CVE-2014-4374 : NSXMLParser in Foundation in Apple iOS before 8 allows attackers to read arbitrary files via XML data containing an exte

NSXMLParser in Foundation in Apple iOS before 8 allows attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Published 2014-09-18 10:55:09

Updated 2017-08-29 01:34:58

Source Apple Inc.

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injection

Exploit prediction scoring system (EPSS) score for CVE-2014-4374

Probability of exploitation activity in the next 30 days: 0.37%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 69 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-4374

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

References for CVE-2014-4374

http://archives.neohapsis.com/archives/bugtraq/2014-09/0106.html

Vendor Advisory

CVEs referencing this url
http://support.apple.com/kb/HT6441

About the security content of iOS 8 - Apple Support

CVEs referencing this url
http://support.apple.com/kb/HT6443

About the security content of OS X Mavericks v10.9.5 and Security Update 2014-004 - Apple Support
Vendor Advisory

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/96077

Apple iOS NSXMLParser information disclosure CVE-2014-4374 Vulnerability Report
http://www.securityfocus.com/bid/69905

Apple Mac OS X and iOS CVE-2014-4374 XML External Entity Information Disclosure Vulnerability
http://www.securitytracker.com/id/1030866

Apple iOS Multiple Bugs Let Remote Users Obtain Information and Execute Arbitrary Code andLocal Users Gain Elevated Privileges and Deny Service - SecurityTracker

CVEs referencing this url
http://www.securityfocus.com/bid/69882

RETIRED: Apple iOS Prior to iOS 8 and TV Prior to TV 7 Multiple Vulnerabilities

CVEs referencing this url

Products affected by CVE-2014-4374

Apple » Mac Os X
Versions up to, including, (<=) 10.9.4
cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os
Versions up to, including, (<=) 7.1.2
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 7.0
cpe:2.3:o:apple:iphone_os:7.0:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 7.0.1
cpe:2.3:o:apple:iphone_os:7.0.1:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 7.0.2
cpe:2.3:o:apple:iphone_os:7.0.2:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 7.0.4
cpe:2.3:o:apple:iphone_os:7.0.4:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 7.0.3
cpe:2.3:o:apple:iphone_os:7.0.3:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 7.0.5
cpe:2.3:o:apple:iphone_os:7.0.5:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 7.0.6
cpe:2.3:o:apple:iphone_os:7.0.6:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 7.1
cpe:2.3:o:apple:iphone_os:7.1:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os » Version: 7.1.1
cpe:2.3:o:apple:iphone_os:7.1.1:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2014-4374

Exploit prediction scoring system (EPSS) score for CVE-2014-4374

CVSS scores for CVE-2014-4374

References for CVE-2014-4374

Products affected by CVE-2014-4374