ID

VAR-201704-0782


CVE

CVE-2017-2426


TITLE

Vulnerability in the iBooks component of Apple macOS that allows important information to be obtained from local files

Trust: 0.8

sources: JVNDB: JVNDB-2017-002395

DESCRIPTION

An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "iBooks" component. It allows remote attackers to obtain sensitive information from local files via a file: URL in an iBooks file. Apple macOS is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary code, obtain sensitive information, cause a denial-of-service condition, or bypass security restrictions and perform unauthorized actions. This may aid in further attacks.

Trust: 2.07

sources: NVD: CVE-2017-2426 // JVNDB: JVNDB-2017-002395 // BID: 97140 // VULHUB: VHN-110629 // VULMON: CVE-2017-2426

AFFECTED PRODUCTS

vendor: apple | model: mac os x | scope: eq | version: 10.12.3

Trust: 1.4

vendor: apple | model: mac os x | scope: lte | version: 10.12.3

Trust: 1.0

vendor: webkit | model: open source project webkit | scope: eq | version: 0

Trust: 0.3

vendor: ubuntu | model: linux | scope: eq | version: 16.10

Trust: 0.3

vendor: ubuntu | model: linux lts | scope: eq | version: 16.04

Trust: 0.3

vendor: gentoo | model: linux | scope: - | version: -

Trust: 0.3

vendor: apple | model: macos | scope: eq | version: 10.12.3

Trust: 0.3

vendor: apple | model: security update yosemite | scope: ne | version: 2017-0010

Trust: 0.3

vendor: apple | model: security update el capitan | scope: ne | version: 2017-0010

Trust: 0.3

vendor: apple | model: macos | scope: ne | version: 10.12.4

Trust: 0.3

sources: BID: 97140 // JVNDB: JVNDB-2017-002395 // CNNVD: CNNVD-201704-068 // NVD: CVE-2017-2426

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-2426
value: LOW

Trust: 1.0

NVD: CVE-2017-2426
value: LOW

Trust: 0.8

CNNVD: CNNVD-201704-068
value: MEDIUM

Trust: 0.6

VULHUB: VHN-110629
value: MEDIUM

Trust: 0.1

VULMON: CVE-2017-2426
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-2426
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-110629
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-2426
baseSeverity: LOW
baseScore: 3.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-110629 // VULMON: CVE-2017-2426 // JVNDB: JVNDB-2017-002395 // CNNVD: CNNVD-201704-068 // NVD: CVE-2017-2426

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-110629 // JVNDB: JVNDB-2017-002395 // NVD: CVE-2017-2426

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-068

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201704-068

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002395

PATCH

title: Apple security updates | url: https://support.apple.com/en-us/HT201222

Trust: 0.8

title: HT207615 | url: https://support.apple.com/en-us/HT207615

Trust: 0.8

title: HT207615 | url: https://support.apple.com/ja-jp/HT207615

Trust: 0.8

title: Apple macOS Sierra iBooks Security vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68961

Trust: 0.6

title: Awesome CVE PoC | url: https://github.com/lnick2023/nicenice

Trust: 0.1

title: Awesome CVE PoC | url: https://github.com/qazbnm456/awesome-cve-poc

Trust: 0.1

title: Awesome CVE PoC | url: https://github.com/xbl3/awesome-cve-poc_qazbnm456

Trust: 0.1

sources: VULMON: CVE-2017-2426 // JVNDB: JVNDB-2017-002395 // CNNVD: CNNVD-201704-068

EXTERNAL IDS

db: NVD | id: CVE-2017-2426

Trust: 2.9

db: BID | id: 97140

Trust: 2.1

db: SECTRACK | id: 1038138

Trust: 1.2

db: JVN | id: JVNVU90482935

Trust: 0.8

db: JVNDB | id: JVNDB-2017-002395

Trust: 0.8

db: CNNVD | id: CNNVD-201704-068

Trust: 0.7

db: SEEBUG | id: SSVID-92843

Trust: 0.1

db: VULHUB | id: VHN-110629

Trust: 0.1

db: VULMON | id: CVE-2017-2426

Trust: 0.1

sources: VULHUB: VHN-110629 // VULMON: CVE-2017-2426 // BID: 97140 // JVNDB: JVNDB-2017-002395 // CNNVD: CNNVD-201704-068 // NVD: CVE-2017-2426

REFERENCES

url:http://www.securityfocus.com/bid/97140

Trust: 1.9

url:https://support.apple.com/ht207615

Trust: 1.8

url:https://s1gnalcha0s.github.io/ibooks/epub/2017/03/27/this-book-reads-you-using-javascript.html

Trust: 1.2

url:http://www.securitytracker.com/id/1038138

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2426

Trust: 0.8

url:http://jvn.jp/vu/jvnvu90482935/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-2426

Trust: 0.8

url:http://linkis.com/jbmr0

Trust: 0.6

url:https://www.apple.com/

Trust: 0.3

url:http://www.apple.com/macosx/

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/200.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/lnick2023/nicenice

Trust: 0.1

url:https://github.com/qazbnm456/awesome-cve-poc

Trust: 0.1

sources: VULHUB: VHN-110629 // VULMON: CVE-2017-2426 // BID: 97140 // JVNDB: JVNDB-2017-002395 // CNNVD: CNNVD-201704-068 // NVD: CVE-2017-2426

CREDITS

Ulf Frisk, Apple, Brandon Azad, an anonymous researcher, Max Bazaliy, beist, Sergey Bylokhov, Simon Huang, pjf, Alex Fishman, Izik Eidus, Pekka Oikarainen, Matias Karhumaa, Marko Laakso, @cocoahuke, kimyok, Craig Arendt, Axis, sss, Orr A, Benjamin Gnahm, I

Trust: 0.3

sources: BID: 97140

SOURCES

db: VULHUB | id: VHN-110629
db: VULMON | id: CVE-2017-2426
db: BID | id: 97140
db: JVNDB | id: JVNDB-2017-002395
db: CNNVD | id: CNNVD-201704-068
db: NVD | id: CVE-2017-2426

LAST UPDATE DATE

2024-11-23T20:50:04.542000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-110629 | date: 2017-07-12T00:00:00
db: VULMON | id: CVE-2017-2426 | date: 2017-07-12T00:00:00
db: BID | id: 97140 | date: 2017-06-08T08:02:00
db: JVNDB | id: JVNDB-2017-002395 | date: 2017-04-12T00:00:00
db: CNNVD | id: CNNVD-201704-068 | date: 2017-04-06T00:00:00
db: NVD | id: CVE-2017-2426 | date: 2024-11-21T03:23:30.187

SOURCES RELEASE DATE

db: VULHUB | id: VHN-110629 | date: 2017-04-02T00:00:00
db: VULMON | id: CVE-2017-2426 | date: 2017-04-02T00:00:00
db: BID | id: 97140 | date: 2017-03-27T00:00:00
db: JVNDB | id: JVNDB-2017-002395 | date: 2017-04-12T00:00:00
db: CNNVD | id: CNNVD-201704-068 | date: 2017-04-06T00:00:00
db: NVD | id: CVE-2017-2426 | date: 2017-04-02T01:59:01.747