Vulnerability CVE-2017-2513

Vulnerability Name:

CVE-2017-2513 (CCN-126034)

Assigned:

2016-12-01

Published:

2017-05-10

Updated:

2019-03-08

Summary:

An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "SQLite" component. A use-after-free vulnerability allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted SQL statement.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-416

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2017-2513

Source: BID
Type: Vendor Advisory
98468

Source: CCN
Type: BID-98468
Apple iOS/WatchOS/tvOS/macOS Multiple Security Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1038484

Source: XF
Type: UNKNOWN
apple-cve20172513-code-exec(126034)

Source: CCN
Type: Apple security document HT207797
About the security content of macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite

Source: CCN
Type: Apple security document HT207798
About the security content of iOS 10.3.2

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/HT207797

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/HT207798

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/HT207800

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/HT207801

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-2513

Vulnerable Configuration:

Configuration 1:

cpe:/o:apple:iphone_os:*:*:*:*:*:*:*:* (Version <= 10.3.1)

OR cpe:/o:apple:mac_os_x:*:*:*:*:*:*:*:* (Version <= 10.12.4)

OR cpe:/o:apple:tvos:*:*:*:*:*:*:*:* (Version <= 10.2)

OR cpe:/o:apple:watchos:*:*:*:*:*:*:*:* (Version <= 3.2)

Configuration CCN 1:

cpe:/o:apple:macos_sierra:10.12.4:*:*:*:*:*:*:*

OR cpe:/o:apple:watchos:3.2.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.artful:def:20172513000	V	CVE-2017-2513 on Ubuntu 17.10 (artful) - medium.	2017-05-22
oval:com.ubuntu.bionic:def:201725130000000	V	CVE-2017-2513 on Ubuntu 18.04 LTS (bionic) - medium.	2017-05-22
oval:com.ubuntu.bionic:def:20172513000	V	CVE-2017-2513 on Ubuntu 18.04 LTS (bionic) - medium.	2017-05-22
oval:com.ubuntu.xenial:def:201725130000000	V	CVE-2017-2513 on Ubuntu 16.04 LTS (xenial) - medium.	2017-05-22
oval:com.ubuntu.trusty:def:20172513000	V	CVE-2017-2513 on Ubuntu 14.04 LTS (trusty) - medium.	2017-05-22
oval:com.ubuntu.xenial:def:20172513000	V	CVE-2017-2513 on Ubuntu 16.04 LTS (xenial) - medium.	2017-05-22

BACK