#VU31427 Input validation error in tvOS - CVE-2017-2479

Cybersecurity Help s.r.o.

Published: 2017-04-02 | Updated: 2020-07-20

Vulnerability identifier: #VU31427

Vulnerability risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2017-2479

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
tvOS
Operating systems & Components / Operating system

Vendor: Apple Inc.

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. iCloud before 6.2 on Windows is affected. iTunes before 12.6 on Windows is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.

Mitigation
Install update from vendor's website.

Vulnerable software versions

tvOS: 10.0 - 10.1.1

External links
https://www.securityfocus.com/bid/97176
https://www.securitytracker.com/id/1038157
https://support.apple.com/HT207599
https://support.apple.com/HT207600
https://support.apple.com/HT207601
https://support.apple.com/HT207607
https://support.apple.com/HT207617
https://www.exploit-db.com/exploits/41866/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Apple tvOS