ID

VAR-201804-1218


CVE

CVE-2018-4106


TITLE

Apple Mac OS X Terminal component's Bracketed Paste Mode is vulnerable to arbitrary command insertion in pasted content

Trust: 0.8

sources: JVNDB: JVNDB-2018-003644

DESCRIPTION

An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the Bracketed Paste Mode of the "Terminal" component. It allows user-assisted attackers to inject arbitrary commands within pasted content. Apple macOS is prone to multiple security vulnerabilities. Attackers can exploit these issues to obtain sensitive information, bypass security restrictions, execute arbitrary code, obtain elevated privileges and perform unauthorized actions; this may aid in launching further attacks. Apple macOS High Sierra is a dedicated operating system developed by Apple for Mac computers. Terminal is one of the terminal components

Trust: 1.98

sources: NVD: CVE-2018-4106 // JVNDB: JVNDB-2018-003644 // BID: 103582 // VULHUB: VHN-134137

AFFECTED PRODUCTS

vendor: apple, model: mac os x, scope: lt, version: 10.13.4

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.13.3

Trust: 0.8

vendor: apple, model: mac os x, scope: eq, version: 10.2.1

Trust: 0.6

vendor: apple, model: mac os x, scope: eq, version: 10.2.0

Trust: 0.6

vendor: apple, model: mac os x, scope: eq, version: 10.1

Trust: 0.6

vendor: apple, model: mac os x, scope: eq, version: 10.2

Trust: 0.6

vendor: apple, model: mac os x, scope: eq, version: 10.1.0

Trust: 0.6

vendor: apple, model: mac os x, scope: eq, version: 10.1.5

Trust: 0.6

vendor: apple, model: mac os x, scope: eq, version: 10.1.1

Trust: 0.6

vendor: apple, model: mac os x, scope: eq, version: 10.1.3

Trust: 0.6

vendor: apple, model: mac os x, scope: eq, version: 10.1.2

Trust: 0.6

vendor: apple, model: mac os x, scope: eq, version: 10.1.4

Trust: 0.6

vendor: apple, model: macos, scope: eq, version: 10.13.1

Trust: 0.3

vendor: apple, model: macos, scope: eq, version: 10.13.3

Trust: 0.3

vendor: apple, model: macos, scope: eq, version: 10.13.2

Trust: 0.3

vendor: apple, model: macos, scope: eq, version: 10.13

Trust: 0.3

vendor: apple, model: macos, scope: eq, version: 10.12.6

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11.6

Trust: 0.3

vendor: apple, model: macos, scope: ne, version: 10.13.4

Trust: 0.3

sources: BID: 103582 // JVNDB: JVNDB-2018-003644 // CNNVD: CNNVD-201804-199 // NVD: CVE-2018-4106

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-4106
value: HIGH

Trust: 1.0

NVD: CVE-2018-4106
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201804-199
value: HIGH

Trust: 0.6

VULHUB: VHN-134137
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-4106
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-134137
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2018-4106
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-134137 // JVNDB: JVNDB-2018-003644 // CNNVD: CNNVD-201804-199 // NVD: CVE-2018-4106

PROBLEMTYPE DATA

problemtype: CWE-74

Trust: 1.1

problemtype: CWE-77

Trust: 0.9

sources: VULHUB: VHN-134137 // JVNDB: JVNDB-2018-003644 // NVD: CVE-2018-4106

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201804-199

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-201804-199

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-003644

PATCH

title: HT208692, url: https://support.apple.com/en-us/HT208692

Trust: 0.8

title: HT208692, url: https://support.apple.com/ja-jp/HT208692

Trust: 0.8

title: Apple macOS High Sierra Terminal Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83051

Trust: 0.6

sources: JVNDB: JVNDB-2018-003644 // CNNVD: CNNVD-201804-199

EXTERNAL IDS

db: NVD, id: CVE-2018-4106

Trust: 2.8

db: BID, id: 103582

Trust: 2.0

db: SECTRACK, id: 1040608

Trust: 1.7

db: JVN, id: JVNVU92378299

Trust: 0.8

db: JVNDB, id: JVNDB-2018-003644

Trust: 0.8

db: CNNVD, id: CNNVD-201804-199

Trust: 0.7

db: VULHUB, id: VHN-134137

Trust: 0.1

sources: VULHUB: VHN-134137 // BID: 103582 // JVNDB: JVNDB-2018-003644 // CNNVD: CNNVD-201804-199 // NVD: CVE-2018-4106

REFERENCES

url: http://www.securityfocus.com/bid/103582

Trust: 1.7

url: https://support.apple.com/ht208692

Trust: 1.7

url: http://www.securitytracker.com/id/1040608

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4106

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-4106

Trust: 0.8

url: https://jvn.jp/vu/jvnvu92378299/index.html

Trust: 0.8

url: https://www.apple.com/

Trust: 0.3

url: https://support.apple.com/en-ie/ht208692

Trust: 0.3

sources: VULHUB: VHN-134137 // BID: 103582 // JVNDB: JVNDB-2018-003644 // CNNVD: CNNVD-201804-199 // NVD: CVE-2018-4106

CREDITS

David J Beitey (@davidjb_), Geoffrey Bugniot, Simon Hosie, an anonymous researcher, Kamatham Chaitanya of ShiftLeft Inc., Haik Aftandilian of Mozilla, Axis and pjf of IceSword Lab of Qihoo 360, Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc., Jonas Jens

Trust: 0.3

sources: BID: 103582

SOURCES

db: VULHUB, id: VHN-134137
db: BID, id: 103582
db: JVNDB, id: JVNDB-2018-003644
db: CNNVD, id: CNNVD-201804-199
db: NVD, id: CVE-2018-4106

LAST UPDATE DATE

2024-11-23T20:57:40.516000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-134137, date: 2020-08-24T00:00:00
db: BID, id: 103582, date: 2018-03-29T00:00:00
db: JVNDB, id: JVNDB-2018-003644, date: 2018-05-31T00:00:00
db: CNNVD, id: CNNVD-201804-199, date: 2020-10-22T00:00:00
db: NVD, id: CVE-2018-4106, date: 2024-11-21T04:06:46.517

SOURCES RELEASE DATE

db: VULHUB, id: VHN-134137, date: 2018-04-03T00:00:00
db: BID, id: 103582, date: 2018-03-29T00:00:00
db: JVNDB, id: JVNDB-2018-003644, date: 2018-05-31T00:00:00
db: CNNVD, id: CNNVD-201804-199, date: 2018-04-03T00:00:00
db: NVD, id: CVE-2018-4106, date: 2018-04-03T06:29:04.280