CVE-2017-2387 - OpenCVE

The Apple Music (aka com.apple.android.music) application before 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

No CVSS v3.1

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:A/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apple	Apple Music

Configuration 1 [-]

cpe:2.3:a:apple:apple_music:1.2.1:*:*:*:*:android:*:*

References

Link	Resource
http://www.info-sec.ca/advisories/Apple-Music.html	Third Party Advisory
http://www.securityfocus.com/bid/97390	Third Party Advisory VDB Entry
https://support.apple.com/HT207605	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apple

Published: 2017-04-07T11:12:00

Updated: 2017-04-10T09:57:01

Reserved: 2016-12-01T00:00:00

Link: CVE-2017-2387

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-04-07T11:59:00.153

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-2387

JSON object: View

Redhat Information

No data.

CWE

CWE-295

{"containers": {"cna": {"affected": [{"product": "Apple Music before 2.0 for Android", "vendor": "n/a", "versions": [{"status": "affected", "version": "Apple Music before 2.0 for Android"}]}], "datePublic": "2017-04-07T00:00:00", "descriptions": [{"lang": "en", "value": "The Apple Music (aka com.apple.android.music) application before 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate."}], "problemTypes": [{"descriptions": [{"description": "missing SSL certificate check", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-04-10T09:57:01", "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://support.apple.com/HT207605"}, {"tags": ["x_refsource_MISC"], "url": "http://www.info-sec.ca/advisories/Apple-Music.html"}, {"name": "97390", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97390"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "product-security@apple.com", "ID": "CVE-2017-2387", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apple Music before 2.0 for Android", "version": {"version_data": [{"version_value": "Apple Music before 2.0 for Android"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Apple Music (aka com.apple.android.music) application before 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "missing SSL certificate check"}]}]}, "references": {"reference_data": [{"name": "https://support.apple.com/HT207605", "refsource": "CONFIRM", "url": "https://support.apple.com/HT207605"}, {"name": "http://www.info-sec.ca/advisories/Apple-Music.html", "refsource": "MISC", "url": "http://www.info-sec.ca/advisories/Apple-Music.html"}, {"name": "97390", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97390"}]}}}}, "cveMetadata": {"assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "assignerShortName": "apple", "cveId": "CVE-2017-2387", "datePublished": "2017-04-07T11:12:00", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2017-04-10T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:apple_music:1.2.1:*:*:*:*:android:*:*", "matchCriteriaId": "C91A88A8-A763-466B-819A-506AC0313496", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Apple Music (aka com.apple.android.music) application before 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate."}, {"lang": "es", "value": "La aplicaci\u00f3n Apple Music (tambi\u00e9n conocida como com.apple.android.music) en versiones anteriores a 2.0 para Android no verifica los certificados X.509 de los servidores SSL, lo que permite a atacantes man-in-the-middle suplantar servidores y obtener informaci\u00f3n sensible a trav\u00e9s de un certificado manipulado."}], "id": "CVE-2017-2387", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 5.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-04-07T11:59:00.153", "references": [{"source": "product-security@apple.com", "tags": ["Third Party Advisory"], "url": "http://www.info-sec.ca/advisories/Apple-Music.html"}, {"source": "product-security@apple.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97390"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/HT207605"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}