#VU43544 Input validation error in iTunes - CVE-2012-3699

Cybersecurity Help s.r.o.

Published: 2012-09-13 | Updated: 2020-08-11

Vulnerability identifier: #VU43544

Vulnerability risk: Medium

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2012-3699

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
iTunes
Client/Desktop applications / Multimedia software

Vendor: Apple Inc.

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1.

Mitigation
Install update from vendor's website.

Vulnerable software versions

iTunes: 4.0.0 - 10.6.1

External links
https://lists.apple.com/archives/security-announce/2012/Sep/msg00001.html
https://lists.apple.com/archives/security-announce/2012/Sep/msg00005.html
https://osvdb.org/85381
https://support.apple.com/kb/HT5485
https://support.apple.com/kb/HT5502
https://www.securityfocus.com/bid/55534
https://exchange.xforce.ibmcloud.com/vulnerabilities/78560
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17288

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Apple iTunes