Details of VAR-201512-0155

ID

VAR-201512-0155

CVE

CVE-2015-7056

TITLE

Apple Xcode of IDE SCM Vulnerability in which important information is obtained

Trust: 0.8

sources: JVNDB: JVNDB-2015-006362

DESCRIPTION

IDE SCM in Apple Xcode before 7.2 does not recognize .gitignore files, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging the presence of a file matching an ignore pattern. Apple Xcode is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary code, bypass security restrictions and perform unauthorized actions. Failed exploit attempts may result in a denial-of-service condition. Apple Xcode is an integrated development environment provided by Apple (Apple) to developers. It is mainly used to develop applications for Mac OS X and iOS. There is a security vulnerability in the IDE SCM of Apple Xcode 7.1.1 and earlier versions. The vulnerability stems from the fact that the program does not correctly identify the .gitignore file. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2015-12-08-6 Xcode 7.2 Xcode 7.2 is now available and addresses the following: Git Available for: OS X Yosemite v10.10.5 or later Impact: Multiple vulnerabilities existed in Git Description: Multiple vulnerabilities existed in Git versions prior to 2.5.4. These were addressed by updating Git to version 2.5.4. CVE-ID CVE-2015-7082 IDE SCM Available for: OS X Yosemite v10.10.5 or later Impact: Intentionally untracked files may be uploaded to repositories Description: Xcode did not honor the .gitignore directive. This issue was addressed by adding support to honor .gitignore file. CVE-ID CVE-2015-7056 : Stephen Lardieri otools Available for: OS X Yosemite v10.10.5 or later Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in the processing of mach-o files. These issues were addressed through improved memory handling. CVE-ID CVE-2015-7049 : Proteas of Qihoo 360 Nirvan Team CVE-2015-7057 : Proteas of Qihoo 360 Nirvan Team Installation note: Xcode 7.2 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "7.2". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJWZzRaAAoJEBcWfLTuOo7td2kP/Ag61Qpz8uA8MgClf9SbFJau FNMDPV7ZOLPPc+DA37rQIwQemSe8dkt4Jnc6TOcTQdR7+f+Mt0QgscDW9xlOlYT4 Ofg5h5XnrKQ02DBkptD4ms5RH8JAHDKCYj8WttlBnBVsJMb6H3s5Om6vfubXkb7t 6bdUMe7iCgRsGuRrBuzPfxjMzh2ilnWML1B6VJkRi6rMnWTW2a66BWvfqLL1Cv2h 1ybIaJi1wsw0lTxGIb+bNM8lg+EL4JLEV+DSJ6mFtDpF6dQBqndbxjopbO5l6LzT rnWtFTQQ1/6SAM11n9bbDOQj8w8QW3v0CAyad4HN+5Ayk/qnuJZ8o1ycSGAIrQgr HCzG8RELjK9ipgkdu5daXUc75SGVPuuwobQM6SNzrg5M6SVzIvVdSibTwfgnDvgu PQO6mBZXLewSBoWqJAQnoDJXExSJ67IE5RzXwvg5KQcF+81Toj48HUxxd98PKrnI gPbhf8QT9/asGupN4wh3JjN73/qm2BwpJsbPvVj42Ew1OnsBgldpEL1Ssl/2qX0O pPi1pfF6PIFQUrbloWyYC+lIJuydb3FZUYKLR6HSn7v7RrZu5n8Uvj+5VX3TyVOi 5WzXvbHd9L3exphb8SnITTUdZX6LzkUgRrQRvGWTzT/AfIHQRAyliyk7BgYRqzHH ObtqW74YB0YXaiw1ckGl =FxUB -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2015-7056 // JVNDB: JVNDB-2015-006362 // BID: 78727 // VULHUB: VHN-85017 // PACKETSTORM: 134747

AFFECTED PRODUCTS

vendor:	apple	model:	xcode	scope:	lte	version:	7.1.1	Trust: 1.0
vendor:	apple	model:	xcode	scope:	lt	version:	7.2 (os x yosemite v10.10.5 or later )	Trust: 0.8
vendor:	apple	model:	xcode	scope:	eq	version:	7.1.1	Trust: 0.6
vendor:	git	model:	git	scope:	eq	version:	2.5.3	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	2.5.2	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	2.5.1	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	2.5	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	2.2.1	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	2.2	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	2.1.4	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	2.1.3	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	2.1	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	2.0.5	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	2.0.4	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	2.0	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.9.5	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.9.4	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.9	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.8.56	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.7.2	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.6.3.2	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.66	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.65	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.5.66	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.5.65	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.5.6.4	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.5.6.3	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.5.6	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.5.56	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.5.55	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.5.5	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.5.47	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.5.46	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.5.24	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.1.5	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.1.4	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.8.5.5	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.8.5.0	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.8.1.4	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.8.1.3	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.8	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.7.3.4	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.7.3.3	Trust: 0.3
vendor:	git	model:	git	scope:	eq	version:	1.4.4.5	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	6.0.1	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	2.4.1	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	7.1	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	7.0	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	6.3	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	6.2	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	6.0	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	5.0	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	4.4	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	4.3.3	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	4.3.2	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	4.3.1	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	4.3	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	4.2.1	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	4.2	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	4.1.1	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	4.0.2	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	4.0.1	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	4.0	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	3.2.5	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	3.2.4	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	3.2.3	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	3.2.2	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	3.2.1	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	3.1.4	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	3.1.3	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	3.1.2	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	3.1.1	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	3.1	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	3.0	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	2.3	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	2.2	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	2.1	Trust: 0.3
vendor:	apple	model:	xcode	scope:	eq	version:	2.0	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.11.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.10.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.11	Trust: 0.3
vendor:	git	model:	git	scope:	ne	version:	2.5.4	Trust: 0.3
vendor:	apple	model:	xcode	scope:	ne	version:	7.2	Trust: 0.3

sources: BID: 78727 // JVNDB: JVNDB-2015-006362 // CNNVD: CNNVD-201512-345 // NVD: CVE-2015-7056

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-7056
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-7056
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201512-345
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-85017
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-7056
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-85017
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-85017 // JVNDB: JVNDB-2015-006362 // CNNVD: CNNVD-201512-345 // NVD: CVE-2015-7056

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-85017 // JVNDB: JVNDB-2015-006362 // NVD: CVE-2015-7056

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201512-345

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201512-345

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006362

PATCH

title:	Apple security updates	url:	https://support.apple.com/en-us/HT201222	Trust: 0.8
title:	APPLE-SA-2015-12-08-6 Xcode 7.2	url:	http://lists.apple.com/archives/security-announce/2015/Dec/msg00004.html	Trust: 0.8
title:	HT205642	url:	https://support.apple.com/en-us/HT205642	Trust: 0.8
title:	HT205642	url:	http://support.apple.com/ja-jp/HT205642	Trust: 0.8
title:	Apple Xcode IDE SCM Repair measures for information disclosure vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=59163	Trust: 0.6

sources: JVNDB: JVNDB-2015-006362 // CNNVD: CNNVD-201512-345

EXTERNAL IDS

db:	NVD	id:	CVE-2015-7056	Trust: 2.9
db:	SECTRACK	id:	1034340	Trust: 1.1
db:	JVN	id:	JVNVU97526033	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-006362	Trust: 0.8
db:	CNNVD	id:	CNNVD-201512-345	Trust: 0.7
db:	BID	id:	78727	Trust: 0.3
db:	VULHUB	id:	VHN-85017	Trust: 0.1
db:	PACKETSTORM	id:	134747	Trust: 0.1

sources: VULHUB: VHN-85017 // BID: 78727 // JVNDB: JVNDB-2015-006362 // PACKETSTORM: 134747 // CNNVD: CNNVD-201512-345 // NVD: CVE-2015-7056

REFERENCES

url:	http://lists.apple.com/archives/security-announce/2015/dec/msg00004.html	Trust: 1.7
url:	https://support.apple.com/ht205642	Trust: 1.7
url:	http://www.securitytracker.com/id/1034340	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7056	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu97526033/	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7056	Trust: 0.8
url:	http://git.or.cz/	Trust: 0.3
url:	http://www.apple.com/macosx/	Trust: 0.3
url:	https://developer.apple.com/xcode/	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7057	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7082	Trust: 0.1
url:	https://support.apple.com/kb/ht201222	Trust: 0.1
url:	https://www.apple.com/support/security/pgp/	Trust: 0.1
url:	https://gpgtools.org	Trust: 0.1
url:	https://developer.apple.com/xcode/downloads/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7049	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7056	Trust: 0.1

sources: VULHUB: VHN-85017 // BID: 78727 // JVNDB: JVNDB-2015-006362 // PACKETSTORM: 134747 // CNNVD: CNNVD-201512-345 // NVD: CVE-2015-7056

CREDITS

Stephen Lardieri and Proteas of Qihoo 360 Nirvan Team

Trust: 0.3

sources: BID: 78727

SOURCES

db:	VULHUB	id:	VHN-85017
db:	BID	id:	78727
db:	JVNDB	id:	JVNDB-2015-006362
db:	PACKETSTORM	id:	134747
db:	CNNVD	id:	CNNVD-201512-345
db:	NVD	id:	CVE-2015-7056

LAST UPDATE DATE

2024-08-14T12:12:04.409000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-85017	date:	2016-12-07T00:00:00
db:	BID	id:	78727	date:	2015-12-08T00:00:00
db:	JVNDB	id:	JVNDB-2015-006362	date:	2015-12-15T00:00:00
db:	CNNVD	id:	CNNVD-201512-345	date:	2015-12-14T00:00:00
db:	NVD	id:	CVE-2015-7056	date:	2016-12-07T18:22:21.337

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-85017	date:	2015-12-11T00:00:00
db:	BID	id:	78727	date:	2015-12-08T00:00:00
db:	JVNDB	id:	JVNDB-2015-006362	date:	2015-12-15T00:00:00
db:	PACKETSTORM	id:	134747	date:	2015-12-10T17:11:47
db:	CNNVD	id:	CNNVD-201512-345	date:	2015-12-14T00:00:00
db:	NVD	id:	CVE-2015-7056	date:	2015-12-11T11:59:22.070