ID

VAR-201501-0270


CVE

CVE-2014-8833


TITLE

Apple OS X SpotlightIndex vulnerability allowing search results to be read

Trust: 0.8

sources: JVNDB: JVNDB-2015-001310

DESCRIPTION

SpotlightIndex in Apple OS X before 10.10.2 does not properly perform deserialization during access to a permission cache, which allows local users to read search results associated with other users' protected files via a Spotlight query. Supplementary information: the CWE vulnerability type has been identified as CWE-284: Improper Access Control.

Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect the Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X prior to 10.10.2.

SpotlightIndex is one of the components that enables quick searching of the entire system (including files, emails, contacts, etc.) from an input box. The vulnerability is due to the program not properly performing deserialization when accessing certain caches.

Trust: 1.98

sources: NVD: CVE-2014-8833 // JVNDB: JVNDB-2015-001310 // BID: 72328 // VULHUB: VHN-76778

AFFECTED PRODUCTS

vendor: apple | model: mac os x | scope: eq | version: 10.10.1

Trust: 1.4

vendor: apple | model: mac os x | scope: lte | version: 10.10.1

Trust: 1.0

vendor: apple | model: mac os x | scope: eq | version: 10.10

Trust: 0.8

vendor: apple | model: mac os | scope: eq | version: x10.10

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.9.5

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.8.5

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.10.1

Trust: 0.3

vendor: apple | model: mac os | scope: ne | version: x10.10.3

Trust: 0.3

vendor: apple | model: mac os | scope: ne | version: x10.10.2

Trust: 0.3

sources: BID: 72328 // JVNDB: JVNDB-2015-001310 // CNNVD: CNNVD-201501-735 // NVD: CVE-2014-8833

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8833
value: LOW

Trust: 1.0

NVD: CVE-2014-8833
value: LOW

Trust: 0.8

CNNVD: CNNVD-201501-735
value: LOW

Trust: 0.6

VULHUB: VHN-76778
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2014-8833
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-76778
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-76778 // JVNDB: JVNDB-2015-001310 // CNNVD: CNNVD-201501-735 // NVD: CVE-2014-8833

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-76778 // JVNDB: JVNDB-2015-001310 // NVD: CVE-2014-8833

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201501-735

TYPE

Unknown

Trust: 0.3

sources: BID: 72328

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001310

PATCH

title: APPLE-SA-2015-01-27-4 | url: http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html

Trust: 0.8

title: HT204244 | url: http://support.apple.com/en-us/HT204244

Trust: 0.8

title: HT204244 | url: http://support.apple.com/ja-jp/HT204244

Trust: 0.8

title: osxupd10.10.2 | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53587

Trust: 0.6

title: iPhone7,1_8.1.3_12B466_Restore | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53586

Trust: 0.6

sources: JVNDB: JVNDB-2015-001310 // CNNVD: CNNVD-201501-735

EXTERNAL IDS

db: NVD | id: CVE-2014-8833

Trust: 2.8

db: SECTRACK | id: 1031650

Trust: 1.1

db: BID | id: 72328

Trust: 0.9

db: JVN | id: JVNVU96447236

Trust: 0.8

db: JVNDB | id: JVNDB-2015-001310

Trust: 0.8

db: CNNVD | id: CNNVD-201501-735

Trust: 0.7

db: VULHUB | id: VHN-76778

Trust: 0.1

sources: VULHUB: VHN-76778 // BID: 72328 // JVNDB: JVNDB-2015-001310 // CNNVD: CNNVD-201501-735 // NVD: CVE-2014-8833

REFERENCES

url:http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html

Trust: 1.1

url:http://support.apple.com/ht204244

Trust: 1.1

url:http://www.securitytracker.com/id/1031650

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100529

Trust: 1.1

url:http://www.apple.com/macosx/

Trust: 0.9

url:https://support.apple.com/en-us/ht204659

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8833

Trust: 0.8

url:https://jvn.jp/vu/jvnvu96447236/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8833

Trust: 0.8

url:https://www.securityfocus.com/bid/72328

Trust: 0.6

sources: VULHUB: VHN-76778 // BID: 72328 // JVNDB: JVNDB-2015-001310 // CNNVD: CNNVD-201501-735 // NVD: CVE-2014-8833

CREDITS

Vitaliy Toropov working with HP's Zero Day Initiative, Roberto Paleari and Aristide Fattori of Emaze Networks, Sten Petersen, Mike Myers, Ian Beer of Google Project Zero, Ale, @PanguTeam, Trammell Hudson of Two Sigma Investments, Alex, of Digital Operatives LLC

Trust: 0.6

sources: CNNVD: CNNVD-201501-735

SOURCES

db: VULHUB | id: VHN-76778
db: BID | id: 72328
db: JVNDB | id: JVNDB-2015-001310
db: CNNVD | id: CNNVD-201501-735
db: NVD | id: CVE-2014-8833

LAST UPDATE DATE

2025-04-13T21:30:30.621000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-76778 | date: 2017-09-08T00:00:00
db: BID | id: 72328 | date: 2019-04-12T18:00:00
db: JVNDB | id: JVNDB-2015-001310 | date: 2015-02-12T00:00:00
db: CNNVD | id: CNNVD-201501-735 | date: 2019-04-15T00:00:00
db: NVD | id: CVE-2014-8833 | date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB | id: VHN-76778 | date: 2015-01-30T00:00:00
db: BID | id: 72328 | date: 2015-01-27T00:00:00
db: JVNDB | id: JVNDB-2015-001310 | date: 2015-02-12T00:00:00
db: CNNVD | id: CNNVD-201501-735 | date: 2015-01-27T00:00:00
db: NVD | id: CVE-2014-8833 | date: 2015-01-30T11:59:43