Lucene search

[email protected]CVE-2015-6997

HistoryOct 23, 2015 - 10:59 a.m.

CVE-2015-6997

2015-10-2310:59:00

CWE-254

[email protected]

web.nvd.nist.gov

cve-2015-6997

x.509

certificate

trust

apple

ios

revocation

security vulnerability

5.5 Medium

AI Score

Confidence

Low

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

52.8%

JSON

The X.509 certificate-trust implementation in Apple iOS before 9.1 does not recognize that the kSecRevocationRequirePositiveResponse flag implies a revocation-checking requirement, which makes it easier for man-in-the-middle attackers to spoof endpoints by leveraging access to a revoked certificate.

CPENameOperatorVersion
apple:iphone_osapple iphone osle9.0.2
apple:watchosapple watchosle2.0

CPE	Name	Operator	Version
apple:iphone_os	apple iphone os	le	9.0.2
apple:watchos	apple watchos	le	2.0

References

lists.apple.com/archives/security-announce/2015/Dec/msg00002.html

lists.apple.com/archives/security-announce/2015/Oct/msg00002.html

www.securityfocus.com/bid/77268

www.securitytracker.com/id/1033929

support.apple.com/HT205370

support.apple.com/HT205641

5.5 Medium

AI Score

Confidence

Low

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

52.8%

JSON

Related for CVE-2015-6997

prion1 securityvulns2 nessus2