Vulnerability CVE-2006-5681 - CERT Civis.Net

Vulnerability Name:

CVE-2006-5681 (CCN-30978)

Assigned:

2006-12-18

Published:

2006-12-18

Updated:

2011-03-08

Summary:

QuickTime for Java on Mac OS X 10.4 through 10.4.8, when used with Quartz Composer, allows remote attackers to obtain sensitive information (screen images) via a Java applet that accesses images that are being rendered by other embedded QuickTime objects.
Successful exploitation requires that the affected products are used in conjunction with Quartz Composer.

CVSS v3 Severity:

3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
1.9 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
1.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2006-5681

Source: CCN
Type: Apple Security Update 2006-008
About Security Update 2006-008

Source: MISC
Type: Patch
http://docs.info.apple.com/article.html?artnum=304916

Source: APPLE
Type: Patch
APPLE-SA-2006-12-19

Source: CCN
Type: SA23438
Apple Mac OS X Quicktime/Quartz Composer Information Disclosure

Source: SECUNIA
Type: UNKNOWN
23438

Source: CCN
Type: SECTRACK ID: 1017402
QuickTime Quartz Composer Composition Bug Lets Remote Users Obtain Information from the Target User`s System

Source: SECTRACK
Type: UNKNOWN
1017402

Source: CCN
Type: Apple QuickTime Web site
Apple - Quicktime

Source: OSVDB
Type: UNKNOWN
32380

Source: CCN
Type: OSVDB ID: 32380
Apple Mac OS X Quicktime/Quartz Composer Information Disclosure

Source: BID
Type: UNKNOWN
21672

Source: CCN
Type: BID-21672
Apple Mac OS X Quicktime For Java Information Disclosure Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2006-5072

Source: XF
Type: UNKNOWN
quicktime-java-applet-information-disclosure(30978)

Vulnerable Configuration:

Configuration 1:

cpe:/o:apple:mac_os_x:10.4:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.4.1:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.4.2:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.4.3:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.4.4:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.4.5:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.4.6:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.4.7:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.4.8:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.4:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.4.1:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.4.2:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.4.3:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.4.4:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.4.5:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.4.6:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.4.7:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.4.8:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:apple:quicktime:*:*:*:*:*:*:*:*

AND

cpe:/o:apple:mac_os_x_server:10.4.8:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.4.8:*:*:*:*:*:*:*

Denotes that component is vulnerable