Sign-up

ID

VAR-201804-1219


CVE

CVE-2018-4107


TITLE

Apple Mac OS X of PDFKit In the component PDF In the document URL Vulnerability that circumvents intended restrictions on

Trust: 0.8

sources: JVNDB: JVNDB-2018-003645

DESCRIPTION

An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "PDFKit" component. It allows remote attackers to bypass intended restrictions on visiting URLs within a PDF document. Apple macOS is prone to multiple security vulnerabilities. Attackers can exploit these issues to obtain sensitive information, bypass security restrictions, execute arbitrary code, obtain elevated privileges and perform unauthorized action; this may aid in launching further attacks. Apple macOS High Sierra is a set of dedicated operating systems developed by Apple (Apple) for Mac computers. PDFKit is one of the PDF document generation components

Trust: 1.98

sources: NVD: CVE-2018-4107 // JVNDB: JVNDB-2018-003645 // BID: 103582 // VULHUB: VHN-134138

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:ltversion:10.13.4

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.13.3

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.4.2

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.4.5

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.4.6

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.4.4

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.3.9

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.4.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.4.0

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.4.7

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.4

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.4.3

Trust: 0.6

vendor:applemodel:macosscope:eqversion:10.13.1

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13.3

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13.2

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.12.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.11.6

Trust: 0.3

vendor:applemodel:macosscope:neversion:10.13.4

Trust: 0.3

sources: BID: 103582 // JVNDB: JVNDB-2018-003645 // CNNVD: CNNVD-201804-198 // NVD: CVE-2018-4107

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-4107
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-4107
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201804-198
value: MEDIUM

Trust: 0.6

VULHUB: VHN-134138
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-4107
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-134138
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-4107
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-134138 // JVNDB: JVNDB-2018-003645 // CNNVD: CNNVD-201804-198 // NVD: CVE-2018-4107

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-134138 // JVNDB: JVNDB-2018-003645 // NVD: CVE-2018-4107

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201804-198

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201804-198

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-003645

PATCH
title:HT208692url:https://support.apple.com/en-us/HT208692
Trust: 0.8
title:HT208692url:https://support.apple.com/ja-jp/HT208692
Trust: 0.8
title:Apple macOS High Sierra PDFKit Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83050
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-003645 // 
            
            
            
            CNNVD: CNNVD-201804-198

EXTERNAL IDS
db:NVDid:CVE-2018-4107
Trust: 2.8
db:BIDid:103582
Trust: 1.4
db:SECTRACKid:1040608
Trust: 1.1
db:JVNid:JVNVU92378299
Trust: 0.8
db:JVNDBid:JVNDB-2018-003645
Trust: 0.8
db:CNNVDid:CNNVD-201804-198
Trust: 0.6
db:VULHUBid:VHN-134138
Trust: 0.1
sources:
            
            
            VULHUB: VHN-134138 // 
            
            
            
            BID: 103582 // 
            
            
            
            JVNDB: JVNDB-2018-003645 // 
            
            
            
            CNNVD: CNNVD-201804-198 // 
            
            
            
            NVD: CVE-2018-4107

REFERENCES
url:https://support.apple.com/ht208692
Trust: 1.7
url:http://www.securityfocus.com/bid/103582
Trust: 1.1
url:http://www.securitytracker.com/id/1040608
Trust: 1.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4107
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-4107
Trust: 0.8
url:http://jvn.jp/vu/jvnvu92378299/index.html
Trust: 0.8
url:https://www.apple.com/
Trust: 0.3
url:https://support.apple.com/en-ie/ht208692
Trust: 0.3
sources:
            
            
            VULHUB: VHN-134138 // 
            
            
            
            BID: 103582 // 
            
            
            
            JVNDB: JVNDB-2018-003645 // 
            
            
            
            CNNVD: CNNVD-201804-198 // 
            
            
            
            NVD: CVE-2018-4107

CREDITS
David J Beitey (@davidjb_), Geoffrey Bugniot, Simon Hosie, an anonymous researcher, Kamatham Chaitanya of ShiftLeft Inc., Haik Aftandilian of Mozilla, Axis and pjf of IceSword Lab of Qihoo 360, Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc., Jonas Jens
Trust: 0.3
sources:
            
            
            BID: 103582

SOURCES
db:VULHUBid:VHN-134138
db:BIDid:103582
db:JVNDBid:JVNDB-2018-003645
db:CNNVDid:CNNVD-201804-198
db:NVDid:CVE-2018-4107

LAST UPDATE DATE
2024-11-23T19:43:20.688000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-134138date:2018-05-04T00:00:00
db:BIDid:103582date:2018-03-29T00:00:00
db:JVNDBid:JVNDB-2018-003645date:2018-05-31T00:00:00
db:CNNVDid:CNNVD-201804-198date:2018-04-09T00:00:00
db:NVDid:CVE-2018-4107date:2024-11-21T04:06:46.630

SOURCES RELEASE DATE
db:VULHUBid:VHN-134138date:2018-04-03T00:00:00
db:BIDid:103582date:2018-03-29T00:00:00
db:JVNDBid:JVNDB-2018-003645date:2018-05-31T00:00:00
db:CNNVDid:CNNVD-201804-198date:2018-04-03T00:00:00
db:NVDid:CVE-2018-4107date:2018-04-03T06:29:04.327