Description
The Keychain implementation in Apple Mac OS X 10.6.8 and earlier does not properly handle an untrusted attribute of a Certification Authority certificate, which makes it easier for man-in-the-middle attackers to spoof arbitrary SSL servers via an Extended Validation certificate, as demonstrated by https access with Safari.
References (6)
Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/49429
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT5130
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1026002
Various Sources x_refsource_misc
http://www.computerworld.com/s/article/9219669/Mac_OS_X_can_t_properly_revoke_dodgy_digital_certificates
Mailing List vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/69556
Scores
EPSS
0.0086
EPSS Percentile
54.2%
Details
CWE
CWE-20
Status
published
Products (18)
apple/mac_os_x
10.6.0
apple/mac_os_x
10.6.1
apple/mac_os_x
10.6.2
apple/mac_os_x
10.6.3
apple/mac_os_x
10.6.4
apple/mac_os_x
10.6.5
apple/mac_os_x
10.6.6
apple/mac_os_x
10.6.7
apple/mac_os_x
< 10.6.8
apple/mac_os_x_server
10.6.0
... and 8 more
Published
Sep 12, 2011
Tracked Since
Feb 18, 2026