ID

VAR-201501-0264


CVE

CVE-2014-8827


TITLE

Information disclosure vulnerability in LoginWindow in Apple OS X

Trust: 0.8

sources: JVNDB: JVNDB-2015-001303

DESCRIPTION

LoginWindow in Apple OS X before 10.10.2 does not transition to the lock-screen state immediately upon being woken from sleep, which allows physically proximate attackers to obtain sensitive information by reading the screen. Supplementary information: the vulnerability type has been identified as CWE-284: Improper Access Control. Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect the Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X prior to 10.10.2. LoginWindow is one of the login window components. The vulnerability is caused by the screen not being locked immediately when the program transitions from sleep mode to working mode.

Trust: 1.98

sources: NVD: CVE-2014-8827 // JVNDB: JVNDB-2015-001303 // BID: 72328 // VULHUB: VHN-76772

AFFECTED PRODUCTS

vendor: apple, model: mac os x, scope: eq, version: 10.10.1

Trust: 1.4

vendor: apple, model: mac os x, scope: lte, version: 10.10.1

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.10

Trust: 0.8

vendor: apple, model: mac os x, scope: eq, version: 10.8.5

Trust: 0.8

vendor: apple, model: mac os x, scope: eq, version: 10.9.5

Trust: 0.8

vendor: apple, model: mac os, scope: eq, version: x10.10

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.9.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.8.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.10.1

Trust: 0.3

vendor: apple, model: mac os, scope: ne, version: x10.10.3

Trust: 0.3

vendor: apple, model: mac os, scope: ne, version: x10.10.2

Trust: 0.3

sources: BID: 72328 // JVNDB: JVNDB-2015-001303 // CNNVD: CNNVD-201501-728 // NVD: CVE-2014-8827

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8827
value: LOW

Trust: 1.0

NVD: CVE-2014-8827
value: LOW

Trust: 0.8

CNNVD: CNNVD-201501-728
value: LOW

Trust: 0.6

VULHUB: VHN-76772
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2014-8827
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-76772
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-76772 // JVNDB: JVNDB-2015-001303 // CNNVD: CNNVD-201501-728 // NVD: CVE-2014-8827

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-76772 // JVNDB: JVNDB-2015-001303 // NVD: CVE-2014-8827

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201501-728

TYPE

Unknown

Trust: 0.3

sources: BID: 72328

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001303

PATCH

title: APPLE-SA-2015-01-27-4, url: http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html

Trust: 0.8

title: HT204244, url: http://support.apple.com/en-us/HT204244

Trust: 0.8

title: HT204244, url: http://support.apple.com/ja-jp/HT204244

Trust: 0.8

sources: JVNDB: JVNDB-2015-001303

EXTERNAL IDS

db: NVD, id: CVE-2014-8827

Trust: 2.8

db: SECTRACK, id: 1031650

Trust: 1.1

db: BID, id: 72328

Trust: 0.9

db: JVN, id: JVNVU96447236

Trust: 0.8

db: JVNDB, id: JVNDB-2015-001303

Trust: 0.8

db: CNNVD, id: CNNVD-201501-728

Trust: 0.7

db: VULHUB, id: VHN-76772

Trust: 0.1

sources: VULHUB: VHN-76772 // BID: 72328 // JVNDB: JVNDB-2015-001303 // CNNVD: CNNVD-201501-728 // NVD: CVE-2014-8827

REFERENCES

url:http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html

Trust: 1.1

url:http://support.apple.com/ht204244

Trust: 1.1

url:http://www.securitytracker.com/id/1031650

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100521

Trust: 1.1

url:http://www.apple.com/macosx/

Trust: 0.9

url:https://support.apple.com/en-us/ht204659

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8827

Trust: 0.8

url:https://jvn.jp/vu/jvnvu96447236/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8827

Trust: 0.8

url:https://www.securityfocus.com/bid/72328

Trust: 0.6

sources: VULHUB: VHN-76772 // BID: 72328 // JVNDB: JVNDB-2015-001303 // CNNVD: CNNVD-201501-728 // NVD: CVE-2014-8827

CREDITS

Vitaliy Toropov working with HP's Zero Day Initiative, Roberto Paleari and Aristide Fattori of Emaze Networks, Sten Petersen, Mike Myers, Ian Beer of Google Project Zero, Ale, @PanguTeam, Trammell Hudson of Two Sigma Investments, Alex, of Digital Operatives LLC

Trust: 0.6

sources: CNNVD: CNNVD-201501-728

SOURCES

db: VULHUB, id: VHN-76772
db: BID, id: 72328
db: JVNDB, id: JVNDB-2015-001303
db: CNNVD, id: CNNVD-201501-728
db: NVD, id: CVE-2014-8827

LAST UPDATE DATE

2025-04-13T21:58:24.923000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-76772, date: 2017-09-08T00:00:00
db: BID, id: 72328, date: 2019-04-12T18:00:00
db: JVNDB, id: JVNDB-2015-001303, date: 2015-02-12T00:00:00
db: CNNVD, id: CNNVD-201501-728, date: 2019-04-15T00:00:00
db: NVD, id: CVE-2014-8827, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-76772, date: 2015-01-30T00:00:00
db: BID, id: 72328, date: 2015-01-27T00:00:00
db: JVNDB, id: JVNDB-2015-001303, date: 2015-02-12T00:00:00
db: CNNVD, id: CNNVD-201501-728, date: 2015-01-30T00:00:00
db: NVD, id: CVE-2014-8827, date: 2015-01-30T11:59:37.187