CVE-2014-1296

CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction.
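| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 4.3 UNKNOWN | NETWORK | MEDIUM | | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| apple | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |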
EPSS Score
Percentile: 43%
| Vendor | Product | Version |
|---|---|---|
| apple | iphone_os | 𝑥 ≤ 7.1 |
| apple | iphone_os | 7.0 |
| apple | iphone_os | 7.0.1 |
| apple | iphone_os | 7.0.2 |
| apple | iphone_os | 7.0.3 |
| apple | iphone_os | 7.0.4 |
| apple | iphone_os | 7.0.5 |
| apple | iphone_os | 7.0.6 |
| apple | mac_os_x | 10.8.0 |
| apple | mac_os_x | 10.8.1 |
| apple | mac_os_x | 10.8.2 |
| apple | mac_os_x | 10.8.3 |
| apple | mac_os_x | 10.8.4 |
| apple | mac_os_x | 10.8.5 |
| apple | mac_os_x | 10.8.5:supplemental_update |
| apple | mac_os_x | 𝑥 ≤ 10.9.2 |
| apple | mac_os_x | 10.9 |
| apple | mac_os_x | 10.9.1 |
| apple | mac_os_x | 10.7.0 |
| apple | mac_os_x | 10.7.1 |
| apple | mac_os_x | 10.7.2 |
| apple | mac_os_x | 10.7.3 |
| apple | mac_os_x | 10.7.4 |
| apple | mac_os_x | 10.7.5 |
| apple | mac_os_x_server | 10.7.0 |
| apple | mac_os_x_server | 10.7.1 |
| apple | mac_os_x_server | 10.7.2 |
| apple | mac_os_x_server | 10.7.3 |
| apple | mac_os_x_server | 10.7.4 |
| apple | mac_os_x_server | 10.7.5 |
| apple | tvos | 𝑥 ≤ 6.1 |
| apple | tvos | 6.0 |
| apple | tvos | 6.0.1 |
| apple | tvos | 6.0.2 |

𝑥 = Vulnerable software versions
Common Weakness Enumeration