4698

Products affected by CVE-2016-4698

Exploit prediction scoring system (EPSS) score for CVE-2016-4698

CVSS scores for CVE-2016-4698

CWE ids for CVE-2016-4698

References for CVE-2016-4698