CVE-2011-1516

2011-11-1518:55:00

CWE-264

[email protected]

web.nvd.nist.gov

cve-2011-1516

apple

mac os x

sandbox profiles

remote attackers

network resources

security vulnerability

8.6 High

AI Score

Confidence

High

7.6 High

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

0.002 Low

EPSS

Percentile

58.6%

JSON

The kSBXProfileNoNetwork and kSBXProfileNoInternet sandbox profiles in Apple Mac OS X 10.5.x through 10.7.x do not propagate restrictions to all created processes, which allows remote attackers to access network resources via a crafted application, as demonstrated by use of osascript to send Apple events to the launchd daemon, a related issue to CVE-2008-7303.

CPENameOperatorVersion
apple:mac_os_xapple mac os xeq10.5.8
apple:mac_os_xapple mac os xeq10.6.8
apple:mac_os_xapple mac os xeq10.6.7
apple:mac_os_xapple mac os xeq10.5.6
apple:mac_os_xapple mac os xeq10.5.5
apple:mac_os_xapple mac os xeq10.6.3
apple:mac_os_xapple mac os xeq10.5.1
apple:mac_os_xapple mac os xeq10.7.2
apple:mac_os_xapple mac os xeq10.5.3
apple:mac_os_xapple mac os xeq10.5.0

CPE	Name	Operator	Version
apple:mac_os_x	apple mac os x	eq	10.5.8
apple:mac_os_x	apple mac os x	eq	10.6.8
apple:mac_os_x	apple mac os x	eq	10.6.7
apple:mac_os_x	apple mac os x	eq	10.5.6
apple:mac_os_x	apple mac os x	eq	10.5.5
apple:mac_os_x	apple mac os x	eq	10.6.3
apple:mac_os_x	apple mac os x	eq	10.5.1
apple:mac_os_x	apple mac os x	eq	10.7.2
apple:mac_os_x	apple mac os x	eq	10.5.3
apple:mac_os_x	apple mac os x	eq	10.5.0