OpenCVE

Login Window in Apple Mac OS X 10.4.11 does not clear the current password when a user makes a password-change attempt that is denied by policy, which allows opportunistic, physically proximate attackers to bypass authentication and change this user's password by later entering an acceptable new password on the same login screen.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:M/Au:N/C:N/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Mac Os X Mac Os X Server

Configuration 1 [-]

OR	cpe:2.3:o:apple:mac_os_x:10.4.11:::::::*
	cpe:2.3:o:apple:mac_os_x_server:10.4.11:::::::*

No data.

References

Link	Providers
http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html
http://secunia.com/advisories/31882
http://securitytracker.com/id?1020878
http://www.securityfocus.com/bid/31189
http://www.us-cert.gov/cas/techalerts/TA08-260A.html
http://www.vupen.com/english/advisories/2008/2584
https://exchange.xforce.ibmcloud.com/vulnerabilities/45171

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-09-16T23:00:00

Updated: 2024-08-07T09:45:18.935Z

Reserved: 2008-08-12T00:00:00

Link: CVE-2008-3611

Vulnrichment

No data.

NVD

Status : Modified

Published: 2008-09-16T23:00:01.133

Modified: 2024-11-21T00:49:40.377

Link: CVE-2008-3611

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-09-15T00:00:00", "descriptions": [{"lang": "en", "value": "Login Window in Apple Mac OS X 10.4.11 does not clear the current password when a user makes a password-change attempt that is denied by policy, which allows opportunistic, physically proximate attackers to bypass authentication and change this user's password by later entering an acceptable new password on the same login screen."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "31189", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/31189"}, {"name": "APPLE-SA-2008-09-15", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html"}, {"name": "TA08-260A", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "http://www.us-cert.gov/cas/techalerts/TA08-260A.html"}, {"name": "1020878", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1020878"}, {"name": "ADV-2008-2584", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2584"}, {"name": "31882", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31882"}, {"name": "macos-loginscreen-security-bypass(45171)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45171"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-3611", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Login Window in Apple Mac OS X 10.4.11 does not clear the current password when a user makes a password-change attempt that is denied by policy, which allows opportunistic, physically proximate attackers to bypass authentication and change this user's password by later entering an acceptable new password on the same login screen."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "31189", "refsource": "BID", "url": "http://www.securityfocus.com/bid/31189"}, {"name": "APPLE-SA-2008-09-15", "refsource": "APPLE", "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html"}, {"name": "TA08-260A", "refsource": "CERT", "url": "http://www.us-cert.gov/cas/techalerts/TA08-260A.html"}, {"name": "1020878", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1020878"}, {"name": "ADV-2008-2584", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2584"}, {"name": "31882", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31882"}, {"name": "macos-loginscreen-security-bypass(45171)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45171"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T09:45:18.935Z"}, "title": "CVE Program Container", "references": [{"name": "31189", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/31189"}, {"name": "APPLE-SA-2008-09-15", "tags": ["vendor-advisory", "x_refsource_APPLE", "x_transferred"], "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html"}, {"name": "TA08-260A", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "http://www.us-cert.gov/cas/techalerts/TA08-260A.html"}, {"name": "1020878", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1020878"}, {"name": "ADV-2008-2584", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/2584"}, {"name": "31882", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31882"}, {"name": "macos-loginscreen-security-bypass(45171)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45171"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-3611", "datePublished": "2008-09-16T23:00:00", "dateReserved": "2008-08-12T00:00:00", "dateUpdated": "2024-08-07T09:45:18.935Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:mac_os_x:10.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "6EE39585-CF3B-4493-96D8-B394544C7643", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x_server:10.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "D09D5933-A7D9-4A61-B863-CD8E7D5E67D8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Login Window in Apple Mac OS X 10.4.11 does not clear the current password when a user makes a password-change attempt that is denied by policy, which allows opportunistic, physically proximate attackers to bypass authentication and change this user's password by later entering an acceptable new password on the same login screen."}, {"lang": "es", "value": "La Ventana de Inicio de Sesi\u00f3n en Mac OS X versi\u00f3n 10.4.11 de Apple, no borra la contrase\u00f1a actual cuando un usuario realiza un intento de cambio de contrase\u00f1a que es negado por la pol\u00edtica, lo que permite a los atacantes oportunistas, f\u00edsicamente cercanos, omitir la autenticaci\u00f3n y cambiar la contrase\u00f1a de este usuario mediante un ingreso posterior a una nueva contrase\u00f1a aceptable en la misma pantalla de inicio de sesi\u00f3n."}], "id": "CVE-2008-3611", "lastModified": "2024-11-21T00:49:40.377", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.3, "confidentialityImpact": "NONE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:N/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 9.2, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2008-09-16T23:00:01.133", "references": [{"source": "cve@mitre.org", "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/31882"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1020878"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/31189"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.us-cert.gov/cas/techalerts/TA08-260A.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2008/2584"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45171"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/31882"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1020878"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/31189"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.us-cert.gov/cas/techalerts/TA08-260A.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2008/2584"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45171"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}