458 matches found
CVE-2007-4680
CFNetwork in Apple Mac OS X 10.3.9 and 10.4 through 10.4.10 does not properly validate certificates, which allows remote attackers to spoof trusted SSL certificates via a man-in-the-middle attack...
CVE-2007-4679
CVE-2007-4679 affects Apple Mac OS X 10.4–10.4.10 via CFNetwork’s FTP implementation. Remote FTP servers can craft PASV responses to cause the client to connect to an attacker‑controlled host. Impact: partial integrity, no confidentiality or availability impact stated; exploit requires network ac...
CVE-2007-4680
CVE-2007-4680 affects Apple Mac OS X 10.3.9 and 10.4 up to 10.4.10. The flaw is in CFNetwork certificate validation, enabling a remote attacker to perform a man‑in‑the‑middle attack to spoof trusted SSL certificates and potentially leak credentials or other information. The issue is mitigated by ...
Mac OS X < 10.4.11 Multiple Vulnerabilities (Security Update 2007-008)
The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.11 or a version of Mac OS X 10.3 which does not have Security Update 2007-008 applied. This update contains several security fixes for the following programs : - Flash Player Plugin - AppleRAID - BIND - bzip2 -...
CRLF injection
CRLF injection vulnerability in CFNetwork on Apple Mac OS X 10.3.9 and 10.4.10 before 20070731 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in an unspecified context. NOTE: this can be leveraged for cross-site scripting XS...
Design/Logic Flaw
CFNetwork on Apple Mac OS X 10.3.9 and 10.4.10 does not properly validate ftp: URIs, which allows remote attackers to trigger the transmission of arbitrary FTP commands to arbitrary FTP servers...
CVE-2007-2404
CRLF injection vulnerability in CFNetwork on Apple Mac OS X 10.3.9 and 10.4.10 before 20070731 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in an unspecified context. NOTE: this can be leveraged for cross-site scripting XS...
CVE-2007-2403
CFNetwork on Apple Mac OS X 10.3.9 and 10.4.10 does not properly validate ftp: URIs, which allows remote attackers to trigger the transmission of arbitrary FTP commands to arbitrary FTP servers...
CVE-2007-2403
CVE-2007-2403 affects CFNetwork on Apple Mac OS X 10.3.9 and 10.4.10. The flaw arises from improper validation of ftp: URIs, allowing a remote attacker to cause the client to transmit arbitrary FTP commands to arbitrary FTP servers. Impact is described as partial confidentiality, integrity, and a...
CVE-2007-2404
CVE-2007-2404: CRLF injection vulnerability in CFNetwork on Mac OS X 10.3.9/10.4.10 prior to 20070731 allows remote attackers to inject arbitrary HTTP headers and perform HTTP response splitting; note this can enable XSS. Affected component: CFNetwork. Root cause: CRLF sequence handling in HTTP r...
Mac OS X Multiple Vulnerabilities (Security Update 2007-007)
The remote host is running a version of Mac OS X 10.4 or 10.3 which does not have the security update 2007-007 applied. This update contains several security fixes for the following programs : - bzip2 - CFNetwork - CoreAudio - cscope - gnuzip - iChat - Kerberos - mDNSResponder - PDFKit - PHP -...
CFNetwork < 129.20 DoS
Null pointer dereference
The CFNetConnectionWillEnqueueRequests function in CFNetwork 129.19 on Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to cause a denial of service (application crash) via a crafted HTTP 301 response, which results in a NULL pointer dereference...
CVE-2007-0464
The CFNetConnectionWillEnqueueRequests function in CFNetwork 129.19 on Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to cause a denial of service (application crash) via a crafted HTTP 301 response, which results in a NULL pointer dereference...
CVE-2007-0464
CFNetwork vulnerability CVE-2007-0464 affects Apple Mac OS X 10.4.x (CFNetwork 129.19) where _CFNetConnectionWillEnqueueRequests incorrectly handles certain HTTP responses. A crafted HTTP 301 response can trigger a NULL pointer dereference, causing remote denial of service (application crash). Th...
Mac OS X CFNetwork library DoS
NULL pointer dereference on HTTP server response parsing...
MOAB-25-01-2007: Apple CFNetwork HTTP Response Denial of Service
Summary: Apple provides the following description about CFNetwork: CFNetwork is a framework in the Core Services framework that provides a library of abstractions for network protocols. CFNetwork fails to handle certain HTTP responses properly, causing the CFNetConnectionWillEnqueueRequests functi...