Details of VAR-201508-0418

ID

VAR-201508-0418

CVE

CVE-2015-3774

TITLE

Apple OS X Vulnerability in obtaining important information in a dictionary application

Trust: 0.8

sources: JVNDB: JVNDB-2015-004271

DESCRIPTION

The Dictionary app in Apple OS X before 10.10.5 does not use HTTPS, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or spoof word definitions by modifying the client-server data stream. Apple Mac OS X is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information, and perform other attacks. Note: The issue described by CVE-2015-3778 has been removed. The issue is discussed in BID 83590 (Apple Mac OS X and iOS CVE-2015-3778 Information Disclosure Vulnerability). These issues affect OS X prior to 10.10.5. Dictionary app is one of the dictionary application components

Trust: 1.98

sources: NVD: CVE-2015-3774 // JVNDB: JVNDB-2015-004271 // BID: 76340 // VULHUB: VHN-81735

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	lte	version:	10.10.4	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.10 to 10.10.4	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	10.10.4	Trust: 0.6
vendor:	apple	model:	quicktime	scope:	eq	version:	7.6	Trust: 0.3
vendor:	apple	model:	quicktime	scope:	eq	version:	7.3.4	Trust: 0.3
vendor:	apple	model:	quicktime	scope:	eq	version:	7.2	Trust: 0.3
vendor:	apple	model:	quicktime	scope:	eq	version:	7	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.0.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5.1.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.9	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.8	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.7	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.6	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.10	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.0	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	2.0	Trust: 0.3
vendor:	apple	model:	tv	scope:	eq	version:	5.0	Trust: 0.3
vendor:	apple	model:	tv	scope:	eq	version:	4.4	Trust: 0.3
vendor:	apple	model:	tv	scope:	eq	version:	4.3	Trust: 0.3
vendor:	apple	model:	tv	scope:	eq	version:	4.2	Trust: 0.3
vendor:	apple	model:	tv	scope:	eq	version:	4.1	Trust: 0.3
vendor:	apple	model:	tv	scope:	eq	version:	4.0	Trust: 0.3

sources: BID: 76340 // JVNDB: JVNDB-2015-004271 // CNNVD: CNNVD-201508-265 // NVD: CVE-2015-3774

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-3774
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-3774
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201508-265
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-81735
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-3774
severity:	MEDIUM
baseScore:	4.8
vectorString:	AV:A/AC:L/AU:N/C:P/I:P/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-81735
severity:	MEDIUM
baseScore:	4.8
vectorString:	AV:A/AC:L/AU:N/C:P/I:P/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-81735 // JVNDB: JVNDB-2015-004271 // CNNVD: CNNVD-201508-265 // NVD: CVE-2015-3774

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-81735 // JVNDB: JVNDB-2015-004271 // NVD: CVE-2015-3774

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201508-265

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201508-265

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004271

PATCH

title:	Apple security updates	url:	http://support.apple.com/en-us/HT1222	Trust: 0.8
title:	APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006	url:	http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html	Trust: 0.8
title:	HT205031	url:	http://support.apple.com/en-us/HT205031	Trust: 0.8
title:	HT205031	url:	http://support.apple.com/ja-jp/HT205031	Trust: 0.8

sources: JVNDB: JVNDB-2015-004271

EXTERNAL IDS

db:	NVD	id:	CVE-2015-3774	Trust: 2.8
db:	BID	id:	76340	Trust: 2.0
db:	SECTRACK	id:	1033276	Trust: 1.1
db:	JVN	id:	JVNVU94440136	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-004271	Trust: 0.8
db:	CNNVD	id:	CNNVD-201508-265	Trust: 0.7
db:	ZDI	id:	ZDI-15-390	Trust: 0.3
db:	VULHUB	id:	VHN-81735	Trust: 0.1

sources: VULHUB: VHN-81735 // BID: 76340 // JVNDB: JVNDB-2015-004271 // CNNVD: CNNVD-201508-265 // NVD: CVE-2015-3774

REFERENCES

url:	http://lists.apple.com/archives/security-announce/2015/aug/msg00001.html	Trust: 1.7
url:	http://www.securityfocus.com/bid/76340	Trust: 1.7
url:	https://support.apple.com/kb/ht205031	Trust: 1.7
url:	http://www.securitytracker.com/id/1033276	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3774	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu94440136/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-3774	Trust: 0.8
url:	http://www.apple.com/macosx/	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/zdi-15-390/	Trust: 0.3
url:	http://prod.lists.apple.com/archives/security-announce/2015/aug/msg00004.html	Trust: 0.3
url:	https://support.apple.com/en-ie/ht205031	Trust: 0.3

sources: VULHUB: VHN-81735 // BID: 76340 // JVNDB: JVNDB-2015-004271 // CNNVD: CNNVD-201508-265 // NVD: CVE-2015-3774

CREDITS

An anonymous researcher working with HP's Zero Day Initiative, Jeffrey Paul of EEQJ, Jan Bee of the Google Security Team, Maxime VILLARD of m00nbsd, Ryan Pentney and Richard Johnson of Cisco Talos, Xiaoyong Wu of the Evernote Security Team, JieTao Yang of KeenTeam

Trust: 0.6

sources: CNNVD: CNNVD-201508-265

SOURCES

db:	VULHUB	id:	VHN-81735
db:	BID	id:	76340
db:	JVNDB	id:	JVNDB-2015-004271
db:	CNNVD	id:	CNNVD-201508-265
db:	NVD	id:	CVE-2015-3774

LAST UPDATE DATE

2025-04-13T20:33:45.479000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-81735	date:	2017-09-21T00:00:00
db:	BID	id:	76340	date:	2016-07-05T21:35:00
db:	JVNDB	id:	JVNDB-2015-004271	date:	2015-08-21T00:00:00
db:	CNNVD	id:	CNNVD-201508-265	date:	2015-08-18T00:00:00
db:	NVD	id:	CVE-2015-3774	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-81735	date:	2015-08-16T00:00:00
db:	BID	id:	76340	date:	2015-08-13T00:00:00
db:	JVNDB	id:	JVNDB-2015-004271	date:	2015-08-21T00:00:00
db:	CNNVD	id:	CNNVD-201508-265	date:	2015-08-18T00:00:00
db:	NVD	id:	CVE-2015-3774	date:	2015-08-16T23:59:47.127