7.5

CVE-2015-9231

Exploit

EPSS 0.78%
Veröffentlicht 20.09.2017 20:29:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

iTerm2 3.x before 3.1.1 allows remote attackers to discover passwords by reading DNS queries. A new (default) feature was added to iTerm2 version 3.0.0 (and unreleased 2.9.x versions such as 2.9.20150717) that resulted in a potential information disclosure. In an attempt to see whether the text under the cursor (or selected text) was a URL, the text would be sent as an unencrypted DNS query. This has the potential to result in passwords and other sensitive information being sent in cleartext without the user being aware.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Iterm2 ≫ Iterm2 Version2.9.20151111

Iterm2 ≫ Iterm2 Version2.9.20151229

Iterm2 ≫ Iterm2 Version2.9.20160102

Iterm2 ≫ Iterm2 Version2.9.20160113

Iterm2 ≫ Iterm2 Version2.9.20160206

Iterm2 ≫ Iterm2 Version2.9.20160313

Iterm2 ≫ Iterm2 Version2.9.20160422

Iterm2 ≫ Iterm2 Version2.9.20160426

Iterm2 ≫ Iterm2 Version2.9.20160510

Iterm2 ≫ Iterm2 Version2.9.20160523

Iterm2 ≫ Iterm2 Version3.0.0

Iterm2 ≫ Iterm2 Version3.0.0 Updatepreview

Iterm2 ≫ Iterm2 Version3.0.1 Updatepreview

Iterm2 ≫ Iterm2 Version3.0.2

Iterm2 ≫ Iterm2 Version3.0.3

Iterm2 ≫ Iterm2 Version3.0.4

Iterm2 ≫ Iterm2 Version3.0.5

Iterm2 ≫ Iterm2 Version3.0.6

Iterm2 ≫ Iterm2 Version3.0.7

Iterm2 ≫ Iterm2 Version3.0.8

Iterm2 ≫ Iterm2 Version3.0.9

Iterm2 ≫ Iterm2 Version3.0.10

Iterm2 ≫ Iterm2 Version3.0.11

Iterm2 ≫ Iterm2 Version3.0.12

Iterm2 ≫ Iterm2 Version3.0.13

Iterm2 ≫ Iterm2 Version3.0.14

Iterm2 ≫ Iterm2 Version3.0.15

Iterm2 ≫ Iterm2 Version3.0.20160531

Iterm2 ≫ Iterm2 Version3.1.0

Iterm2 ≫ Iterm2 Version3.1.0 Updatebeta

Iterm2 ≫ Iterm2 Version3.1.0 Updatebeta1

Iterm2 ≫ Iterm2 Version3.1.0 Updatebeta10

Iterm2 ≫ Iterm2 Version3.1.0 Updatebeta2

Iterm2 ≫ Iterm2 Version3.1.0 Updatebeta3

Iterm2 ≫ Iterm2 Version3.1.0 Updatebeta4

Iterm2 ≫ Iterm2 Version3.1.0 Updatebeta5

Iterm2 ≫ Iterm2 Version3.1.0 Updatebeta6

Iterm2 ≫ Iterm2 Version3.1.0 Updatebeta7

Iterm2 ≫ Iterm2 Version3.1.0 Updatebeta8

Iterm2 ≫ Iterm2 Version3.1.0 Updatebeta9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.78%	0.733

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/gnachman/iTerm2/commit/33ccaf61e34ef32ffc9d6b2be5dd218f6bb55f51

Third Party Advisory

https://github.com/gnachman/iTerm2/commit/e4eb1063529deb575b75b396138d41554428d522

Third Party Advisory

Issue Tracking

https://gitlab.com/gnachman/iterm2/issues/3688

Third Party Advisory

Issue Tracking

https://gitlab.com/gnachman/iterm2/issues/5303

Third Party Advisory

Issue Tracking

https://gitlab.com/gnachman/iterm2/issues/6050

Third Party Advisory

Exploit

Issue Tracking

https://gitlab.com/gnachman/iterm2/issues/6068

Third Party Advisory

Issue Tracking

https://gitlab.com/gnachman/iterm2/wikis/dnslookupissue

Third Party Advisory

https://news.ycombinator.com/item?id=15286956

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2015-9231

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2015-9231

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2015-9231

EUVD