CVE-2015-9231

iTerm2 3.x before 3.1.1 allows remote attackers to discover passwords by reading DNS queries. A new (default) feature was added to iTerm2 version 3.0.0 (and unreleased 2.9.x versions such as 2.9.20150717) that resulted in a potential information disclosure. In an attempt to see whether the text under the cursor (or selected text) was a URL, the text would be sent as an unencrypted DNS query. This has the potential to result in passwords and other sensitive information being sent in cleartext without the user being aware.

Published: 2017-09-20 20:29 Updated: 2017-10-05 17:54

CVSS Score: 5.0 / 10
Vendor Product Version URI
Iterm2 Iterm2 2.9.20160102 cpe:/a:iterm2:iterm2:2.9.20160102
Iterm2 Iterm2 3.1.0 cpe:/a:iterm2:iterm2:3.1.0:beta9
Iterm2 Iterm2 2.9.20160523 cpe:/a:iterm2:iterm2:2.9.20160523
Iterm2 Iterm2 3.1.0 cpe:/a:iterm2:iterm2:3.1.0:beta7
Iterm2 Iterm2 2.9.20160426 cpe:/a:iterm2:iterm2:2.9.20160426
Iterm2 Iterm2 2.9.20160206 cpe:/a:iterm2:iterm2:2.9.20160206
Iterm2 Iterm2 3.1.0 cpe:/a:iterm2:iterm2:3.1.0:beta5
Iterm2 Iterm2 3.1.0 cpe:/a:iterm2:iterm2:3.1.0:beta6
Iterm2 Iterm2 3.1.0 cpe:/a:iterm2:iterm2:3.1.0:beta3
Iterm2 Iterm2 3.1.0 cpe:/a:iterm2:iterm2:3.1.0:beta4
Iterm2 Iterm2 2.9.20160422 cpe:/a:iterm2:iterm2:2.9.20160422
Iterm2 Iterm2 3.0.20160531 cpe:/a:iterm2:iterm2:3.0.20160531
Iterm2 Iterm2 3.1.0 cpe:/a:iterm2:iterm2:3.1.0:beta1
Iterm2 Iterm2 3.1.0 cpe:/a:iterm2:iterm2:3.1.0:beta2
Iterm2 Iterm2 2.9.20151111 cpe:/a:iterm2:iterm2:2.9.20151111
Iterm2 Iterm2 3.0.9 cpe:/a:iterm2:iterm2:3.0.9
Iterm2 Iterm2 3.0.0 cpe:/a:iterm2:iterm2:3.0.0
Iterm2 Iterm2 2.9.20160113 cpe:/a:iterm2:iterm2:2.9.20160113
Iterm2 Iterm2 3.0.7 cpe:/a:iterm2:iterm2:3.0.7
Iterm2 Iterm2 3.0.6 cpe:/a:iterm2:iterm2:3.0.6
Iterm2 Iterm2 3.0.3 cpe:/a:iterm2:iterm2:3.0.3
Iterm2 Iterm2 3.0.14 cpe:/a:iterm2:iterm2:3.0.14
Iterm2 Iterm2 3.0.8 cpe:/a:iterm2:iterm2:3.0.8
Iterm2 Iterm2 3.0.15 cpe:/a:iterm2:iterm2:3.0.15
Iterm2 Iterm2 3.0.5 cpe:/a:iterm2:iterm2:3.0.5
Iterm2 Iterm2 3.0.12 cpe:/a:iterm2:iterm2:3.0.12
Iterm2 Iterm2 3.0.2 cpe:/a:iterm2:iterm2:3.0.2
Iterm2 Iterm2 3.0.13 cpe:/a:iterm2:iterm2:3.0.13
Iterm2 Iterm2 2.9.20160313 cpe:/a:iterm2:iterm2:2.9.20160313
Iterm2 Iterm2 3.0.10 cpe:/a:iterm2:iterm2:3.0.10
Iterm2 Iterm2 2.9.20160510 cpe:/a:iterm2:iterm2:2.9.20160510
Iterm2 Iterm2 3.0.4 cpe:/a:iterm2:iterm2:3.0.4
Iterm2 Iterm2 3.0.11 cpe:/a:iterm2:iterm2:3.0.11
Iterm2 Iterm2 3.1.0 cpe:/a:iterm2:iterm2:3.1.0
Iterm2 Iterm2 3.0.0 cpe:/a:iterm2:iterm2:3.0.0:preview
Iterm2 Iterm2 3.1.0 cpe:/a:iterm2:iterm2:3.1.0:beta
Iterm2 Iterm2 3.1.0 cpe:/a:iterm2:iterm2:3.1.0:beta8
Iterm2 Iterm2 2.9.20151229 cpe:/a:iterm2:iterm2:2.9.20151229
Iterm2 Iterm2 3.0.1 cpe:/a:iterm2:iterm2:3.0.1:preview
Iterm2 Iterm2 3.1.0 cpe:/a:iterm2:iterm2:3.1.0:beta10

CWE

ID Name Description Links
CWE-200 Information Exposure An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information. CVE

History of changes

Date Event
2017-10-05 18:30
2017-09-20 20:29 New CVE