ID

VAR-200903-0249


CVE

CVE-2009-0143


TITLE

Apple iTunes Information disclosure vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2009-001497

DESCRIPTION

Apple iTunes before 8.1 does not properly inform the user about the origin of an authentication request, which makes it easier for remote podcast servers to trick a user into providing a username and password when subscribing to a crafted podcast.

Apple iTunes is prone to an information-disclosure vulnerability and a denial-of-service vulnerability. Successfully exploiting these issues may allow an attacker to obtain sensitive information or cause the affected application to crash, denying service to legitimate users. Versions prior to Apple iTunes 8.1 are vulnerable.

----------------------------------------------------------------------
Did you know? Our assessment and impact rating along with detailed information such as exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list?
Click here to learn more about our commercial solutions: http://secunia.com/advisories/business_solutions/
Click here to trial our solutions: http://secunia.com/advisories/try_vi/
----------------------------------------------------------------------

TITLE:
Apple iTunes Information Disclosure and Denial of Service

SECUNIA ADVISORY ID:
SA34254

VERIFY ADVISORY:
http://secunia.com/advisories/34254/

DESCRIPTION:
A vulnerability and a security issue have been reported in Apple iTunes, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially disclose sensitive information.

1) An error in the processing of Digital Audio Access Protocol (DAAP) messages can be exploited to trigger the execution of an infinite loop via a specially crafted "Content-Length" parameter contained in the header of a DAAP message.

NOTE: The vulnerability does not affect Mac OS X systems.

The vulnerability and security issue are reported in version 8.

SOLUTION:
Update to version 8.1.

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Xiaopeng Zhang, Zhenhua Liu, and Junfeng Jia of Fortinet's FortiGuard Global Security Research Team
2) Simon Bellwood

ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3487

----------------------------------------------------------------------
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2009-0143 // JVNDB: JVNDB-2009-001497 // BID: 34094 // VULHUB: VHN-37589 // PACKETSTORM: 75695

AFFECTED PRODUCTS

vendor: apple | model: itunes | scope: lt | version: 8.1

Trust: 1.8

vendor: apple | model: itunes | scope: eq | version: 7.3.2

Trust: 0.9

vendor: apple | model: itunes | scope: eq | version: 8.0

Trust: 0.9

vendor: apple | model: itunes | scope: eq | version: 7.4.1

Trust: 0.6

vendor: apple | model: itunes | scope: eq | version: 7.1.1

Trust: 0.6

vendor: apple | model: itunes | scope: eq | version: 7.1.0

Trust: 0.6

vendor: apple | model: itunes | scope: eq | version: 7.6.2

Trust: 0.6

vendor: apple | model: itunes | scope: eq | version: 7.5.0

Trust: 0.6

vendor: apple | model: itunes | scope: eq | version: 7.7.1

Trust: 0.6

vendor: apple | model: itunes | scope: eq | version: 7.4.0

Trust: 0.6

vendor: apple | model: itunes | scope: eq | version: 7.3.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 7.3

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 7.0.2

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 8.0.2.20

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 7.4

Trust: 0.3

vendor: apple | model: itunes | scope: ne | version: 8.1

Trust: 0.3

sources: BID: 34094 // JVNDB: JVNDB-2009-001497 // CNNVD: CNNVD-200903-262 // NVD: CVE-2009-0143

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-0143
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-0143
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200903-262
value: MEDIUM

Trust: 0.6

VULHUB: VHN-37589
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2009-0143
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-37589
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-37589 // JVNDB: JVNDB-2009-001497 // CNNVD: CNNVD-200903-262 // NVD: CVE-2009-0143

PROBLEMTYPE DATA

problemtype: CWE-200

Trust: 1.9

sources: VULHUB: VHN-37589 // JVNDB: JVNDB-2009-001497 // NVD: CVE-2009-0143

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200903-262

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-200903-262

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-001497

PATCH

title: APPLE-SA-2009-03-11 iTunes 8.1 | url: http://lists.apple.com/archives/security-announce//2009/Mar/msg00001.html

Trust: 0.8

title: HT3487 | url: http://support.apple.com/kb/HT3487

Trust: 0.8

sources: JVNDB: JVNDB-2009-001497

EXTERNAL IDS

db: NVD | id: CVE-2009-0143

Trust: 2.8

db: BID | id: 34094

Trust: 2.0

db: SECUNIA | id: 34254

Trust: 1.8

db: SECTRACK | id: 1021843

Trust: 1.7

db: VUPEN | id: ADV-2009-0702

Trust: 1.7

db: OSVDB | id: 52579

Trust: 1.7

db: JVNDB | id: JVNDB-2009-001497

Trust: 0.8

db: XF | id: 49201

Trust: 0.6

db: CNNVD | id: CNNVD-200903-262

Trust: 0.6

db: VULHUB | id: VHN-37589

Trust: 0.1

db: PACKETSTORM | id: 75695

Trust: 0.1

sources: VULHUB: VHN-37589 // BID: 34094 // JVNDB: JVNDB-2009-001497 // PACKETSTORM: 75695 // CNNVD: CNNVD-200903-262 // NVD: CVE-2009-0143

REFERENCES

url:http://support.apple.com/kb/ht3487

Trust: 2.1

url:http://lists.apple.com/archives/security-announce//2009/mar/msg00001.html

Trust: 1.7

url:http://www.securityfocus.com/bid/34094

Trust: 1.7

url:http://osvdb.org/52579

Trust: 1.7

url:http://securitytracker.com/id?1021843

Trust: 1.7

url:http://secunia.com/advisories/34254

Trust: 1.7

url:http://www.vupen.com/english/advisories/2009/0702

Trust: 1.7

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a5336

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/49201

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0143

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-0143

Trust: 0.8

url:/archive/1/501758

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/49201

Trust: 0.6

url:http://www.fortiguardcenter.com/advisory/fga-2009-11.html

Trust: 0.3

url:http://www.apple.com/itunes/

Trust: 0.3

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/34254/

Trust: 0.1

url:http://secunia.com/advisories/business_solutions/

Trust: 0.1

url:http://secunia.com/advisories/try_vi/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: VULHUB: VHN-37589 // BID: 34094 // JVNDB: JVNDB-2009-001497 // PACKETSTORM: 75695 // CNNVD: CNNVD-200903-262 // NVD: CVE-2009-0143

CREDITS

Xiaopeng Zhang

Trust: 0.6

sources: CNNVD: CNNVD-200903-262

SOURCES

db: VULHUB | id: VHN-37589
db: BID | id: 34094
db: JVNDB | id: JVNDB-2009-001497
db: PACKETSTORM | id: 75695
db: CNNVD | id: CNNVD-200903-262
db: NVD | id: CVE-2009-0143

LAST UPDATE DATE

2025-04-10T23:22:15.956000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-37589 | date: 2018-11-08T00:00:00
db: BID | id: 34094 | date: 2009-03-13T14:46:00
db: JVNDB | id: JVNDB-2009-001497 | date: 2009-06-30T00:00:00
db: CNNVD | id: CNNVD-200903-262 | date: 2009-03-21T00:00:00
db: NVD | id: CVE-2009-0143 | date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB | id: VHN-37589 | date: 2009-03-14T00:00:00
db: BID | id: 34094 | date: 2009-03-11T00:00:00
db: JVNDB | id: JVNDB-2009-001497 | date: 2009-06-30T00:00:00
db: PACKETSTORM | id: 75695 | date: 2009-03-12T06:51:47
db: CNNVD | id: CNNVD-200903-262 | date: 2009-03-14T00:00:00
db: NVD | id: CVE-2009-0143 | date: 2009-03-14T18:30:00.437