Details of VAR-201509-0275

ID

VAR-201509-0275

CVE

CVE-2015-5920

TITLE

Apple iTunes of Software Update Encrypted in components SMB Vulnerabilities for which authentication information is obtained

Trust: 0.8

sources: JVNDB: JVNDB-2015-004793

DESCRIPTION

The Software Update component in Apple iTunes before 12.3 does not properly handle redirection, which allows man-in-the-middle attackers to discover encrypted SMB credentials via unspecified vectors. Supplementary information : CWE Vulnerability type by CWE-601: URL Redirection to Untrusted Site ( Open redirect ) Has been identified. http://cwe.mitre.org/data/definitions/601.htmlMan-in-the-middle attacks (man-in-the-middle attack) Was encrypted by SMB Authentication information may be obtained. Apple iTunes is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain potentially sensitive information. This may lead to further attacks. Versions prior to iTunes 12.3 are vulnerable. Apple iTunes is a set of media player applications of Apple (Apple), which is mainly used for playing and managing digital music and video files. Software Update is one of the application software update components. The vulnerability stems from the program's improper handling of redirection operations

Trust: 1.98

sources: NVD: CVE-2015-5920 // JVNDB: JVNDB-2015-004793 // BID: 76776 // VULHUB: VHN-83881

AFFECTED PRODUCTS

vendor:	apple	model:	itunes	scope:	lte	version:	12.2	Trust: 1.0
vendor:	apple	model:	itunes	scope:	eq	version:	12.2	Trust: 0.9
vendor:	apple	model:	itunes	scope:	lt	version:	12.3 (windows 7 or later )	Trust: 0.8
vendor:	esignal	model:	esignal	scope:	eq	version:	6.0.2	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.2.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.1.5	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.1.4	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.1.3	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.1.2	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.1.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.0.5	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.0.4	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.0.2	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.6.3	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.6.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.5.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.1.2	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	9.2.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	9.0.2	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	9.0.1.8	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	9.0.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	9.0	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	7.3.2	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	7.3.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	7.3	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	7.0.2	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	6.0.5	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	6.0.4	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	6.0.3	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	6.0.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	6.0	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	5.0	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	4.8	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	4.7.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	4.7	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	4.6	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	4.5	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	4.2.72	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	9.2	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	9.1.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	9.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	9.0.3	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	8.2	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	8.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	8.0.2.20	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	8.0	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	7.4	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	12.0.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.2	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.0.3	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.0.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.0.0.163	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	11.0	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.7	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.6.1.7	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.6	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.5.3	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.5.2	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.5.1.42	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.5	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.4.1.10	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.4.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.4.0.80	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.4	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.3.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.3	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.2.2.12	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.2.2	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.2	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.1.1.4	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.1.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.0.1	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10.0	Trust: 0.3
vendor:	apple	model:	itunes	scope:	eq	version:	10	Trust: 0.3
vendor:	apple	model:	itunes	scope:	ne	version:	12.3	Trust: 0.3

sources: BID: 76776 // JVNDB: JVNDB-2015-004793 // CNNVD: CNNVD-201509-367 // NVD: CVE-2015-5920

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-5920
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-5920
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201509-367
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-83881
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-5920
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-83881
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-83881 // JVNDB: JVNDB-2015-004793 // CNNVD: CNNVD-201509-367 // NVD: CVE-2015-5920

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2015-004793 // NVD: CVE-2015-5920

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201509-367

TYPE

Design Error

Trust: 0.3

sources: BID: 76776

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004793

PATCH

title:	Apple security updates	url:	https://support.apple.com/en-us/HT201222	Trust: 0.8
title:	APPLE-SA-2015-09-16-3 iTunes 12.3	url:	http://lists.apple.com/archives/security-announce/2015/Sep/msg00003.html	Trust: 0.8
title:	HT205221	url:	https://support.apple.com/en-us/HT205221	Trust: 0.8
title:	HT205221	url:	http://support.apple.com/ja-jp/HT205221	Trust: 0.8
title:	iTunes6464Setup	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=57671	Trust: 0.6
title:	iPhone7,1_9.0_13A344_Restore	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=57670	Trust: 0.6

sources: JVNDB: JVNDB-2015-004793 // CNNVD: CNNVD-201509-367

EXTERNAL IDS

db:	NVD	id:	CVE-2015-5920	Trust: 2.8
db:	SECTRACK	id:	1033617	Trust: 1.1
db:	JVN	id:	JVNVU99970459	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-004793	Trust: 0.8
db:	CNNVD	id:	CNNVD-201509-367	Trust: 0.7
db:	BID	id:	76776	Trust: 0.4
db:	VULHUB	id:	VHN-83881	Trust: 0.1

sources: VULHUB: VHN-83881 // BID: 76776 // JVNDB: JVNDB-2015-004793 // CNNVD: CNNVD-201509-367 // NVD: CVE-2015-5920

REFERENCES

url:	http://lists.apple.com/archives/security-announce/2015/sep/msg00003.html	Trust: 1.7
url:	https://support.apple.com/ht205221	Trust: 1.7
url:	http://www.securitytracker.com/id/1033617	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-5920	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu99970459/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-5920	Trust: 0.8
url:	https://www.apple.com/	Trust: 0.3
url:	http://www.apple.com/itunes/	Trust: 0.3
url:	https://support.apple.com/en-us/ht205221	Trust: 0.3

sources: VULHUB: VHN-83881 // BID: 76776 // JVNDB: JVNDB-2015-004793 // CNNVD: CNNVD-201509-367 // NVD: CVE-2015-5920

CREDITS

Cylance

Trust: 0.3

sources: BID: 76776

SOURCES

db:	VULHUB	id:	VHN-83881
db:	BID	id:	76776
db:	JVNDB	id:	JVNDB-2015-004793
db:	CNNVD	id:	CNNVD-201509-367
db:	NVD	id:	CVE-2015-5920

LAST UPDATE DATE

2025-04-13T20:06:14.822000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-83881	date:	2016-12-22T00:00:00
db:	BID	id:	76776	date:	2015-09-16T00:00:00
db:	JVNDB	id:	JVNDB-2015-004793	date:	2015-09-25T00:00:00
db:	CNNVD	id:	CNNVD-201509-367	date:	2015-09-22T00:00:00
db:	NVD	id:	CVE-2015-5920	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-83881	date:	2015-09-18T00:00:00
db:	BID	id:	76776	date:	2015-09-16T00:00:00
db:	JVNDB	id:	JVNDB-2015-004793	date:	2015-09-25T00:00:00
db:	CNNVD	id:	CNNVD-201509-367	date:	2015-09-22T00:00:00
db:	NVD	id:	CVE-2015-5920	date:	2015-09-18T12:00:59.587