ID

VAR-201501-0269


CVE

CVE-2014-8832


TITLE

Vulnerability in the indexing function of Spotlight in Apple OS X that allows important information to be obtained

Trust: 0.8

sources: JVNDB: JVNDB-2015-001309

DESCRIPTION

The indexing functionality in Spotlight in Apple OS X before 10.10.2 writes memory contents to an external hard drive, which allows local users to obtain sensitive information by reading from this drive. Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X prior to 10.10.2. Spotlight is a component that quickly searches the entire system (including files, emails, contacts, etc.) from an input box.

Trust: 1.98

sources: NVD: CVE-2014-8832 // JVNDB: JVNDB-2015-001309 // BID: 72328 // VULHUB: VHN-76777

AFFECTED PRODUCTS

vendor: apple, model: mac os x, scope: eq, version: 10.10.1

Trust: 1.4

vendor: apple, model: mac os x, scope: lte, version: 10.10.1

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.10

Trust: 0.8

vendor: apple, model: mac os x, scope: eq, version: 10.8.5

Trust: 0.8

vendor: apple, model: mac os x, scope: eq, version: 10.9.5

Trust: 0.8

vendor: apple, model: mac os, scope: eq, version: x10.10

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.9.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.8.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.10.1

Trust: 0.3

vendor: apple, model: mac os, scope: ne, version: x10.10.3

Trust: 0.3

vendor: apple, model: mac os, scope: ne, version: x10.10.2

Trust: 0.3

sources: BID: 72328 // JVNDB: JVNDB-2015-001309 // CNNVD: CNNVD-201501-734 // NVD: CVE-2014-8832

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8832
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-8832
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201501-734
value: MEDIUM

Trust: 0.6

VULHUB: VHN-76777
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-8832
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-76777
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-76777 // JVNDB: JVNDB-2015-001309 // CNNVD: CNNVD-201501-734 // NVD: CVE-2014-8832

PROBLEMTYPE DATA

problemtype: CWE-200

Trust: 1.9

sources: VULHUB: VHN-76777 // JVNDB: JVNDB-2015-001309 // NVD: CVE-2014-8832

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201501-734

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201501-734

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001309

PATCH

title: APPLE-SA-2015-01-27-4, url: http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html

Trust: 0.8

title: HT204244, url: http://support.apple.com/en-us/HT204244

Trust: 0.8

title: HT204244, url: http://support.apple.com/ja-jp/HT204244

Trust: 0.8

sources: JVNDB: JVNDB-2015-001309

EXTERNAL IDS

db: NVD, id: CVE-2014-8832

Trust: 2.8

db: SECTRACK, id: 1031650

Trust: 1.1

db: BID, id: 72328

Trust: 0.9

db: JVN, id: JVNVU96447236

Trust: 0.8

db: JVNDB, id: JVNDB-2015-001309

Trust: 0.8

db: CNNVD, id: CNNVD-201501-734

Trust: 0.7

db: VULHUB, id: VHN-76777

Trust: 0.1

sources: VULHUB: VHN-76777 // BID: 72328 // JVNDB: JVNDB-2015-001309 // CNNVD: CNNVD-201501-734 // NVD: CVE-2014-8832

REFERENCES

url:http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html

Trust: 1.1

url:http://support.apple.com/ht204244

Trust: 1.1

url:http://www.securitytracker.com/id/1031650

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100528

Trust: 1.1

url:http://www.apple.com/macosx/

Trust: 0.9

url:https://support.apple.com/en-us/ht204659

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8832

Trust: 0.8

url:https://jvn.jp/vu/jvnvu96447236/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8832

Trust: 0.8

url:https://www.securityfocus.com/bid/72328

Trust: 0.6

sources: VULHUB: VHN-76777 // BID: 72328 // JVNDB: JVNDB-2015-001309 // CNNVD: CNNVD-201501-734 // NVD: CVE-2014-8832

CREDITS

Vitaliy Toropov working with HP's Zero Day Initiative, Roberto Paleari and Aristide Fattori of Emaze Networks, Sten Petersen, Mike Myers, Ian Beer of Google Project Zero, Ale, @PanguTeam, Trammell Hudson of Two Sigma Investments, Alex, of Digital Operatives LLC

Trust: 0.6

sources: CNNVD: CNNVD-201501-734

SOURCES

db: VULHUB, id: VHN-76777
db: BID, id: 72328
db: JVNDB, id: JVNDB-2015-001309
db: CNNVD, id: CNNVD-201501-734
db: NVD, id: CVE-2014-8832

LAST UPDATE DATE

2025-04-13T20:12:58.634000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-76777, date: 2017-09-08T00:00:00
db: BID, id: 72328, date: 2019-04-12T18:00:00
db: JVNDB, id: JVNDB-2015-001309, date: 2015-02-12T00:00:00
db: CNNVD, id: CNNVD-201501-734, date: 2019-04-15T00:00:00
db: NVD, id: CVE-2014-8832, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-76777, date: 2015-01-30T00:00:00
db: BID, id: 72328, date: 2015-01-27T00:00:00
db: JVNDB, id: JVNDB-2015-001309, date: 2015-02-12T00:00:00
db: CNNVD, id: CNNVD-201501-734, date: 2015-01-27T00:00:00
db: NVD, id: CVE-2014-8832, date: 2015-01-30T11:59:42.030