Details of VAR-201501-0266

ID

VAR-201501-0266

CVE

CVE-2014-8829

TITLE

Apple OS X of SceneKit Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2015-001305

DESCRIPTION

SceneKit in Apple OS X before 10.10.2 allows attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via a crafted app. Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X prior to 10.10.2. SceneKit is one of the 3D rendering frameworks

Trust: 1.98

sources: NVD: CVE-2014-8829 // JVNDB: JVNDB-2015-001305 // BID: 72328 // VULHUB: VHN-76774

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	lte	version:	10.10.1	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.8.5	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	10.9.5	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	10.10.1	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.10	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.9.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.8.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.10.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	ne	version:	x10.10.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	ne	version:	x10.10.2	Trust: 0.3

sources: BID: 72328 // JVNDB: JVNDB-2015-001305 // CNNVD: CNNVD-201501-745 // NVD: CVE-2014-8829

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-8829
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-8829
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201501-745
value:	HIGH
Trust: 0.6
VULHUB:	VHN-76774
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-8829
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-76774
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-76774 // JVNDB: JVNDB-2015-001305 // CNNVD: CNNVD-201501-745 // NVD: CVE-2014-8829

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.9

sources: VULHUB: VHN-76774 // JVNDB: JVNDB-2015-001305 // NVD: CVE-2014-8829

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201501-745

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201501-745

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001305

PATCH

title:	APPLE-SA-2015-01-27-4	url:	http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html	Trust: 0.8
title:	HT204244	url:	http://support.apple.com/en-us/HT204244	Trust: 0.8
title:	HT204244	url:	http://support.apple.com/ja-jp/HT204244	Trust: 0.8

sources: JVNDB: JVNDB-2015-001305

EXTERNAL IDS

db:	NVD	id:	CVE-2014-8829	Trust: 2.8
db:	SECTRACK	id:	1031650	Trust: 1.1
db:	BID	id:	72328	Trust: 0.9
db:	JVN	id:	JVNVU96447236	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-001305	Trust: 0.8
db:	CNNVD	id:	CNNVD-201501-745	Trust: 0.7
db:	VULHUB	id:	VHN-76774	Trust: 0.1

sources: VULHUB: VHN-76774 // BID: 72328 // JVNDB: JVNDB-2015-001305 // CNNVD: CNNVD-201501-745 // NVD: CVE-2014-8829

REFERENCES

url:	http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html	Trust: 1.1
url:	http://support.apple.com/ht204244	Trust: 1.1
url:	http://www.securitytracker.com/id/1031650	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/100523	Trust: 1.1
url:	http://www.apple.com/macosx/	Trust: 0.9
url:	https://support.apple.com/en-us/ht204659	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8829	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu96447236/	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8829	Trust: 0.8
url:	https://www.securityfocus.com/bid/72328	Trust: 0.6

sources: VULHUB: VHN-76774 // BID: 72328 // JVNDB: JVNDB-2015-001305 // CNNVD: CNNVD-201501-745 // NVD: CVE-2014-8829

CREDITS

Vitaliy Toropov working with HP's Zero Day Initiative, Roberto Paleari and Aristide Fattori of Emaze Networks, Sten Petersen, Mike Myers,Ian Beer of Google Project Zero, Ale, @PanguTeam, Trammell Hudson of Two Sigma Investments, Alex, of Digital Operatives LLC

Trust: 0.6

sources: CNNVD: CNNVD-201501-745

SOURCES

db:	VULHUB	id:	VHN-76774
db:	BID	id:	72328
db:	JVNDB	id:	JVNDB-2015-001305
db:	CNNVD	id:	CNNVD-201501-745
db:	NVD	id:	CVE-2014-8829

LAST UPDATE DATE

2025-04-13T21:42:57.252000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-76774	date:	2017-09-08T00:00:00
db:	BID	id:	72328	date:	2019-04-12T18:00:00
db:	JVNDB	id:	JVNDB-2015-001305	date:	2015-02-12T00:00:00
db:	CNNVD	id:	CNNVD-201501-745	date:	2019-04-15T00:00:00
db:	NVD	id:	CVE-2014-8829	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-76774	date:	2015-01-30T00:00:00
db:	BID	id:	72328	date:	2015-01-27T00:00:00
db:	JVNDB	id:	JVNDB-2015-001305	date:	2015-02-12T00:00:00
db:	CNNVD	id:	CNNVD-201501-745	date:	2015-01-27T00:00:00
db:	NVD	id:	CVE-2014-8829	date:	2015-01-30T11:59:39.047