ID

VAR-201501-0276


CVE

CVE-2014-8839


TITLE

Vulnerability in Spotlight in Apple OS X that allows obtaining recipients' IP addresses

Trust: 0.8

sources: JVNDB: JVNDB-2015-001316

DESCRIPTION

Spotlight in Apple OS X before 10.10.2 does not enforce the Mail "Load remote content in messages" configuration, which allows remote attackers to discover recipient IP addresses by including an inline image in an HTML e-mail message and logging HTTP requests for this image's URL. Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X prior to 10.10.2. Spotlight is a component that can quickly search the entire system (including files, emails, contacts, etc.) from an input box.

Trust: 1.98

sources: NVD: CVE-2014-8839 // JVNDB: JVNDB-2015-001316 // BID: 72328 // VULHUB: VHN-76784

AFFECTED PRODUCTS

vendor: apple // model: mac os x // scope: eq // version: 10.10.1

Trust: 1.4

vendor: apple // model: mac os x // scope: lte // version: 10.10.1

Trust: 1.0

vendor: apple // model: mac os x // scope: eq // version: 10.10

Trust: 0.8

vendor: apple // model: mac os // scope: eq // version: x10.10

Trust: 0.3

vendor: apple // model: mac os // scope: eq // version: x10.9.5

Trust: 0.3

vendor: apple // model: mac os // scope: eq // version: x10.8.5

Trust: 0.3

vendor: apple // model: mac os // scope: eq // version: x10.10.1

Trust: 0.3

vendor: apple // model: mac os // scope: ne // version: x10.10.3

Trust: 0.3

vendor: apple // model: mac os // scope: ne // version: x10.10.2

Trust: 0.3

sources: BID: 72328 // JVNDB: JVNDB-2015-001316 // CNNVD: CNNVD-201501-730 // NVD: CVE-2014-8839

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8839
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-8839
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201501-730
value: MEDIUM

Trust: 0.6

VULHUB: VHN-76784
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-8839
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-76784
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-76784 // JVNDB: JVNDB-2015-001316 // CNNVD: CNNVD-201501-730 // NVD: CVE-2014-8839

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-76784 // JVNDB: JVNDB-2015-001316 // NVD: CVE-2014-8839

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201501-730

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201501-730

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001316

PATCH

title: APPLE-SA-2015-01-27-4 // url: http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html

Trust: 0.8

title: HT204244 // url: http://support.apple.com/en-us/HT204244

Trust: 0.8

title: HT204244 // url: http://support.apple.com/ja-jp/HT204244

Trust: 0.8

sources: JVNDB: JVNDB-2015-001316

EXTERNAL IDS

db: NVD // id: CVE-2014-8839

Trust: 2.8

db: SECTRACK // id: 1031521

Trust: 1.1

db: BID // id: 72328

Trust: 0.9

db: JVN // id: JVNVU96447236

Trust: 0.8

db: JVNDB // id: JVNDB-2015-001316

Trust: 0.8

db: CNNVD // id: CNNVD-201501-730

Trust: 0.7

db: VULHUB // id: VHN-76784

Trust: 0.1

sources: VULHUB: VHN-76784 // BID: 72328 // JVNDB: JVNDB-2015-001316 // CNNVD: CNNVD-201501-730 // NVD: CVE-2014-8839

REFERENCES

url:http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html

Trust: 1.1

url:http://support.apple.com/ht204244

Trust: 1.1

url:http://heise.de/newsticker/meldung/datenschutzpanne-in-mac-os-x-yosemite-2514198.html

Trust: 1.1

url:http://www.theregister.co.uk/2015/01/10/spotlight_caught_spreading_your_delicates/

Trust: 1.1

url:http://securitytracker.com/id/1031521

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100527

Trust: 1.1

url:http://www.apple.com/macosx/

Trust: 0.9

url:https://support.apple.com/en-us/ht204659

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8839

Trust: 0.8

url:http://jvn.jp/vu/jvnvu96447236/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8839

Trust: 0.8

url:https://www.securityfocus.com/bid/72328

Trust: 0.6

sources: VULHUB: VHN-76784 // BID: 72328 // JVNDB: JVNDB-2015-001316 // CNNVD: CNNVD-201501-730 // NVD: CVE-2014-8839

CREDITS

Vitaliy Toropov working with HP's Zero Day Initiative, Roberto Paleari and Aristide Fattori of Emaze Networks, Sten Petersen, Mike Myers, Ian Beer of Google Project Zero, Ale, @PanguTeam, Trammell Hudson of Two Sigma Investments, Alex, of Digital Operatives LLC

Trust: 0.6

sources: CNNVD: CNNVD-201501-730

SOURCES

db: VULHUB // id: VHN-76784
db: BID // id: 72328
db: JVNDB // id: JVNDB-2015-001316
db: CNNVD // id: CNNVD-201501-730
db: NVD // id: CVE-2014-8839

LAST UPDATE DATE

2025-04-13T22:14:54.487000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-76784 // date: 2017-09-08T00:00:00
db: BID // id: 72328 // date: 2019-04-12T18:00:00
db: JVNDB // id: JVNDB-2015-001316 // date: 2015-02-12T00:00:00
db: CNNVD // id: CNNVD-201501-730 // date: 2019-04-15T00:00:00
db: NVD // id: CVE-2014-8839 // date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB // id: VHN-76784 // date: 2015-01-30T00:00:00
db: BID // id: 72328 // date: 2015-01-27T00:00:00
db: JVNDB // id: JVNDB-2015-001316 // date: 2015-02-12T00:00:00
db: CNNVD // id: CNNVD-201501-730 // date: 2015-01-30T00:00:00
db: NVD // id: CVE-2014-8839 // date: 2015-01-30T11:59:48.423