Apple Xcode < 5.0 (Mac OS X)

Medium Nessus Plugin ID 70093

Synopsis

The remote host has an application installed that is prone to a man-in-the-middle attack.

Description

The remote Mac OS X host has a version of Apple Xcode prior to 5.0 installed. It therefore includes a version of git whose imap-send command reportedly does not verify that the server hostname matches the domain name in the server's X.509 certificate. A man-in-the-middle attacker could leverage this vulnerability to spoof SSL servers via an arbitrary valid certificate.

Solution

Upgrade to Apple Xcode version 5.0 or later, available for OS X Mountain Lion 10.8.4 or later.

See Also

http://support.apple.com/kb/HT5937

http://lists.apple.com/archives/security-announce/2013/Sep/msg00007.html

http://www.securityfocus.com/archive/1/528719/30/0/threaded

Plugin Details

Severity: Medium

ID: 70093

File Name: macosx_xcode_5_0.nasl

Version: 1.3

Type: local

Agent: macosx

Published: 2013/09/24

Updated: 2020/05/05

Dependencies: 61412

Risk Information

Risk Factor: Medium

VPR Score: 2.5

CVSS Score Source: CVE-2013-0308

CVSS v2.0

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 4.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Vulnerability Information

CPE: cpe:/a:apple:xcode

Required KB Items: Host/local_checks_enabled, Host/MacOSX/Version, installed_sw/Apple Xcode

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2013/09/18

Vulnerability Publication Date: 2013/02/19

Reference Information

CVE: CVE-2013-0308

BID: 58148

APPLE-SA: APPLE-SA-2013-09-18-3