ID

VAR-201512-0155


CVE

CVE-2015-7056


TITLE

Apple Xcode IDE SCM vulnerability that allows sensitive information to be obtained

Trust: 0.8

sources: JVNDB: JVNDB-2015-006362

DESCRIPTION

IDE SCM in Apple Xcode before 7.2 does not recognize .gitignore files, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging the presence of a file matching an ignore pattern.

Apple Xcode is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary code, bypass security restrictions and perform unauthorized actions. Failed exploit attempts may result in a denial-of-service condition.

Apple Xcode is an integrated development environment provided by Apple to developers. It is mainly used to develop applications for Mac OS X and iOS. There is a security vulnerability in the IDE SCM of Apple Xcode 7.1.1 and earlier versions. The vulnerability stems from the fact that the program does not correctly identify the .gitignore file.

APPLE-SA-2015-12-08-6 Xcode 7.2

Xcode 7.2 is now available and addresses the following:

Git
Available for: OS X Yosemite v10.10.5 or later
Impact: Multiple vulnerabilities existed in Git
Description: Multiple vulnerabilities existed in Git versions prior to 2.5.4. These were addressed by updating Git to version 2.5.4.
CVE-ID
CVE-2015-7082

IDE SCM
Available for: OS X Yosemite v10.10.5 or later
Impact: Intentionally untracked files may be uploaded to repositories
Description: Xcode did not honor the .gitignore directive. This issue was addressed by adding support to honor the .gitignore file.
CVE-ID
CVE-2015-7056 : Stephen Lardieri

otools
Available for: OS X Yosemite v10.10.5 or later
Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the processing of mach-o files. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-7049 : Proteas of Qihoo 360 Nirvan Team
CVE-2015-7057 : Proteas of Qihoo 360 Nirvan Team

Installation note:

Xcode 7.2 may be obtained from:
https://developer.apple.com/xcode/downloads/

To check that Xcode has been updated:

* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "7.2".

Information will also be posted to the Apple Security Updates web site:
https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/
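As an added example (not Apple's or Git's code), a simplified Python audit for the failure mode the advisory describes: paths that are tracked in a repository even though they match a .gitignore pattern. The sample .gitignore and the tracked file list are constructed, and the matcher implements only a subset of gitignore semantics (no `**`).

```python
from fnmatch import fnmatchcase

# Constructed sample .gitignore for an Xcode project (not taken from the advisory).
GITIGNORE = "xcuserdata/\n*.xcuserstate\n/build\nSecrets.plist\n*.pem\n!public.pem\n"

# Constructed tracked paths, as an SCM client that ignores .gitignore might commit them.
TRACKED_FILES = [
    "App/AppDelegate.swift", "App/Secrets.plist", "App.xcodeproj/project.pbxproj",
    "App.xcodeproj/project.xcworkspace/xcuserdata/dev.xcuserdatad/UserInterfaceState.xcuserstate",
    "build/App.ipa", "Tools/build/helper.sh", "certs/server.pem", "certs/public.pem",
]

def parse_gitignore(text):
    """Return (pattern, negated) rules in file order; comments and blank lines are skipped."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    return [(ln.lstrip("!"), ln.startswith("!")) for ln in lines if ln and not ln.startswith("#")]

def matches(pattern, path):
    """Simplified gitignore match (no '**'): a leading or inner '/' anchors the pattern
    to the repository root, a trailing '/' restricts it to directories, and a pattern
    without any slash is tried against every component of the path."""
    dir_only = pattern.endswith("/")
    anchored = "/" in pattern.rstrip("/")
    pattern = pattern.strip("/")
    parts = path.split("/")
    limit = len(parts) - 1 if dir_only else len(parts)   # dir-only: skip the file itself
    for i in range(1, limit + 1):
        candidate = "/".join(parts[:i]) if anchored else parts[i - 1]
        if fnmatchcase(candidate, pattern):
            return True
    return False

def is_ignored(path, rules):
    """Last matching rule wins, as in git; a '!' rule un-ignores the path."""
    ignored = False
    for pattern, negated in rules:
        if matches(pattern, path):
            ignored = not negated
    return ignored

def tracked_but_ignored(tracked_paths, gitignore_text):
    """Paths that are tracked even though .gitignore says they should be excluded."""
    rules = parse_gitignore(gitignore_text)
    return sorted(p for p in tracked_paths if is_ignored(p, rules))

if __name__ == "__main__":
    for path in tracked_but_ignored(TRACKED_FILES, GITIGNORE):
        print("tracked but matches .gitignore:", path)
```

In a real checkout the authoritative form of this check is git itself: `git ls-files -ci --exclude-standard` lists tracked files that the current ignore rules would exclude.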

Trust: 2.07

sources: NVD: CVE-2015-7056 // JVNDB: JVNDB-2015-006362 // BID: 78727 // VULHUB: VHN-85017 // PACKETSTORM: 134747

AFFECTED PRODUCTS

vendor   model    scope   version                                  Trust
apple    xcode    lte     7.1.1                                    1.0
apple    xcode    lt      7.2 (os x yosemite v10.10.5 or later)    0.8
apple    xcode    eq      7.1.1                                    0.6
git      git      eq      2.5.3                                    0.3
git      git      eq      2.5.2                                    0.3
git      git      eq      2.5.1                                    0.3
git      git      eq      2.5                                      0.3
git      git      eq      2.2.1                                    0.3
git      git      eq      2.2                                      0.3
git      git      eq      2.1.4                                    0.3
git      git      eq      2.1.3                                    0.3
git      git      eq      2.1                                      0.3
git      git      eq      2.0.5                                    0.3
git      git      eq      2.0.4                                    0.3
git      git      eq      2.0                                      0.3
git      git      eq      1.9.5                                    0.3
git      git      eq      1.9.4                                    0.3
git      git      eq      1.9                                      0.3
git      git      eq      1.8.56                                   0.3
git      git      eq      1.7.2                                    0.3
git      git      eq      1.6.3.2                                  0.3
git      git      eq      1.66                                     0.3
git      git      eq      1.65                                     0.3
git      git      eq      1.5.66                                   0.3
git      git      eq      1.5.65                                   0.3
git      git      eq      1.5.6.4                                  0.3
git      git      eq      1.5.6.3                                  0.3
git      git      eq      1.5.6                                    0.3
git      git      eq      1.5.56                                   0.3
git      git      eq      1.5.55                                   0.3
git      git      eq      1.5.5                                    0.3
git      git      eq      1.5.47                                   0.3
git      git      eq      1.5.46                                   0.3
git      git      eq      1.5.24                                   0.3
git      git      eq      1.1.5                                    0.3
git      git      eq      1.1.4                                    0.3
git      git      eq      1.8.5.5                                  0.3
git      git      eq      1.8.5.0                                  0.3
git      git      eq      1.8.1.4                                  0.3
git      git      eq      1.8.1.3                                  0.3
git      git      eq      1.8                                      0.3
git      git      eq      1.7.3.4                                  0.3
git      git      eq      1.7.3.3                                  0.3
git      git      eq      1.4.4.5                                  0.3
apple    xcode    eq      6.0.1                                    0.3
apple    xcode    eq      2.4.1                                    0.3
apple    xcode    eq      7.1                                      0.3
apple    xcode    eq      7.0                                      0.3
apple    xcode    eq      6.3                                      0.3
apple    xcode    eq      6.2                                      0.3
apple    xcode    eq      6.0                                      0.3
apple    xcode    eq      5.0                                      0.3
apple    xcode    eq      4.4                                      0.3
apple    xcode    eq      4.3.3                                    0.3
apple    xcode    eq      4.3.2                                    0.3
apple    xcode    eq      4.3.1                                    0.3
apple    xcode    eq      4.3                                      0.3
apple    xcode    eq      4.2.1                                    0.3
apple    xcode    eq      4.2                                      0.3
apple    xcode    eq      4.1.1                                    0.3
apple    xcode    eq      4.0.2                                    0.3
apple    xcode    eq      4.0.1                                    0.3
apple    xcode    eq      4.0                                      0.3
apple    xcode    eq      3.2.5                                    0.3
apple    xcode    eq      3.2.4                                    0.3
apple    xcode    eq      3.2.3                                    0.3
apple    xcode    eq      3.2.2                                    0.3
apple    xcode    eq      3.2.1                                    0.3
apple    xcode    eq      3.1.4                                    0.3
apple    xcode    eq      3.1.3                                    0.3
apple    xcode    eq      3.1.2                                    0.3
apple    xcode    eq      3.1.1                                    0.3
apple    xcode    eq      3.1                                      0.3
apple    xcode    eq      3.0                                      0.3
apple    xcode    eq      2.3                                      0.3
apple    xcode    eq      2.2                                      0.3
apple    xcode    eq      2.1                                      0.3
apple    xcode    eq      2.0                                      0.3
apple    mac os   eq      x10.11.1                                 0.3
apple    mac os   eq      x10.10.5                                 0.3
apple    mac os   eq      x10.11                                   0.3
git      git      ne      2.5.4                                    0.3
apple    xcode    ne      7.2                                      0.3

sources: BID: 78727 // JVNDB: JVNDB-2015-006362 // CNNVD: CNNVD-201512-345 // NVD: CVE-2015-7056

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7056
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-7056
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201512-345
value: MEDIUM

Trust: 0.6

VULHUB: VHN-85017
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-7056
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-85017
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-85017 // JVNDB: JVNDB-2015-006362 // CNNVD: CNNVD-201512-345 // NVD: CVE-2015-7056

PROBLEMTYPE DATA

problemtype: CWE-200

Trust: 1.9

sources: VULHUB: VHN-85017 // JVNDB: JVNDB-2015-006362 // NVD: CVE-2015-7056

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201512-345

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201512-345

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006362

PATCH

title: Apple security updates
url: https://support.apple.com/en-us/HT201222

Trust: 0.8

title: APPLE-SA-2015-12-08-6 Xcode 7.2
url: http://lists.apple.com/archives/security-announce/2015/Dec/msg00004.html

Trust: 0.8

title: HT205642
url: https://support.apple.com/en-us/HT205642

Trust: 0.8

title: HT205642
url: http://support.apple.com/ja-jp/HT205642

Trust: 0.8

title: Apple Xcode IDE SCM Repair measures for information disclosure vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=59163

Trust: 0.6

sources: JVNDB: JVNDB-2015-006362 // CNNVD: CNNVD-201512-345

EXTERNAL IDS

db: NVD  id: CVE-2015-7056

Trust: 2.9

db: SECTRACK  id: 1034340

Trust: 1.1

db: JVN  id: JVNVU97526033

Trust: 0.8

db: JVNDB  id: JVNDB-2015-006362

Trust: 0.8

db: CNNVD  id: CNNVD-201512-345

Trust: 0.7

db: BID  id: 78727

Trust: 0.3

db: VULHUB  id: VHN-85017

Trust: 0.1

db: PACKETSTORM  id: 134747

Trust: 0.1

sources: VULHUB: VHN-85017 // BID: 78727 // JVNDB: JVNDB-2015-006362 // PACKETSTORM: 134747 // CNNVD: CNNVD-201512-345 // NVD: CVE-2015-7056

REFERENCES

url:http://lists.apple.com/archives/security-announce/2015/dec/msg00004.html

Trust: 1.7

url:https://support.apple.com/ht205642

Trust: 1.7

url:http://www.securitytracker.com/id/1034340

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7056

Trust: 0.8

url:http://jvn.jp/vu/jvnvu97526033/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7056

Trust: 0.8

url:http://git.or.cz/

Trust: 0.3

url:http://www.apple.com/macosx/

Trust: 0.3

url:https://developer.apple.com/xcode/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2015-7057

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-7082

Trust: 0.1

url:https://support.apple.com/kb/ht201222

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:https://gpgtools.org

Trust: 0.1

url:https://developer.apple.com/xcode/downloads/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-7049

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-7056

Trust: 0.1

sources: VULHUB: VHN-85017 // BID: 78727 // JVNDB: JVNDB-2015-006362 // PACKETSTORM: 134747 // CNNVD: CNNVD-201512-345 // NVD: CVE-2015-7056

CREDITS

Stephen Lardieri and Proteas of Qihoo 360 Nirvan Team

Trust: 0.3

sources: BID: 78727

SOURCES

db: VULHUB       id: VHN-85017
db: BID          id: 78727
db: JVNDB        id: JVNDB-2015-006362
db: PACKETSTORM  id: 134747
db: CNNVD        id: CNNVD-201512-345
db: NVD          id: CVE-2015-7056

LAST UPDATE DATE

2024-08-14T12:12:04.409000+00:00


SOURCES UPDATE DATE

db: VULHUB  id: VHN-85017           date: 2016-12-07T00:00:00
db: BID     id: 78727               date: 2015-12-08T00:00:00
db: JVNDB   id: JVNDB-2015-006362   date: 2015-12-15T00:00:00
db: CNNVD   id: CNNVD-201512-345    date: 2015-12-14T00:00:00
db: NVD     id: CVE-2015-7056       date: 2016-12-07T18:22:21.337

SOURCES RELEASE DATE

db: VULHUB       id: VHN-85017           date: 2015-12-11T00:00:00
db: BID          id: 78727               date: 2015-12-08T00:00:00
db: JVNDB        id: JVNDB-2015-006362   date: 2015-12-15T00:00:00
db: PACKETSTORM  id: 134747              date: 2015-12-10T17:11:47
db: CNNVD        id: CNNVD-201512-345    date: 2015-12-14T00:00:00
db: NVD          id: CVE-2015-7056       date: 2015-12-11T11:59:22.070