Sign-up

ID

VAR-201510-0188


CVE

CVE-2015-7031


TITLE

Apple OS X Server of Web Service Vulnerabilities that prevent access restrictions on components

Trust: 0.8

sources: JVNDB: JVNDB-2015-005538

DESCRIPTION

The Web Service component in Apple OS X Server before 5.0.15 omits an unspecified HTTP header configuration, which allows remote attackers to bypass intended access restrictions via unknown vectors. Apple Mac OS X Server is prone to a security bypass vulnerability. Attackers can exploit this issue to bypass security restrictions and perform unauthorized actions. The software enables file sharing, meeting scheduling, website hosting, network remote access, and more. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2015-10-21-8 OS X Server 5.0.15 OS X Server 5.0.15 is now available and addresses the following: BIND Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.1 or later Impact: Multiple vulnerabilities in BIND Description: Multiple vulnerabilities existed in BIND versions prior to 9.9.7-P3, one of which may have allowed a remote attacker to cause a denial of service. These issues were addressed by updating BIND to version 9.9.7-P3. This issue was addressed by adding the HTTP header field reference to the configuration file. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJWKAhrAAoJEBcWfLTuOo7tsN8QAIP+kwPIqIYE16y6TpbqrM00 8AcWebFjTbFVe1dfy415t4Brt125M+knKio+Q7UGxXi2xDHo1ceNTZyzfnok6oU7 DS6D9a70696wsauc9Lqc3nzkdIc2lLZRc0B1mouc0DGFnqYSEXjz8vO+sZLzOKmk 0G+v+MkXkj2rQhpBF3CmyQIfnFFv6Cw72LLk1pD+7u3b9HAiWcr4+Xt455xmMRX0 4Yg/a4o/m3Ly8QE+4TnKK9uml9GANEscUB3aSIWe5EZUb/2nU/dFgQKpBcMk75B4 hl29OuGedICeufffIvB0v/m/izZA8+WnOePn/+vHBAhklr1I5GkZrS84Nq/B1KI7 IrdjtSEs8aincUEdQSTcPj0N1kjUGKXTZzFWKcF0zUx4mRMc0isTbEwMk5i7/mIe VGE1hwEC7M5Bv5SYOhUh+NbiN6naJLdGOeiEVuWFS7lBFlbM/6A5WHASO7+LKyGE yj8IWeLX8V0vs6FUQ8Nd+foK0RLJ7P4l0n9SVsO/4+08Ky10lsbKHVL+1SkID/+l NZLj74g5hENq2EoFV6Jzk8FaRCLzTA0SAWB7eSZoQ2+o6vb05mfK0Lo+Qg2HGfVG dApFNrRBbAS5Y9Gxxjhs1rWohXA7CCnQrJWvY/dS/95VhfOqoYEwvHbeyF6g3pOD r/5hVszdp29eso8Ti48p =icYN -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2015-7031 // JVNDB: JVNDB-2015-005538 // BID: 77272 // VULHUB: VHN-84992 // PACKETSTORM: 134059

AFFECTED PRODUCTS

vendor:applemodel:mac os x serverscope:lteversion:5.0.14

Trust: 1.0

vendor:applemodel:macos serverscope:ltversion:5.0.15 (os x el capitan 10.11.1 or later )

Trust: 0.8

vendor:applemodel:macos serverscope:ltversion:5.0.15 (os x yosemite 10.10.5)

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:5.0.14

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x5.0.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x4.1.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x3.2.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x3.2.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x3.1.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x2.2.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x2.2.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x2.2.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x2.2.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x2.1.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x4.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x4.0

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x3.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x3.0

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x2.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x2.0

Trust: 0.3

vendor:applemodel:mac os serverscope:neversion:x5.0.15

Trust: 0.3

sources: BID: 77272 // JVNDB: JVNDB-2015-005538 // CNNVD: CNNVD-201510-507 // NVD: CVE-2015-7031

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7031
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-7031
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201510-507
value: MEDIUM

Trust: 0.6

VULHUB: VHN-84992
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-7031
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-84992
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-84992 // JVNDB: JVNDB-2015-005538 // CNNVD: CNNVD-201510-507 // NVD: CVE-2015-7031

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-84992 // JVNDB: JVNDB-2015-005538 // NVD: CVE-2015-7031

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201510-507

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201510-507

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-005538

PATCH
title:Apple security updatesurl:https://support.apple.com/en-us/HT201222
Trust: 0.8
title:APPLE-SA-2015-10-21-8 OS X Server 5.0.15url:http://lists.apple.com/archives/security-announce/2015/Oct/msg00009.html
Trust: 0.8
title:HT205376url:https://support.apple.com/en-us/HT205376
Trust: 0.8
title:HT205376url:http://support.apple.com/ja-jp/HT205376
Trust: 0.8
title:Apple OS X Server Web Service Fixes for component permissions licensing and access control vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=58351
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2015-005538 // 
            
            
            
            CNNVD: CNNVD-201510-507

EXTERNAL IDS
db:NVDid:CVE-2015-7031
Trust: 2.9
db:SECTRACKid:1033933
Trust: 1.1
db:JVNid:JVNVU92655282
Trust: 0.8
db:JVNDBid:JVNDB-2015-005538
Trust: 0.8
db:CNNVDid:CNNVD-201510-507
Trust: 0.6
db:BIDid:77272
Trust: 0.4
db:VULHUBid:VHN-84992
Trust: 0.1
db:PACKETSTORMid:134059
Trust: 0.1
sources:
            
            
            VULHUB: VHN-84992 // 
            
            
            
            BID: 77272 // 
            
            
            
            JVNDB: JVNDB-2015-005538 // 
            
            
            
            PACKETSTORM: 134059 // 
            
            
            
            CNNVD: CNNVD-201510-507 // 
            
            
            
            NVD: CVE-2015-7031

REFERENCES
url:http://lists.apple.com/archives/security-announce/2015/oct/msg00009.html
Trust: 1.7
url:https://support.apple.com/ht205376
Trust: 1.7
url:http://www.securitytracker.com/id/1033933
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7031
Trust: 0.8
url:http://jvn.jp/vu/jvnvu92655282/
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7031
Trust: 0.8
url:http://www.apple.com/macosx/
Trust: 0.3
url:http://www.apple.com/server/macosx/
Trust: 0.3
url:https://support.apple.com/kb/ht201222
Trust: 0.1
url:https://www.apple.com/support/security/pgp/
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2015-5722
Trust: 0.1
url:https://gpgtools.org
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2015-7031
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2015-5986
Trust: 0.1
sources:
            
            
            VULHUB: VHN-84992 // 
            
            
            
            BID: 77272 // 
            
            
            
            JVNDB: JVNDB-2015-005538 // 
            
            
            
            PACKETSTORM: 134059 // 
            
            
            
            CNNVD: CNNVD-201510-507 // 
            
            
            
            NVD: CVE-2015-7031

CREDITS
Anonymous
Trust: 0.3
sources:
            
            
            BID: 77272

SOURCES
db:VULHUBid:VHN-84992
db:BIDid:77272
db:JVNDBid:JVNDB-2015-005538
db:PACKETSTORMid:134059
db:CNNVDid:CNNVD-201510-507
db:NVDid:CVE-2015-7031

LAST UPDATE DATE
2025-04-13T22:23:58.711000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-84992date:2016-12-24T00:00:00
db:BIDid:77272date:2015-10-21T00:00:00
db:JVNDBid:JVNDB-2015-005538date:2015-10-26T00:00:00
db:CNNVDid:CNNVD-201510-507date:2015-10-26T00:00:00
db:NVDid:CVE-2015-7031date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-84992date:2015-10-23T00:00:00
db:BIDid:77272date:2015-10-21T00:00:00
db:JVNDBid:JVNDB-2015-005538date:2015-10-26T00:00:00
db:PACKETSTORMid:134059date:2015-10-21T22:22:22
db:CNNVDid:CNNVD-201510-507date:2015-10-26T00:00:00
db:NVDid:CVE-2015-7031date:2015-10-23T10:59:16.177