CVE-2011-0228

Published: Aug 29, 2011Modified: Apr 29, 2026

7.5

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability: 10.0 / Impact: 6.4

Source: NVD

Description

The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middle attackers to spoof an SSL server by using a non-CA certificate to sign a certificate for an arbitrary domain.

Affected (38)

Products: Apple: Iphone Os

1 product

Configuration A

33 vulnerable

Vulnerable Software	Affected Versions
Apple Iphone Os	Up to 4.2.9
Apple Iphone Os	Version 1.0.0
Apple Iphone Os	Version 1.0.1
Apple Iphone Os	Version 1.0.2
Apple Iphone Os	Version 1.1.0
Apple Iphone Os	Version 1.1.1
Apple Iphone Os	Version 1.1.2
Apple Iphone Os	Version 1.1.3
Apple Iphone Os	Version 1.1.4
Apple Iphone Os	Version 1.1.5
Apple Iphone Os	Version 2.0.0
Apple Iphone Os	Version 2.0.1
Apple Iphone Os	Version 2.0.2
Apple Iphone Os	Version 2.0
Apple Iphone Os	Version 2.1.1
Apple Iphone Os	Version 2.1
Apple Iphone Os	Version 2.2.1
Apple Iphone Os	Version 2.2
Apple Iphone Os	Version 3.0.1
Apple Iphone Os	Version 3.0
Apple Iphone Os	Version 3.1.2
Apple Iphone Os	Version 3.1.3
Apple Iphone Os	Version 3.1
Apple Iphone Os	Version 3.2.1
Apple Iphone Os	Version 3.2.2
Apple Iphone Os	Version 3.2
Apple Iphone Os	Version 4.0.1
Apple Iphone Os	Version 4.0.2
Apple Iphone Os	Version 4.0
Apple Iphone Os	Version 4.1
Apple Iphone Os	Version 4.2.1
Apple Iphone Os	Version 4.2.5
Apple Iphone Os	Version 4.2.8

Configuration B

5 vulnerable

Vulnerable Software	Affected Versions
Apple Iphone Os	Version 4.3.0
Apple Iphone Os	Version 4.3.1
Apple Iphone Os	Version 4.3.2
Apple Iphone Os	Version 4.3.3
Apple Iphone Os	Version 4.3.4

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (20)

http://lists.apple.com/archives/security-announce/2011//Jul/msg00004.html

Source: product-security@apple.com

Vendor Advisory

http://lists.apple.com/archives/security-announce/2011//Jul/msg00005.html

Source: product-security@apple.com

Vendor Advisory

http://secunia.com/advisories/45369

Source: product-security@apple.com

Vendor Advisory

http://securityreason.com/securityalert/8361

Source: product-security@apple.com

http://securitytracker.com/id?1025837

Source: product-security@apple.com

http://support.apple.com/kb/HT4824

Source: product-security@apple.com

http://support.apple.com/kb/HT4825

Source: product-security@apple.com

Vendor Advisory

http://www.securityfocus.com/archive/1/518982/100/0/threaded

Source: product-security@apple.com

http://www.securityfocus.com/bid/48877

Source: product-security@apple.com

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt

Source: product-security@apple.com

http://lists.apple.com/archives/security-announce/2011//Jul/msg00004.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://lists.apple.com/archives/security-announce/2011//Jul/msg00005.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/45369

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://securityreason.com/securityalert/8361

Source: af854a3a-2127-422b-91ae-364da2661108

http://securitytracker.com/id?1025837

Source: af854a3a-2127-422b-91ae-364da2661108

http://support.apple.com/kb/HT4824

Source: af854a3a-2127-422b-91ae-364da2661108

http://support.apple.com/kb/HT4825

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.securityfocus.com/archive/1/518982/100/0/threaded

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/48877

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.