Sign-up

ID

VAR-201507-0438


CVE

CVE-2015-3675


TITLE

Apple OS X Run on Apache HTTP Server In the default settings of HTTP Vulnerability bypassing authentication

Trust: 0.8

sources: JVNDB: JVNDB-2015-003374

DESCRIPTION

The default configuration of the Apache HTTP Server on Apple OS X before 10.10.4 does not enable the mod_hfs_apple module, which allows remote attackers to bypass HTTP authentication via a crafted URL. Supplementary information : CWE Vulnerability types by CWE-284: Improper Access Control ( Improper access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlExpertly crafted by a third party URL Through HTTP Authentication may be bypassed. Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect Admin Framework, afpserver, apache, AppleGraphicsControl, AppleFSCompression, AppleThunderboltEDMService, ATS, Bluetooth, Display Drivers, Intel Graphics Driver, IOAcceleratorFamily, IOFireWireFamily, Kernel, Install Framework Legacy, kext tools, ntfs, QuickTime, Security, Spotlight, and System Stats components. Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information, and perform other attacks. These issues affect OS X prior to 10.10.4. The vulnerability is caused by the program not enabling the mod_hfs_apple module

Trust: 2.07

sources: NVD: CVE-2015-3675 // JVNDB: JVNDB-2015-003374 // BID: 75493 // VULHUB: VHN-81636 // VULMON: CVE-2015-3675

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:lteversion:10.10.3

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.10 to 10.10.3

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.10.3

Trust: 0.6

vendor:applemodel:quicktimescope:eqversion:7.6

Trust: 0.3

vendor:applemodel:quicktimescope:eqversion:7.3.4

Trust: 0.3

vendor:applemodel:quicktimescope:eqversion:7.2

Trust: 0.3

vendor:applemodel:quicktimescope:eqversion:7

Trust: 0.3

sources: BID: 75493 // JVNDB: JVNDB-2015-003374 // CNNVD: CNNVD-201507-036 // NVD: CVE-2015-3675

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-3675
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-3675
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201507-036
value: MEDIUM

Trust: 0.6

VULHUB: VHN-81636
value: MEDIUM

Trust: 0.1

VULMON: CVE-2015-3675
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-3675
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-81636
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-81636 // VULMON: CVE-2015-3675 // JVNDB: JVNDB-2015-003374 // CNNVD: CNNVD-201507-036 // NVD: CVE-2015-3675

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-81636 // JVNDB: JVNDB-2015-003374 // NVD: CVE-2015-3675

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201507-036

TYPE

Unknown

Trust: 0.3

sources: BID: 75493

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-003374

PATCH
title:APPLE-SA-2015-06-30-2 OS X Yosemite v10.10.4 and Security Update 2015-005url:http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html
Trust: 0.8
title:HT204942url:http://support.apple.com/en-us/HT204942
Trust: 0.8
title:HT204942url:http://support.apple.com/ja-jp/HT204942
Trust: 0.8
title:quicktime7.7.7_installerurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=56517
Trust: 0.6
title:osxupd10.10.4url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=56516
Trust: 0.6
title:iPhone7,1_8.4_12H143_Restoreurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=56515
Trust: 0.6
title:Apple: OS X Yosemite v10.10.4 and Security Update 2015-005url:https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=50398602701d671602946005c7864211
Trust: 0.1
sources:
            
            
            VULMON: CVE-2015-3675 // 
            
            
            
            JVNDB: JVNDB-2015-003374 // 
            
            
            
            CNNVD: CNNVD-201507-036

EXTERNAL IDS
db:NVDid:CVE-2015-3675
Trust: 2.9
db:BIDid:75493
Trust: 1.5
db:SECTRACKid:1032760
Trust: 1.2
db:JVNDBid:JVNDB-2015-003374
Trust: 0.8
db:CNNVDid:CNNVD-201507-036
Trust: 0.7
db:VULHUBid:VHN-81636
Trust: 0.1
db:VULMONid:CVE-2015-3675
Trust: 0.1
sources:
            
            
            VULHUB: VHN-81636 // 
            
            
            
            VULMON: CVE-2015-3675 // 
            
            
            
            BID: 75493 // 
            
            
            
            JVNDB: JVNDB-2015-003374 // 
            
            
            
            CNNVD: CNNVD-201507-036 // 
            
            
            
            NVD: CVE-2015-3675

REFERENCES
url:http://support.apple.com/kb/ht204942
Trust: 1.9
url:http://lists.apple.com/archives/security-announce/2015/jun/msg00002.html
Trust: 1.8
url:http://www.securityfocus.com/bid/75493
Trust: 1.2
url:http://www.securitytracker.com/id/1032760
Trust: 1.2
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3675
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-3675
Trust: 0.8
url:http://www.apple.com/macosx/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/284.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://www.rapid7.com/db/vulnerabilities/apple-osx-adminframework-cve-2015-3718
Trust: 0.1
url:http://tools.cisco.com/security/center/viewalert.x?alertid=39581
Trust: 0.1
sources:
            
            
            VULHUB: VHN-81636 // 
            
            
            
            VULMON: CVE-2015-3675 // 
            
            
            
            BID: 75493 // 
            
            
            
            JVNDB: JVNDB-2015-003374 // 
            
            
            
            CNNVD: CNNVD-201507-036 // 
            
            
            
            NVD: CVE-2015-3675

CREDITS
Emil Kvarnhammar at TrueSec, Patrick Wardle of Synack, Dean Jerkovich of NCC Group, Apple, Chen Liang of KEEN Team, an anonymous researcher working with HP's Zero Day Initiative, Pawel Wylecial working with HP's Zero Day Initiative, John Villamil (@day6rea
Trust: 0.3
sources:
            
            
            BID: 75493

SOURCES
db:VULHUBid:VHN-81636
db:VULMONid:CVE-2015-3675
db:BIDid:75493
db:JVNDBid:JVNDB-2015-003374
db:CNNVDid:CNNVD-201507-036
db:NVDid:CVE-2015-3675

LAST UPDATE DATE
2025-04-13T20:21:35.981000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-81636date:2017-09-22T00:00:00
db:VULMONid:CVE-2015-3675date:2017-09-22T00:00:00
db:BIDid:75493date:2015-07-15T00:57:00
db:JVNDBid:JVNDB-2015-003374date:2015-07-07T00:00:00
db:CNNVDid:CNNVD-201507-036date:2015-07-03T00:00:00
db:NVDid:CVE-2015-3675date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-81636date:2015-07-03T00:00:00
db:VULMONid:CVE-2015-3675date:2015-07-03T00:00:00
db:BIDid:75493date:2015-06-30T00:00:00
db:JVNDBid:JVNDB-2015-003374date:2015-07-07T00:00:00
db:CNNVDid:CNNVD-201507-036date:2015-07-03T00:00:00
db:NVDid:CVE-2015-3675date:2015-07-03T01:59:32.073