CVE-2008-3434

EUVD-2008-3420
Apple iTunes before 10.5.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.
Code Injection
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 7.5 UNKNOWN | NETWORK | LOW | | AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS Score
Percentile: 71%
Affected Products (NVD)
Vendor | Product | Version
apple | itunes | 𝑥 ≤ 6.0.5
apple | itunes | 1.0
apple | itunes | 1.1
apple | itunes | 1.1.1
apple | itunes | 1.1.2
apple | itunes | 2.0
apple | itunes | 2.0.1
apple | itunes | 2.0.2
apple | itunes | 2.0.3
apple | itunes | 2.0.4
apple | itunes | 3.0
apple | itunes | 3.0.1
apple | itunes | 4.0
apple | itunes | 4.0.1
apple | itunes | 4.1
apple | itunes | 4.2
apple | itunes | 4.5
apple | itunes | 4.6
apple | itunes | 4.7
apple | itunes | 4.7.1
apple | itunes | 4.8
apple | itunes | 4.9
apple | itunes | 5.0
apple | itunes | 5.0.1
apple | itunes | 6.0
apple | itunes | 6.0.1
apple | itunes | 6.0.2
apple | itunes | 6.0.3
apple | itunes | 6.0.4
apple | itunes | 6.0.4.2
𝑥 = Vulnerable software versions