Lucene search

Tenable8958.PRM

HistoryOct 23, 2015 - 12:00 a.m.

iTunes for Windows < 12.3 Multiple Vulnerabilities

2015-10-2300:00:00

Tenable

www.tenable.com

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.126 Low

EPSS

Percentile

95.5%

JSON

Versions of iTunes earlier than 12.3 are affected by multiple vulnerabilities which include :

A flaw exists in Microsoft Foundation Class’s handling of library loading due to the use of a fixed path. An attacker can place a custom version of the file or library in the path, and the program will load it before the legitimate version. Thus, an attacker can leverage this flaw to execute custom code. (CVE-2010-3190)
International Components for Unicode for C/C++ (ICU4C) contains several flaws. An overflow condition exists in the resolveImplicitLevels() function in ‘ubidi.c’, which is triggered as user-supplied input is not properly validated. Additionally, an integer truncation flaw exists in the same function in ‘ubidi.c’. Either flaw may allow an attacker to crash an application linked against the library or potentially execute arbitrary code. (CVE-2014-8146, CVE-2014-8147, CVE-2015-5922)
A flaw exists in CoreText that is triggered as user-supplied input is not properly validated when handling text and font files. This may allow a context-dependent attacker can corrupt memory and potentially execute arbitrary code. (CVE-2015-1157, CVE-2015-5874, CVE-2015-3686, CVE-2015-3687, CVE-2015-3688, CVE-2015-5755, CVE-2015-5761)
A flaw exists that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-1152, CVE-2015-1153, CVE-2015-3730, CVE-2015-3731, CVE-2015-3733, CVE-2015-3734, CVE-2015-3735, CVE-2015-3736, CVE-2015-3737, CVE-2015-3738, CVE-2015-3739, CVE-2015-3740, CVE-2015-3741, CVE-2015-3742, CVE-2015-3743, CVE-2015-3744, CVE-2015-3745, CVE-2015-3746, CVE-2015-3747, CVE-2015-3748, CVE-2015-3749, CVE-2015-5789, CVE-2015-5790, CVE-2015-5791, CVE-2015-5792, CVE-2015-5793, CVE-2015-5794, CVE-2015-5795, CVE-2015-5796, CVE-2015-5797, CVE-2015-5798, CVE-2015-5799, CVE-2015-5800, CVE-2015-5801, CVE-2015-5802, CVE-2015-5803, CVE-2015-5804, CVE-2015-5805, CVE-2015-5806, CVE-2015-5807, CVE-2015-5808, CVE-2015-5809, CVE-2015-5810, CVE-2015-5811, CVE-2015-5812, CVE-2015-5813, CVE-2015-5814, CVE-2015-5815, CVE-2015-5816, CVE-2015-5817, CVE-2015-5818, CVE-2015-5819, CVE-2015-5821, CVE-2015-5822, CVE-2015-5823)
An unspecified flaw exists that is triggered during the handling of network connection redirects. This may allow a remote man-in-the-middle attacker to gain access to hashed SMB credential information. (CVE-2015-5920)

Binary data 8958.prm

VendorProductVersionCPE
appleitunescpe:/a:apple:itunes

Vendor	Product	Version	CPE
apple	itunes		cpe:/a:apple:itunes

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3190

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8146

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1152

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1153

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1157

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3686

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3687

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3688

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3730

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3731

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3733

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3734

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3735

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3736

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3737

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3738

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3739

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3740

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3741

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3742

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3743

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3744

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3745

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3746

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3747

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3748

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3749

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5755

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5761

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5789

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5790

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5791

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5792

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5793

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5794

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5795

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5796

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5797

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5798

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5799

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5800

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5801

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5802

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5803

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5804

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5805

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5806

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5807

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5808

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5809

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5810

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5811

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5812

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5813

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5814

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5815

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5816

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5817

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5818

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5819

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5821

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5822

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5823

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5874

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5920

support.apple.com/en-us/HT205221

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.126 Low

EPSS

Percentile

95.5%

JSON

iTunes for Windows < 12.3 Multiple Vulnerabilities

References

Related