CVE-2015-9231
Summary
| CVE | CVE-2015-9231 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-09-20 20:29:00 UTC |
| Updated | 2017-10-05 17:54:00 UTC |
| Description | iTerm2 3.x before 3.1.1 allows remote attackers to discover passwords by reading DNS queries. A new (default) feature was added to iTerm2 version 3.0.0 (and unreleased 2.9.x versions such as 2.9.20150717) that resulted in a potential information disclosure. In an attempt to see whether the text under the cursor (or selected text) was a URL, the text would be sent as an unencrypted DNS query. This has the potential to result in passwords and other sensitive information being sent in cleartext without the user being aware. |
Risk And Classification
Problem Types: CWE-200
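The description above is the whole bug: deciding "is this text a URL?" by handing the text to the resolver turns every hovered or selected string into a cleartext DNS query. The following is an added example, not iTerm2's code, that models that pattern with an injected resolver (so it runs offline and records what would have left the host), places a purely syntactic check beside it, and includes a small detector of the kind you would run over a resolver log to spot a client that resolves arbitrary text. The sample hover strings, the `KNOWN_TLDS` allowlist and the token-shaped values are constructed for the example.

```python
"""CVE-2015-9231 leak pattern, a hardened replacement, and a log-side detector.

Added example, not iTerm2's code. The affected feature sent the text under the
cursor (or the selection) as a DNS query to decide whether it was a URL.
"""
import re
from typing import Callable, Dict, List

# Constructed sample of strings that can sit under a terminal cursor.
SAMPLE_HOVER_TEXT = [
    "https://example.com/login",
    "example.org",
    "hunter2",                                   # a password typed at a prompt
    "AKIAIOSFODNN7EXAMPLE",                      # the AWS documentation's example key id
    "ghp_16C7e42F292c6912E7710c838347Ae178B4a",  # GitHub-style token (constructed)
    "ls -la",
]

# RFC 1035-style label: 1-63 chars of [a-z0-9-], no leading/trailing hyphen.
HOST_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.I)
# Assumption for the example: a tiny TLD allowlist stands in for a real one.
KNOWN_TLDS = {"com", "org", "net", "io", "dev"}


class RecordingResolver:
    """Stand-in for the system resolver: records every name it would query."""

    def __init__(self) -> None:
        self.queries: List[str] = []

    def __call__(self, name: str) -> bool:
        self.queries.append(name)
        return False  # offline; the answer does not matter for the leak


def looks_like_url_via_dns(text: str, resolve: Callable[[str], bool]) -> bool:
    """Vulnerable pattern: ask the network whether the text is a hostname.

    Strips an optional scheme and path, then resolves whatever is left, so a
    password or token under the cursor becomes a cleartext DNS query (CWE-200).
    """
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", text, flags=re.I).split("/")[0]
    return resolve(host)


def looks_like_url_offline(text: str) -> bool:
    """Hardened pattern: purely syntactic, no network side effects.

    Accepts an explicit http(s) scheme with a non-empty host, or a bare
    dotted name whose labels are well-formed and whose last label is a known TLD.
    """
    m = re.match(r"^https?://([^/?#]+)", text, re.I)
    if m:
        return bool(m.group(1))
    labels = text.split(".")
    if len(labels) < 2 or not all(HOST_LABEL.match(l) for l in labels):
        return False
    return labels[-1].lower() in KNOWN_TLDS


def leaked_queries(texts: List[str]) -> List[str]:
    """Replay the vulnerable check over the sample and return what it would query."""
    resolver = RecordingResolver()
    for t in texts:
        looks_like_url_via_dns(t, resolver)
    return resolver.queries


def classify_offline(texts: List[str]) -> Dict[str, bool]:
    """Run the hardened check over the sample; it never touches a resolver."""
    return {t: looks_like_url_offline(t) for t in texts}


def suspicious_queries(queries: List[str]) -> List[str]:
    """Detector for a resolver log: flag query names that are not hostname-shaped.

    A burst of single-label or oddly-charactered names from one client is the
    signature of software resolving arbitrary text rather than real hosts.
    """
    return [
        q for q in queries
        if "." not in q or not all(HOST_LABEL.match(l) for l in q.split("."))
    ]


if __name__ == "__main__":
    leaked = leaked_queries(SAMPLE_HOVER_TEXT)
    print("vulnerable check would query:", leaked)
    print("of which not hostname-shaped:", suspicious_queries(leaked))
    print("hardened check results:", classify_offline(SAMPLE_HOVER_TEXT))
```

The hardened check is the shape of the fix this CVE calls for: the decision is made from the text alone, and the only way to be sure a feature cannot leak is for it to have no resolver to call. The detector is the check a defender can run today over DNS query logs from workstations.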
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Iterm2 | Iterm2 | 2.9.20151111 | All | All | All |
| Application | Iterm2 | Iterm2 | 2.9.20151229 | All | All | All |
| Application | Iterm2 | Iterm2 | 2.9.20160102 | All | All | All |
| Application | Iterm2 | Iterm2 | 2.9.20160113 | All | All | All |
| Application | Iterm2 | Iterm2 | 2.9.20160206 | All | All | All |
| Application | Iterm2 | Iterm2 | 2.9.20160313 | All | All | All |
| Application | Iterm2 | Iterm2 | 2.9.20160422 | All | All | All |
| Application | Iterm2 | Iterm2 | 2.9.20160426 | All | All | All |
| Application | Iterm2 | Iterm2 | 2.9.20160510 | All | All | All |
| Application | Iterm2 | Iterm2 | 2.9.20160523 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.0 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.0 | preview | All | All |
| Application | Iterm2 | Iterm2 | 3.0.1 | preview | All | All |
| Application | Iterm2 | Iterm2 | 3.0.10 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.11 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.12 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.13 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.14 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.15 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.2 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.20160531 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.3 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.4 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.5 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.6 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.7 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.8 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.0.9 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.1.0 | All | All | All |
| Application | Iterm2 | Iterm2 | 3.1.0 | beta | All | All |
| Application | Iterm2 | Iterm2 | 3.1.0 | beta1 | All | All |
| Application | Iterm2 | Iterm2 | 3.1.0 | beta10 | All | All |
| Application | Iterm2 | Iterm2 | 3.1.0 | beta2 | All | All |
| Application | Iterm2 | Iterm2 | 3.1.0 | beta3 | All | All |
| Application | Iterm2 | Iterm2 | 3.1.0 | beta4 | All | All |
| Application | Iterm2 | Iterm2 | 3.1.0 | beta5 | All | All |
| Application | Iterm2 | Iterm2 | 3.1.0 | beta6 | All | All |
| Application | Iterm2 | Iterm2 | 3.1.0 | beta7 | All | All |
| Application | Iterm2 | Iterm2 | 3.1.0 | beta8 | All | All |
| Application | Iterm2 | Iterm2 | 3.1.0 | beta9 | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| undesirable domain lookup behavior (#5303) · Issues · George Nachman / iterm2 · GitLab | MISC | gitlab.com | Issue Tracking, Third Party Advisory |
| Dnslookupissue · Wiki · George Nachman / iterm2 · GitLab | MISC | gitlab.com | Third Party Advisory |
| Fist swipe at removing DNS code · gnachman/iTerm2@33ccaf6 · GitHub | MISC | github.com | Third Party Advisory |
| Post-mortem for DNS lookups issue (#6068) · Issues · George Nachman / iterm2 · GitLab | MISC | gitlab.com | Issue Tracking, Third Party Advisory |
| Smart selection is issuing dns requests (#3688) · Issues · George Nachman / iterm2 · GitLab | MISC | gitlab.com | Issue Tracking, Third Party Advisory |
| iTerm2: Please disable 'Perform DNS lookups to check if URLs are valid' | Hacker News | MISC | news.ycombinator.com | Issue Tracking, Third Party Advisory |
| Disable DNS lookups on hover by default. Issue 6050 · gnachman/iTerm2@e4eb106 · GitHub | MISC | github.com | Issue Tracking, Third Party Advisory |
| Please disable 'Perform DNS lookups to check if URLs are valid?' by default (#6050) · Issues · George Nachman / iterm2 · GitLab | MISC | gitlab.com | Exploit, Issue Tracking, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.