ID

VAR-201702-0227


CVE

CVE-2016-7628


TITLE

Apple macOS vulnerability that allows bypass of permission restrictions in the Assets component

Trust: 0.8

sources: JVNDB: JVNDB-2016-007400

DESCRIPTION

An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Assets" component, which allows local users to bypass intended permission restrictions and change a downloaded mobile asset via unspecified vectors. Apple macOS is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, obtain sensitive information, gain elevated privileges or cause a denial-of-service condition. Assets is one of the library components that supports multi-picture selection. An attacker could exploit this vulnerability to alter the downloaded phone gallery.

Trust: 2.07

sources: NVD: CVE-2016-7628 // JVNDB: JVNDB-2016-007400 // BID: 94903 // VULHUB: VHN-96448 // VULMON: CVE-2016-7628

AFFECTED PRODUCTS

vendor: apple, model: mac os x, scope: eq, version: 10.12.1

Trust: 1.4

vendor: apple, model: mac os x, scope: lte, version: 10.12.1

Trust: 1.0

vendor: apple, model: macos, scope: eq, version: 10.12.1

Trust: 0.3

vendor: apple, model: macos, scope: ne, version: 10.12.2

Trust: 0.3

sources: BID: 94903 // JVNDB: JVNDB-2016-007400 // CNNVD: CNNVD-201612-487 // NVD: CVE-2016-7628

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-7628
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-7628
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201612-487
value: LOW

Trust: 0.6

VULHUB: VHN-96448
value: LOW

Trust: 0.1

VULMON: CVE-2016-7628
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2016-7628
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-96448
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-7628
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-96448 // VULMON: CVE-2016-7628 // JVNDB: JVNDB-2016-007400 // CNNVD: CNNVD-201612-487 // NVD: CVE-2016-7628

PROBLEMTYPE DATA

problemtype: CWE-264

Trust: 1.9

sources: VULHUB: VHN-96448 // JVNDB: JVNDB-2016-007400 // NVD: CVE-2016-7628

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201612-487

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201612-487

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007400

PATCH

title: Apple security updates
url: https://support.apple.com/en-us/HT201222

Trust: 0.8

title: APPLE-SA-2016-12-13-1 macOS 10.12.2
url: https://lists.apple.com/archives/security-announce/2016/Dec/msg00003.html

Trust: 0.8

title: HT207423
url: https://support.apple.com/en-us/HT207423

Trust: 0.8

title: HT207423
url: https://support.apple.com/ja-jp/HT207423

Trust: 0.8

title: Apple macOS Sierra Assets Fixes for component security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66521

Trust: 0.6

title: Apple: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
url: https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=123eba6ece0d39a424cb657303ba745a

Trust: 0.1

sources: VULMON: CVE-2016-7628 // JVNDB: JVNDB-2016-007400 // CNNVD: CNNVD-201612-487

EXTERNAL IDS

db: NVD, id: CVE-2016-7628

Trust: 2.9

db: BID, id: 94903

Trust: 2.1

db: SECTRACK, id: 1037469

Trust: 1.2

db: JVN, id: JVNVU97133642

Trust: 0.8

db: JVNDB, id: JVNDB-2016-007400

Trust: 0.8

db: CNNVD, id: CNNVD-201612-487

Trust: 0.7

db: VULHUB, id: VHN-96448

Trust: 0.1

db: VULMON, id: CVE-2016-7628

Trust: 0.1

sources: VULHUB: VHN-96448 // VULMON: CVE-2016-7628 // BID: 94903 // JVNDB: JVNDB-2016-007400 // CNNVD: CNNVD-201612-487 // NVD: CVE-2016-7628

REFERENCES

url: http://www.securityfocus.com/bid/94903

Trust: 1.9

url: https://support.apple.com/ht207423

Trust: 1.8

url: http://www.securitytracker.com/id/1037469

Trust: 1.2

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-7628

Trust: 0.8

url: http://jvn.jp/vu/jvnvu97133642/index.html

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-7628

Trust: 0.8

url: https://www.apple.com/

Trust: 0.3

url: http://www.apple.com/macosx/

Trust: 0.3

url: https://cwe.mitre.org/data/definitions/264.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://support.apple.com/kb/ht207423

Trust: 0.1

url: https://tools.cisco.com/security/center/viewalert.x?alertid=52090

Trust: 0.1

sources: VULHUB: VHN-96448 // VULMON: CVE-2016-7628 // BID: 94903 // JVNDB: JVNDB-2016-007400 // CNNVD: CNNVD-201612-487 // NVD: CVE-2016-7628

CREDITS

daybreaker@Minionz working with Trend Micro's Zero Day Initiative, an anonymous researcher, Pekka Oikarainen, Matias Karhumaa and Marko Laakso of Synopsys Software Integrity Group, daybreaker of Minionz, Radu Motspan working with Trend Micro's Zero Day In

Trust: 0.6

sources: CNNVD: CNNVD-201612-487

SOURCES

db: VULHUB, id: VHN-96448
db: VULMON, id: CVE-2016-7628
db: BID, id: 94903
db: JVNDB, id: JVNDB-2016-007400
db: CNNVD, id: CNNVD-201612-487
db: NVD, id: CVE-2016-7628

LAST UPDATE DATE

2025-04-20T19:51:54.201000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-96448, date: 2017-07-27T00:00:00
db: VULMON, id: CVE-2016-7628, date: 2017-07-27T00:00:00
db: BID, id: 94903, date: 2016-12-20T00:09:00
db: JVNDB, id: JVNDB-2016-007400, date: 2017-02-28T00:00:00
db: CNNVD, id: CNNVD-201612-487, date: 2017-03-01T00:00:00
db: NVD, id: CVE-2016-7628, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB, id: VHN-96448, date: 2017-02-20T00:00:00
db: VULMON, id: CVE-2016-7628, date: 2017-02-20T00:00:00
db: BID, id: 94903, date: 2016-12-13T00:00:00
db: JVNDB, id: JVNDB-2016-007400, date: 2017-02-28T00:00:00
db: CNNVD, id: CNNVD-201612-487, date: 2016-12-15T00:00:00
db: NVD, id: CVE-2016-7628, date: 2017-02-20T08:59:03.057