Details of VAR-201403-0261

ID

VAR-201403-0261

CVE

CVE-2014-1281

TITLE

Apple iOS Vulnerabilities in capturing important image data in photo backend

Trust: 0.8

sources: JVNDB: JVNDB-2014-001669

DESCRIPTION

Photos Backend in Apple iOS before 7.1 does not properly manage the asset-library cache during deletions, which allows physically proximate attackers to obtain sensitive photo data by launching the Photos app and looking under a transparent image. Apple iOS is prone to multiple vulnerabilities. Attackers can exploit these issues to perform man-in-the-middle attack, to access arbitrary files, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect Apple iOS versions prior to 7.1. Note: The issue described by CVE-2013-6835 has been moved to BID 66108 (Apple iOS 'facetime-audio://' Security Bypass Vulnerability) for better documentation. The vulnerability is due to the program deleting images from the library and not deleting the cached version of the image. An attacker could exploit this vulnerability to obtain sensitive photo data

Trust: 1.98

sources: NVD: CVE-2014-1281 // JVNDB: JVNDB-2014-001669 // BID: 66087 // VULHUB: VHN-69220

AFFECTED PRODUCTS

vendor:	apple	model:	iphone os	scope:	eq	version:	7.0	Trust: 1.6
vendor:	apple	model:	iphone os	scope:	eq	version:	7.0.5	Trust: 1.6
vendor:	apple	model:	iphone os	scope:	eq	version:	7.0.4	Trust: 1.6
vendor:	apple	model:	iphone os	scope:	eq	version:	7.0.1	Trust: 1.6
vendor:	apple	model:	iphone os	scope:	eq	version:	7.0.2	Trust: 1.6
vendor:	apple	model:	iphone os	scope:	eq	version:	7.0.3	Trust: 1.6
vendor:	apple	model:	iphone os	scope:	lte	version:	7.0.6	Trust: 1.0
vendor:	apple	model:	ios	scope:	lt	version:	7.1 (ipad 2 or later )	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	7.1 (iphone 4 or later )	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	7.1 (ipod touch no. 5 after generation )	Trust: 0.8
vendor:	apple	model:	iphone os	scope:	eq	version:	7.0.6	Trust: 0.6
vendor:	apple	model:	ipod touch	scope:	eq	version:	0	Trust: 0.3
vendor:	apple	model:	iphone	scope:	eq	version:	4.0	Trust: 0.3
vendor:	apple	model:	ipad	scope:	eq	version:	0	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.0.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5.1.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.9	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.8	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.7	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.6	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.10	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.0	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	2.0	Trust: 0.3

sources: BID: 66087 // JVNDB: JVNDB-2014-001669 // CNNVD: CNNVD-201403-264 // NVD: CVE-2014-1281

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-1281
value:	LOW
Trust: 1.0
NVD:	CVE-2014-1281
value:	LOW
Trust: 0.8
CNNVD:	CNNVD-201403-264
value:	LOW
Trust: 0.6
VULHUB:	VHN-69220
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2014-1281
severity:	LOW
baseScore:	1.9
vectorString:	AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.4
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-69220
severity:	LOW
baseScore:	1.9
vectorString:	AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.4
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-69220 // JVNDB: JVNDB-2014-001669 // CNNVD: CNNVD-201403-264 // NVD: CVE-2014-1281

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-69220 // JVNDB: JVNDB-2014-001669 // NVD: CVE-2014-1281

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201403-264

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201403-264

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001669

PATCH

title:	HT6162	url:	http://support.apple.com/kb/HT6162	Trust: 0.8
title:	HT6162	url:	http://support.apple.com/kb/HT6162?viewlocale=ja_JP	Trust: 0.8
title:	AppleTV3,1_6.1_11D169b_Restore	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=48637	Trust: 0.6
title:	AppleTV2,1_6.1_11D169b_Restore	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=48636	Trust: 0.6
title:	iPhone6,2_7.1_11D167_Restore	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=48635	Trust: 0.6

sources: JVNDB: JVNDB-2014-001669 // CNNVD: CNNVD-201403-264

EXTERNAL IDS

db:	NVD	id:	CVE-2014-1281	Trust: 2.8
db:	JVN	id:	JVNVU94229445	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-001669	Trust: 0.8
db:	CNNVD	id:	CNNVD-201403-264	Trust: 0.7
db:	BID	id:	66087	Trust: 0.3
db:	VULHUB	id:	VHN-69220	Trust: 0.1

sources: VULHUB: VHN-69220 // BID: 66087 // JVNDB: JVNDB-2014-001669 // CNNVD: CNNVD-201403-264 // NVD: CVE-2014-1281

REFERENCES

url:	http://support.apple.com/kb/ht6162	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1281	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu94229445/	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1281	Trust: 0.8
url:	http://www.apple.com/ios/	Trust: 0.3

sources: VULHUB: VHN-69220 // BID: 66087 // JVNDB: JVNDB-2014-001669 // CNNVD: CNNVD-201403-264 // NVD: CVE-2014-1281

CREDITS

Apple, evad3rs, Guillaume Ross, Min Zheng, Hui Xue, and Dr. Tao (Lenx) Wei of FireEye, Stefan Esser, Walter Hoelblinger of Hoelblinger.com, Morgan Adams, Tom Pennington, Roboboi99 and Bogdan Alecu of M-sec.net

Trust: 0.3

sources: BID: 66087

SOURCES

db:	VULHUB	id:	VHN-69220
db:	BID	id:	66087
db:	JVNDB	id:	JVNDB-2014-001669
db:	CNNVD	id:	CNNVD-201403-264
db:	NVD	id:	CVE-2014-1281

LAST UPDATE DATE

2025-04-13T21:58:24.853000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-69220	date:	2014-03-14T00:00:00
db:	BID	id:	66087	date:	2014-03-12T00:33:00
db:	JVNDB	id:	JVNDB-2014-001669	date:	2014-03-17T00:00:00
db:	CNNVD	id:	CNNVD-201403-264	date:	2014-04-29T00:00:00
db:	NVD	id:	CVE-2014-1281	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-69220	date:	2014-03-14T00:00:00
db:	BID	id:	66087	date:	2014-03-10T00:00:00
db:	JVNDB	id:	JVNDB-2014-001669	date:	2014-03-17T00:00:00
db:	CNNVD	id:	CNNVD-201403-264	date:	2014-03-14T00:00:00
db:	NVD	id:	CVE-2014-1281	date:	2014-03-14T10:55:06.113