CVE-2014-4450

The QuickType feature in the Keyboards subsystem in Apple iOS before 8.1 collects typing-prediction data from fields with an off autocomplete attribute, which makes it easier for attackers to discover credentials by reading credential values within unintended DOM input elements.

CVSS v2.0 1.9 LOW

1.9^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 3.4 / Impact : 2.9

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/archive/1/533747
http://www.securityfocus.com/bid/70660
http://www.securitytracker.com/id/1031077
https://exchange.xforce.ibmcloud.com/vulnerabilities/97666
https://support.apple.com/kb/HT6541	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2014-10-22 10:55

Updated : 2017-08-29 01:35

NVD link : CVE-2014-4450

Mitre link : CVE-2014-4450

CVE.ORG link : CVE-2014-4450

JSON object : View

Products Affected

apple

iphone_os

CWE

CWE-255

Credentials Management Errors

{"id": "CVE-2014-4450", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 1.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-10-22T10:55:02.717", "references": [{"url": "http://www.securityfocus.com/archive/1/533747", "source": "product-security@apple.com"}, {"url": "http://www.securityfocus.com/bid/70660", "source": "product-security@apple.com"}, {"url": "http://www.securitytracker.com/id/1031077", "source": "product-security@apple.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97666", "source": "product-security@apple.com"}, {"url": "https://support.apple.com/kb/HT6541", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-255"}]}], "descriptions": [{"lang": "en", "value": "The QuickType feature in the Keyboards subsystem in Apple iOS before 8.1 collects typing-prediction data from fields with an off autocomplete attribute, which makes it easier for attackers to discover credentials by reading credential values within unintended DOM input elements."}, {"lang": "es", "value": "La caracteristica QuickType en el subsistema Keyboards en Apple iOS anterior a 8.1 recoge datos de la previsi\u00f3n de escritura de campos con un atributo de autocompletado apagado, lo que facilita a atacantes descubrir credenciales mediante la lectura de los valores de credenciales dentro de elementos no intencionados de entradas DOM."}], "lastModified": "2017-08-29T01:35:03.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58021BEB-65A6-42FC-8A36-F7A2BB4C1F76", "versionEndIncluding": "8.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "product-security@apple.com"}