CVE-2017-2387

4.8MEDIUM

Key Information:

Vendor: Apple
Status: Apple Music Before 2.0 For Android
Vendor: CVE Published:; 7 April 2017

Summary

The Apple Music (aka com.apple.android.music) application before 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Affected Version(s)

Apple Music before 2.0 for Android Apple Music before 2.0 for Android

References

https://support.apple.com/HT207605

x_refsource_CONFIRM

http://www.info-sec.ca/advisories/Apple-Music.html

x_refsource_MISC

http://www.securityfocus.com/bid/97390

vdb-entryx_refsource_BID

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Apr 7, 2017
Vulnerability Reserved
Dec 1, 2016

.