Apple Xcode < 5.0 (Mac OS X)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote host has an application installed that is prone to a
man-in-the-middle attack.

Description :

The remote Mac OS X host has Apple Xcode prior to 5.0 installed. It
therefore includes a version of git in which the imap-send command
reportedly does not verify that the server's hostname matches the domain
name in the X.509 certificate the server presents. Because the name in
the certificate is never checked against the host being contacted, a
man-in-the-middle attacker could leverage this vulnerability to spoof
SSL servers using any valid certificate.
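The following is an added illustration, not code from git, Apple or Tenable, of the check the advisory says was missing: a hostname-to-certificate-name match, shown beside the pre-fix logic that accepts any chain-valid certificate. The certificate dict layout follows Python's ssl.SSLSocket.getpeercert(); the host names and certificate contents are constructed.

```python
# Added example: the hostname-to-certificate check git's imap-send lacked
# before the fix. Illustrative code, not git's, Apple's or Tenable's.

def _dns_names(cert: dict) -> list:
    """DNS names from a cert in the dict layout of ssl.SSLSocket.getpeercert():
    SAN dNSName entries, falling back to subject commonName only if no SAN."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """True if hostname matches a name the certificate asserts. '*' counts
    only as the whole left-most label of a name with at least three labels:
    '*.example.com' matches 'imap.example.com', not 'a.b.example.com'."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in _dns_names(cert):
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False

def accepts_before_fix(hostname: str, cert: dict, chain_valid: bool) -> bool:
    """Behaviour the advisory describes: any certificate that chains to a
    trusted CA is accepted, regardless of the name it was issued for."""
    return chain_valid

def accepts_after_fix(hostname: str, cert: dict, chain_valid: bool) -> bool:
    """Corrected behaviour: chain must verify AND the name must match."""
    return chain_valid and hostname_matches_cert(hostname, cert)

# Constructed sample: a CA-issued certificate for an unrelated host, as a
# man-in-the-middle could present to a client expecting imap.example.com.
OTHER_HOST_CERT = {
    "subject": ((("commonName", "mail.other.example"),),),
    "subjectAltName": (("DNS", "mail.other.example"),),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}
```

The vulnerable path returns True for OTHER_HOST_CERT even though it was issued to a different host; the fixed path rejects it while still accepting a matching wildcard certificate.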

See also :

http://support.apple.com/kb/HT5937
http://lists.apple.com/archives/security-announce/2013/Sep/msg00007.html
http://www.securityfocus.com/archive/1/528719/30/0/threaded

Solution :

Upgrade to Apple Xcode version 5.0 or later, available for OS X
Mountain Lion 10.8.4 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: MacOS X Local Security Checks

Nessus Plugin ID: 70093

Bugtraq ID: 58148

CVE ID: CVE-2013-0308