CVE-2013-3694 - OpenCVE

BlackBerry Link before 1.2.1.31 on Windows and before 1.1.1 build 39 on Mac OS X does not require authentication for remote file-access folders, which allows remote attackers to read or create arbitrary files via IPv6 WebDAV requests, as demonstrated by a CSRF attack involving DNS rebinding.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Mac Os X
Blackberry	Blackberry Link
Microsoft	Windows

Configuration 1 [-]

AND

OR	cpe:2.3:a:blackberry:blackberry_link::::::::
	cpe:2.3:a:blackberry:blackberry_link:1.0.1.12:::::::*

cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:a:blackberry:blackberry_link::::::::
	cpe:2.3:a:blackberry:blackberry_link:1.0.1.12:::::::*
	cpe:2.3:a:blackberry:blackberry_link:1.1.1.26:::::::*
	cpe:2.3:a:blackberry:blackberry_link:1.1.1.41:::::::*
	cpe:2.3:a:blackberry:blackberry_link:1.2.0.12:::::::*

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://blog.cmpxchg8b.com/2013/11/qnx.html
http://www.blackberry.com/btsc/KB35315

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2013-11-16T02:00:00Z

Updated: 2024-09-17T02:31:42.310Z

Reserved: 2013-05-30T00:00:00Z

Link: CVE-2013-3694

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2013-11-18T03:55:05.603

Modified: 2013-11-19T18:50:14.940

Link: CVE-2013-3694

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "BlackBerry Link before 1.2.1.31 on Windows and before 1.1.1 build 39 on Mac OS X does not require authentication for remote file-access folders, which allows remote attackers to read or create arbitrary files via IPv6 WebDAV requests, as demonstrated by a CSRF attack involving DNS rebinding."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-11-16T02:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://blog.cmpxchg8b.com/2013/11/qnx.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.blackberry.com/btsc/KB35315"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-3694", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "BlackBerry Link before 1.2.1.31 on Windows and before 1.1.1 build 39 on Mac OS X does not require authentication for remote file-access folders, which allows remote attackers to read or create arbitrary files via IPv6 WebDAV requests, as demonstrated by a CSRF attack involving DNS rebinding."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://blog.cmpxchg8b.com/2013/11/qnx.html", "refsource": "MISC", "url": "http://blog.cmpxchg8b.com/2013/11/qnx.html"}, {"name": "http://www.blackberry.com/btsc/KB35315", "refsource": "CONFIRM", "url": "http://www.blackberry.com/btsc/KB35315"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:14:56.679Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://blog.cmpxchg8b.com/2013/11/qnx.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.blackberry.com/btsc/KB35315"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-3694", "datePublished": "2013-11-16T02:00:00Z", "dateReserved": "2013-05-30T00:00:00Z", "dateUpdated": "2024-09-17T02:31:42.310Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:blackberry:blackberry_link:*:*:*:*:*:*:*:*", "matchCriteriaId": "C97597AD-B867-4271-9672-E01503D6D23B", "versionEndIncluding": "1.1.1.26", "vulnerable": true}, {"criteria": "cpe:2.3:a:blackberry:blackberry_link:1.0.1.12:*:*:*:*:*:*:*", "matchCriteriaId": "16D65A34-F674-4BB4-B70E-C324B0EE14DE", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FF5999A-9D12-4CDD-8DE9-A89C10B2D574", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:blackberry:blackberry_link:*:*:*:*:*:*:*:*", "matchCriteriaId": "13E01B51-0244-474A-B7DF-35443E13BD02", "versionEndIncluding": "1.2.0.28", "vulnerable": true}, {"criteria": "cpe:2.3:a:blackberry:blackberry_link:1.0.1.12:*:*:*:*:*:*:*", "matchCriteriaId": "16D65A34-F674-4BB4-B70E-C324B0EE14DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:blackberry:blackberry_link:1.1.1.26:*:*:*:*:*:*:*", "matchCriteriaId": "FC843B35-EC97-401C-8C2E-51BE62D45127", "vulnerable": true}, {"criteria": "cpe:2.3:a:blackberry:blackberry_link:1.1.1.41:*:*:*:*:*:*:*", "matchCriteriaId": "8E167DD9-E865-4556-985B-8C62DF6939A0", "vulnerable": true}, {"criteria": "cpe:2.3:a:blackberry:blackberry_link:1.2.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "3D72AD0E-044A-45FE-89D2-F63C0E55E929", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BlackBerry Link before 1.2.1.31 on Windows and before 1.1.1 build 39 on Mac OS X does not require authentication for remote file-access folders, which allows remote attackers to read or create arbitrary files via IPv6 WebDAV requests, as demonstrated by a CSRF attack involving DNS rebinding."}, {"lang": "es", "value": "BlackBerry Link anterior a la versi\u00f3n 1.2.1.31 en Windows y anterior a 1.1.1 build 39 en Mac OS X no requiere autenticaci\u00f3n para carpetas file-access remotas, lo que permite a atacantes remotos leer o crear archivos arbitrarios a trav\u00e9s de peticiones IPv6 WebDAV, tal y como se demostr\u00f3 mediante un ataque de CSRF que involucraba la reconsolidaci\u00f3n de DNS."}], "id": "CVE-2013-3694", "lastModified": "2013-11-19T18:50:14.940", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2013-11-18T03:55:05.603", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://blog.cmpxchg8b.com/2013/11/qnx.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.blackberry.com/btsc/KB35315"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}