Sign-up

ID

VAR-201509-0088


CVE

CVE-2015-5860


TITLE

Apple iOS of CFNetwork HTTPProtocol In the component Safari Vulnerabilities that bypass the private browsing protection mechanism

Trust: 0.8

sources: JVNDB: JVNDB-2015-004816

DESCRIPTION

The CFNetwork HTTPProtocol component in Apple iOS before 9 mishandles HSTS state, which allows remote attackers to bypass the Safari private-browsing protection mechanism and track users via a crafted web site. Apple iOS is prone to multiple security vulnerabilities. Attackers can exploit these issues to bypass security restrictions, obtain sensitive information, execute arbitrary code, cause a denial-of-service condition, perform unauthorized actions and gain system privileges; this may aid in launching further attacks. Versions prior to iOS 9 are vulnerable. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. The vulnerability stems from the fact that the program does not correctly handle the HSTS state

Trust: 2.07

sources: NVD: CVE-2015-5860 // JVNDB: JVNDB-2015-004816 // BID: 76764 // VULHUB: VHN-83821 // VULMON: CVE-2015-5860

AFFECTED PRODUCTS

vendor:applemodel:watchosscope:eqversion:1.0

Trust: 1.6

vendor:applemodel:iphone osscope:lteversion:8.4.1

Trust: 1.0

vendor:applemodel:mac os xscope:ltversion:10.6.8 thats all 10.11

Trust: 0.8

vendor:applemodel:iosscope:ltversion:9 (ipad 2 or later )

Trust: 0.8

vendor:applemodel:iosscope:ltversion:9 (iphone 4s or later )

Trust: 0.8

vendor:applemodel:iosscope:ltversion:9 (ipod touch first 5 after generation )

Trust: 0.8

vendor:applemodel:iphone osscope:eqversion:8.4.1

Trust: 0.6

vendor:applemodel:ipod touchscope:eqversion:0

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:0

Trust: 0.3

vendor:applemodel:ipadscope:eqversion:0

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.0.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.0.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:3.2.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:3.2.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:5.1.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:5.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:5.0.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:5

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.3.5

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.3.4

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.3.3

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.3.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.3.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.3

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.9

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.8

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.7

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.6

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.5

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2.10

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4

Trust: 0.3

vendor:applemodel:iosscope:eqversion:3.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:3.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:3.0

Trust: 0.3

sources: BID: 76764 // JVNDB: JVNDB-2015-004816 // CNNVD: CNNVD-201509-339 // NVD: CVE-2015-5860

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-5860
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-5860
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201509-339
value: MEDIUM

Trust: 0.6

VULHUB: VHN-83821
value: MEDIUM

Trust: 0.1

VULMON: CVE-2015-5860
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-5860
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-83821
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-83821 // VULMON: CVE-2015-5860 // JVNDB: JVNDB-2015-004816 // CNNVD: CNNVD-201509-339 // NVD: CVE-2015-5860

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-83821 // JVNDB: JVNDB-2015-004816 // NVD: CVE-2015-5860

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201509-339

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201509-339

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-004816

PATCH
title:Apple security updatesurl:https://support.apple.com/en-us/HT201222
Trust: 0.8
title:APPLE-SA-2015-09-16-1 iOS 9url:http://lists.apple.com/archives/security-announce/2015/Sep/msg00001.html
Trust: 0.8
title:APPLE-SA-2015-09-30-3 OS X El Capitan 10.11url:http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
Trust: 0.8
title:HT205212url:https://support.apple.com/en-us/HT205212
Trust: 0.8
title:HT205267url:https://support.apple.com/en-us/HT205267
Trust: 0.8
title:HT205267url:http://support.apple.com/ja-jp/HT205267
Trust: 0.8
title:HT205212url:http://support.apple.com/ja-jp/HT205212
Trust: 0.8
title:Apple: OS X El Capitan v10.11url:https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=e88bab658248444f5dffc23fd95859e7
Trust: 0.1
sources:
            
            
            VULMON: CVE-2015-5860 // 
            
            
            
            JVNDB: JVNDB-2015-004816

EXTERNAL IDS
db:NVDid:CVE-2015-5860
Trust: 2.9
db:BIDid:76764
Trust: 1.5
db:SECTRACKid:1033609
Trust: 1.2
db:JVNid:JVNVU97220341
Trust: 0.8
db:JVNid:JVNVU99970459
Trust: 0.8
db:JVNDBid:JVNDB-2015-004816
Trust: 0.8
db:CNNVDid:CNNVD-201509-339
Trust: 0.7
db:VULHUBid:VHN-83821
Trust: 0.1
db:VULMONid:CVE-2015-5860
Trust: 0.1
sources:
            
            
            VULHUB: VHN-83821 // 
            
            
            
            VULMON: CVE-2015-5860 // 
            
            
            
            BID: 76764 // 
            
            
            
            JVNDB: JVNDB-2015-004816 // 
            
            
            
            CNNVD: CNNVD-201509-339 // 
            
            
            
            NVD: CVE-2015-5860

REFERENCES
url:http://lists.apple.com/archives/security-announce/2015/sep/msg00001.html
Trust: 1.8
url:https://support.apple.com/ht205212
Trust: 1.8
url:http://lists.apple.com/archives/security-announce/2015/sep/msg00008.html
Trust: 1.2
url:http://www.securityfocus.com/bid/76764
Trust: 1.2
url:https://support.apple.com/ht205267
Trust: 1.2
url:http://www.securitytracker.com/id/1033609
Trust: 1.2
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-5860
Trust: 0.8
url:http://jvn.jp/vu/jvnvu99970459/index.html
Trust: 0.8
url:http://jvn.jp/vu/jvnvu97220341/index.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-5860
Trust: 0.8
url:http://www.apple.com/ios/
Trust: 0.3
url:http://www.apple.com/ipad/
Trust: 0.3
url:http://www.apple.com/iphone/
Trust: 0.3
url:http://www.apple.com/ipodtouch/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/200.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://support.apple.com/kb/ht205267
Trust: 0.1
url:https://www.rapid7.com/db/vulnerabilities/apple-ios-cve-2015-5861
Trust: 0.1
url:http://tools.cisco.com/security/center/viewalert.x?alertid=41307
Trust: 0.1
sources:
            
            
            VULHUB: VHN-83821 // 
            
            
            
            VULMON: CVE-2015-5860 // 
            
            
            
            BID: 76764 // 
            
            
            
            JVNDB: JVNDB-2015-004816 // 
            
            
            
            CNNVD: CNNVD-201509-339 // 
            
            
            
            NVD: CVE-2015-5860

CREDITS
Xiaofeng Zheng, Tsinghua University, Sam Greenhalgh, Andreas Kurtz, Erling Ellingsen, Amit Klein, Timothy J. Wood, Jin Han, Su Mon Kywe, Qiang Yan, Robert Deng, Debin Gao, Yingjiu Li, Feng Bao and Jianying Zhou, 1x7e1, beist of grayhash, Filippo Bigarella,
Trust: 0.3
sources:
            
            
            BID: 76764

SOURCES
db:VULHUBid:VHN-83821
db:VULMONid:CVE-2015-5860
db:BIDid:76764
db:JVNDBid:JVNDB-2015-004816
db:CNNVDid:CNNVD-201509-339
db:NVDid:CVE-2015-5860

LAST UPDATE DATE
2025-04-13T22:25:15.786000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-83821date:2016-12-22T00:00:00
db:VULMONid:CVE-2015-5860date:2016-12-22T00:00:00
db:BIDid:76764date:2015-11-03T19:44:00
db:JVNDBid:JVNDB-2015-004816date:2015-10-06T00:00:00
db:CNNVDid:CNNVD-201509-339date:2015-09-21T00:00:00
db:NVDid:CVE-2015-5860date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-83821date:2015-09-18T00:00:00
db:VULMONid:CVE-2015-5860date:2015-09-18T00:00:00
db:BIDid:76764date:2015-09-16T00:00:00
db:JVNDBid:JVNDB-2015-004816date:2015-09-25T00:00:00
db:CNNVDid:CNNVD-201509-339date:2015-09-21T00:00:00
db:NVDid:CVE-2015-5860date:2015-09-18T11:00:08.580