ID

VAR-200712-0445


CVE

CVE-2007-5862


TITLE

Apple Mac OS X Keychain Security Bypass Vulnerability

Trust: 0.9

sources: BID: 26877 // CNNVD: CNNVD-200712-212

DESCRIPTION

Java in Mac OS X 10.4 through 10.4.11 allows remote attackers to bypass Keychain access controls and add or delete arbitrary Keychain items via a crafted Java applet. Apple Mac OS X Keychain is prone to a security-bypass vulnerability because it fails to properly validate user credentials before performing certain actions. This issue may stem from a security issue in Java. A successful attack allows unauthorized users to modify other users' accounts, which may aid in further attacks. This issue affects Mac OS X 10.4.10 and Mac OS X Server 10.4.10.

TITLE: Mac OS X Java Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA28115
VERIFY ADVISORY: http://secunia.com/advisories/28115/
CRITICAL: Highly critical
IMPACT: Security Bypass, Privilege escalation, DoS, System access
WHERE: From remote
OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/
DESCRIPTION: Some vulnerabilities have been reported and acknowledged in Mac OS X, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, to cause a DoS (Denial of Service), or to compromise a user's system.

2) Some vulnerabilities in Java 1.4 and J2SE 5.0 can be exploited to bypass certain security restrictions, conduct cross-site scripting attacks, to cause a DoS (Denial of Service), or to compromise a user's system.

Java for Mac OS X 10.4, Release 6: http://www.apple.com/support/downloads/javaformacosx104release6.html

PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Bruno Harbulot, University of Manchester.
ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307177
OTHER REFERENCES:
SA21709: http://secunia.com/advisories/21709/
SA23398: http://secunia.com/advisories/23398/
SA23445: http://secunia.com/advisories/23445/
SA23757: http://secunia.com/advisories/23757/
SA25069: http://secunia.com/advisories/25069/
SA25295: http://secunia.com/advisories/25295/
SA25769: http://secunia.com/advisories/25769/
SA25823: http://secunia.com/advisories/25823/
SA25981: http://secunia.com/advisories/25981/
SA26015: http://secunia.com/advisories/26015/
SA26402: http://secunia.com/advisories/26402/
SA27009: http://secunia.com/advisories/27009/

Trust: 2.07

sources: NVD: CVE-2007-5862 // JVNDB: JVNDB-2007-001038 // BID: 26877 // VULHUB: VHN-29224 // PACKETSTORM: 61851

AFFECTED PRODUCTS

vendor: apple, model: mac os x, scope: eq, version: 10.4.2

Trust: 1.6

vendor: apple, model: mac os x, scope: eq, version: 10.4.9

Trust: 1.6

vendor: apple, model: mac os x, scope: eq, version: 10.4.5

Trust: 1.6

vendor: apple, model: mac os x, scope: eq, version: 10.4.10

Trust: 1.6

vendor: apple, model: mac os x, scope: eq, version: 10.4.6

Trust: 1.6

vendor: apple, model: mac os x, scope: eq, version: 10.4.11

Trust: 1.6

vendor: apple, model: mac os x, scope: eq, version: 10.4.4

Trust: 1.6

vendor: apple, model: mac os x, scope: eq, version: 10.4.8

Trust: 1.6

vendor: apple, model: mac os x, scope: eq, version: 10.4.7

Trust: 1.6

vendor: apple, model: mac os x, scope: eq, version: 10.4.3

Trust: 1.6

vendor: apple, model: mac os x, scope: eq, version: 10.4

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.4.1

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: v10.4.10

Trust: 0.8

vendor: apple, model: mac os x server, scope: eq, version: v10.4.10

Trust: 0.8

vendor: apple, model: mac os server, scope: eq, version: x10.4.11

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4.10

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.11

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.10

Trust: 0.3

vendor: apple, model: mac os server, scope: ne, version: x10.5.1

Trust: 0.3

vendor: apple, model: mac os server, scope: ne, version: x10.5

Trust: 0.3

vendor: apple, model: mac os, scope: ne, version: x10.5.1

Trust: 0.3

vendor: apple, model: mac os, scope: ne, version: x10.5

Trust: 0.3

sources: BID: 26877 // JVNDB: JVNDB-2007-001038 // CNNVD: CNNVD-200712-212 // NVD: CVE-2007-5862

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-5862
value: HIGH

Trust: 1.0

NVD: CVE-2007-5862
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200712-212
value: CRITICAL

Trust: 0.6

VULHUB: VHN-29224
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2007-5862
severity: HIGH
baseScore: 9.4
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-29224
severity: HIGH
baseScore: 9.4
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-29224 // JVNDB: JVNDB-2007-001038 // CNNVD: CNNVD-200712-212 // NVD: CVE-2007-5862

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-29224 // JVNDB: JVNDB-2007-001038 // NVD: CVE-2007-5862

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200712-212

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-200712-212

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-001038

PATCH

title: Java for Mac OS X 10.4 Release 6, url: http://docs.info.apple.com/article.html?artnum=307177-en

Trust: 0.8

title: Java for Mac OS X 10.4 Release 6, url: http://docs.info.apple.com/article.html?artnum=307177-ja

Trust: 0.8

sources: JVNDB: JVNDB-2007-001038

EXTERNAL IDS

db: NVD, id: CVE-2007-5862

Trust: 2.8

db: BID, id: 26877

Trust: 2.8

db: SECUNIA, id: 28115

Trust: 2.6

db: VUPEN, id: ADV-2007-4224

Trust: 1.7

db: JVNDB, id: JVNDB-2007-001038

Trust: 0.8

db: APPLE, id: APPLE-SA-2007-12-14

Trust: 0.6

db: CNNVD, id: CNNVD-200712-212

Trust: 0.6

db: VULHUB, id: VHN-29224

Trust: 0.1

db: PACKETSTORM, id: 61851

Trust: 0.1

sources: VULHUB: VHN-29224 // BID: 26877 // JVNDB: JVNDB-2007-001038 // PACKETSTORM: 61851 // CNNVD: CNNVD-200712-212 // NVD: CVE-2007-5862

REFERENCES

url:http://www.securityfocus.com/bid/26877

Trust: 2.5

url:http://secunia.com/advisories/28115

Trust: 2.5

url:http://docs.info.apple.com/article.html?artnum=307177

Trust: 1.8

url:http://lists.apple.com/archives/security-announce/2007/dec/msg00001.html

Trust: 1.7

url:http://www.frsirt.com/english/advisories/2007/4224

Trust: 1.4

url:http://www.vupen.com/english/advisories/2007/4224

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-5862

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2007-5862

Trust: 0.8

url:http://seclists.org/oss-sec/2016/q1/16

Trust: 0.3

url:http://software.cisco.com/download/navigator.html?mdfid=283613663

Trust: 0.3

url:http://secunia.com/advisories/23398/

Trust: 0.1

url:http://secunia.com/advisories/25823/

Trust: 0.1

url:http://secunia.com/advisories/28115/

Trust: 0.1

url:http://secunia.com/advisories/25295/

Trust: 0.1

url:http://secunia.com/advisories/25069/

Trust: 0.1

url:http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://www.apple.com/support/downloads/javaformacosx104release6.html

Trust: 0.1

url:http://secunia.com/advisories/27009/

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/advisories/21709/

Trust: 0.1

url:http://secunia.com/advisories/23757/

Trust: 0.1

url:http://secunia.com/advisories/26402/

Trust: 0.1

url:http://secunia.com/advisories/26015/

Trust: 0.1

url:http://secunia.com/advisories/23445/

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/25769/

Trust: 0.1

url:http://secunia.com/product/96/

Trust: 0.1

url:http://secunia.com/advisories/25981/

Trust: 0.1

sources: VULHUB: VHN-29224 // BID: 26877 // JVNDB: JVNDB-2007-001038 // PACKETSTORM: 61851 // CNNVD: CNNVD-200712-212 // NVD: CVE-2007-5862

CREDITS

Bruno Harbulot of the University of Manchester is credited with discovering this issue.

Trust: 0.9

sources: BID: 26877 // CNNVD: CNNVD-200712-212

SOURCES

db: VULHUB, id: VHN-29224
db: BID, id: 26877
db: JVNDB, id: JVNDB-2007-001038
db: PACKETSTORM, id: 61851
db: CNNVD, id: CNNVD-200712-212
db: NVD, id: CVE-2007-5862

LAST UPDATE DATE

2025-04-10T19:57:42.808000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-29224, date: 2011-03-08T00:00:00
db: BID, id: 26877, date: 2007-12-17T22:01:00
db: JVNDB, id: JVNDB-2007-001038, date: 2007-12-28T00:00:00
db: CNNVD, id: CNNVD-200712-212, date: 2007-12-18T00:00:00
db: NVD, id: CVE-2007-5862, date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB, id: VHN-29224, date: 2007-12-18T00:00:00
db: BID, id: 26877, date: 2007-12-14T00:00:00
db: JVNDB, id: JVNDB-2007-001038, date: 2007-12-28T00:00:00
db: PACKETSTORM, id: 61851, date: 2007-12-18T00:56:59
db: CNNVD, id: CNNVD-200712-212, date: 2007-12-18T00:00:00
db: NVD, id: CVE-2007-5862, date: 2007-12-18T20:46:00