Vulnerability Details : CVE-2017-2391
An issue was discovered in certain Apple products. Pages before 6.1, Numbers before 4.1, and Keynote before 7.1 on macOS and Pages before 3.1, Numbers before 3.1, and Keynote before 3.1 on iOS are affected. The issue involves the "Export" component. It allows users to bypass the password protection of PDFs exported from iWork, because those PDFs are protected with 40-bit RC4 encryption.
Exploit prediction scoring system (EPSS) score for CVE-2017-2391
Probability of exploitation activity in the next 30 days: 0.24%
Percentile (the proportion of vulnerabilities scored at or below this one): ~61%
CVSS scores for CVE-2017-2391
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
| 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
| 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST |
CWE ids for CVE-2017-2391
- The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-2391
- http://www.securityfocus.com/bid/97126 : Apple iOS/Mac CVE-2017-2391 Information Disclosure Vulnerability (Third Party Advisory; VDB Entry)
- https://support.apple.com/HT207595 : About the security content of Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac and Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS - Apple Support (Vendor Advisory)
- http://www.securitytracker.com/id/1038136 : Apple Keynote RC4 Encryption Lets Users Obtain Potentially Sensitive Information from Password Protected Exported PDFs - SecurityTracker
- http://www.securitytracker.com/id/1038134 : Apple Numbers RC4 Encryption Lets Users Obtain Potentially Sensitive Information from Password Protected Exported PDFs - SecurityTracker
- http://www.securitytracker.com/id/1038135 : Apple Pages RC4 Encryption Lets Users Obtain Potentially Sensitive Information from Password Protected Exported PDFs - SecurityTracker
Products affected by CVE-2017-2391
- cpe:2.3:a:apple:keynote:*:*:*:*:*:iphone_os:*:*
- cpe:2.3:a:apple:keynote:*:*:*:*:*:mac_os_x:*:*
- cpe:2.3:a:apple:pages:*:*:*:*:*:iphone_os:*:*
- cpe:2.3:a:apple:pages:*:*:*:*:*:mac_os_x:*:*
- cpe:2.3:a:apple:numbers:*:*:*:*:*:mac_os_x:*:*
- cpe:2.3:a:apple:numbers:*:*:*:*:*:iphone_os:*:*