Vulnerability Description
Secure Transport in Apple iOS before 7.1.1, Apple OS X 10.8.x and 10.9.x through 10.9.2, and Apple TV before 6.1.1 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apple | iPhone OS | <= 7.1 |
| Apple | Mac OS X | 10.9 |
| Apple | tvOS | <= 6.1 |
References
- http://archives.neohapsis.com/archives/bugtraq/2014-04/0134.html
- http://archives.neohapsis.com/archives/bugtraq/2014-04/0135.html
- http://archives.neohapsis.com/archives/bugtraq/2014-04/0136.html
- https://secure-resumption.com/Exploit
FAQ
What is CVE-2014-1295?
CVE-2014-1295 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Secure Transport in Apple iOS before 7.1.1, Apple OS X 10.8.x and 10.9.x through 10.9.2, and Apple TV before 6.1.1 does not ensure that a server's X.509 certificate is the same during renegotiation as...
How severe is CVE-2014-1295?
CVE-2014-1295 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2014-1295?
Check the references section above for vendor advisories and patch information. Affected products include: Apple iPhone OS, Apple Mac OS X, Apple tvOS.