Sign-up

ID

VAR-201501-0265


CVE

CVE-2014-8828


TITLE

Apple OS X In the sandbox sandbox-profile Vulnerability written to cache

Trust: 0.8

sources: JVNDB: JVNDB-2015-001304

DESCRIPTION

Sandbox in Apple OS X before 10.10 allows attackers to write to the sandbox-profile cache via a sandboxed app that includes a com.apple.sandbox segment in a path. Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X prior to 10.10.2. Sandbox is a sandbox system that provides the operating system with a method to limit the use of system resources by applications. An attacker could exploit this vulnerability with a specially crafted application to write to the sandbox-profile cache

Trust: 1.98

sources: NVD: CVE-2014-8828 // JVNDB: JVNDB-2015-001304 // BID: 72328 // VULHUB: VHN-76773

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:eqversion:10.9.5

Trust: 1.4

vendor:applemodel:mac os xscope:lteversion:10.9.5

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.8.5

Trust: 0.8

vendor:applemodel:mac osscope:eqversion:x10.10

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.10.1

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.10.3

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.10.2

Trust: 0.3

sources: BID: 72328 // JVNDB: JVNDB-2015-001304 // CNNVD: CNNVD-201501-744 // NVD: CVE-2014-8828

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8828
value: HIGH

Trust: 1.0

NVD: CVE-2014-8828
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201501-744
value: HIGH

Trust: 0.6

VULHUB: VHN-76773
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-8828
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-76773
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-76773 // JVNDB: JVNDB-2015-001304 // CNNVD: CNNVD-201501-744 // NVD: CVE-2014-8828

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-76773 // JVNDB: JVNDB-2015-001304 // NVD: CVE-2014-8828

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201501-744

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201501-744

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-001304

PATCH
title:APPLE-SA-2015-01-27-4url:http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
Trust: 0.8
title:HT204244url:http://support.apple.com/en-us/HT204244
Trust: 0.8
title:HT204244url:http://support.apple.com/ja-jp/HT204244
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2015-001304

EXTERNAL IDS
db:NVDid:CVE-2014-8828
Trust: 2.8
db:SECTRACKid:1031650
Trust: 1.1
db:BIDid:72328
Trust: 0.9
db:JVNid:JVNVU96447236
Trust: 0.8
db:JVNDBid:JVNDB-2015-001304
Trust: 0.8
db:CNNVDid:CNNVD-201501-744
Trust: 0.7
db:VULHUBid:VHN-76773
Trust: 0.1
sources:
            
            
            VULHUB: VHN-76773 // 
            
            
            
            BID: 72328 // 
            
            
            
            JVNDB: JVNDB-2015-001304 // 
            
            
            
            CNNVD: CNNVD-201501-744 // 
            
            
            
            NVD: CVE-2014-8828

REFERENCES
url:http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html
Trust: 1.1
url:http://support.apple.com/ht204244
Trust: 1.1
url:http://www.securitytracker.com/id/1031650
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100522
Trust: 1.1
url:http://www.apple.com/macosx/
Trust: 0.9
url:https://support.apple.com/en-us/ht204659
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8828
Trust: 0.8
url:https://jvn.jp/vu/jvnvu96447236/
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8828
Trust: 0.8
url:https://www.securityfocus.com/bid/72328
Trust: 0.6
sources:
            
            
            VULHUB: VHN-76773 // 
            
            
            
            BID: 72328 // 
            
            
            
            JVNDB: JVNDB-2015-001304 // 
            
            
            
            CNNVD: CNNVD-201501-744 // 
            
            
            
            NVD: CVE-2014-8828

CREDITS
Vitaliy Toropov working with HP's Zero Day Initiative, Roberto Paleari and Aristide Fattori of Emaze Networks, Sten Petersen, Mike Myers,Ian Beer of Google Project Zero, Ale, @PanguTeam, Trammell Hudson of Two Sigma Investments, Alex, of Digital Operatives LLC
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201501-744

SOURCES
db:VULHUBid:VHN-76773
db:BIDid:72328
db:JVNDBid:JVNDB-2015-001304
db:CNNVDid:CNNVD-201501-744
db:NVDid:CVE-2014-8828

LAST UPDATE DATE
2025-04-13T20:41:03.747000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-76773date:2017-09-08T00:00:00
db:BIDid:72328date:2019-04-12T18:00:00
db:JVNDBid:JVNDB-2015-001304date:2015-02-12T00:00:00
db:CNNVDid:CNNVD-201501-744date:2019-04-19T00:00:00
db:NVDid:CVE-2014-8828date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-76773date:2015-01-30T00:00:00
db:BIDid:72328date:2015-01-27T00:00:00
db:JVNDBid:JVNDB-2015-001304date:2015-02-12T00:00:00
db:CNNVDid:CNNVD-201501-744date:2015-01-27T00:00:00
db:NVDid:CVE-2014-8828date:2015-01-30T11:59:38.077