Kaspersky LabKLA12007KLA12007 Multiple vulnerabilities in Apple iTunes
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
79.6%
Multiple vulnerabilities were found in Apple iTunes. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service, obtain sensitive information.
Below is a complete list of vulnerabilities:
- An out-of-bounds write vulnerability in ImageIO can be exploited via special crafted file to cause denial of service and execute arbitrary code.
- A use after free vulnerability in WebKit can be exploiter remotely via special crafted webpage to execute arbitrary code.
- An out-of-bounds read vulnerability in ImageIO can be exploited remotely via special crafted image to execute arbitrary code.
- A security vulnerability in SQLite can be exploited remotely to cause denial of service.
- A use after free vulnerability in libxml2 can be exploited remotely via special crafted file to execute arbitrary code.
- An out-of-bounds write vulnerability in WebKit can be exploited renotely via special crafted web page to execute arbitrary code.
- A memory corruption vulnerability in CoreText can be exploited remotely via special crafted text file to execute arbitrary code.
- A security bypass vulnerability in SQLite can be exploited via special crafted SQL query to cause denial of service.
- A memory corruption vulnerability in SQLite can be exploited remotely to execute arbitrary code.
- An information disclosure vulnerability in SQLite can be exploited remotely to obtain sensitive information.
- Denial of service vulnerability in ImageIO can be exploited to cause denial of service.
Original advisories
About the security content of iTunes 12.10.9 for Windows
Related products
CVE list
CVE-2020-9876 critical
CVE-2020-9951 critical
CVE-2020-9961 critical
CVE-2020-13435 high
CVE-2020-13434 high
CVE-2020-9981 critical
CVE-2020-9983 critical
CVE-2020-9947 critical
CVE-2020-9999 critical
CVE-2020-13631 high
CVE-2020-13630 high
CVE-2020-9849 high
CVE-2020-36521 high
Solution
Update to the latest version
Impacts
- ACE
Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.
- OSI
Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.
- DoS
Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.
- SB
Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.
- XSS/CSS
Cross site scripting. Exploitation of vulnerabilities with this impact can lead to partial interception of information transmitted between user and site.
- OAF
Overwrite arbitrary files. Exploitation of vulnerabilities with this impact can lead to loss of some information, contained in overwritten files.
Affected Products
- Apple iTunes earlier than 12.10.9
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
79.6%