CVE-2017-13872
Severity CVSS v4.0:
Pending analysis
Type:
CWE-287
Authentication Issues
Publication date:
29/11/2017
Last modified:
20/04/2025
Description
An issue was discovered in certain Apple products. macOS High Sierra before Security Update 2017-001 is affected. The issue involves the "Directory Utility" component. It allows attackers to obtain administrator access without a password via certain interactions involving entry of the root user name.
Impact
Base Score 3.x
8.10
Severity 3.x
HIGH
Base Score 2.0
9.30
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:apple:mac_os_x:10.13.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:apple:mac_os_x:10.13.1:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://www.securityfocus.com/bid/101981
- http://www.securitytracker.com/id/1039875
- https://arstechnica.com/information-technology/2017/11/macos-bug-lets-you-log-in-as-admin-with-no-password-required/
- https://github.com/rapid7/metasploit-framework/pull/9302
- https://objective-see.com/blog/blog_0x24.html
- https://support.apple.com/HT208315
- https://support.apple.com/HT208331
- https://www.exploit-db.com/exploits/43201/
- https://www.exploit-db.com/exploits/43248/
- https://www.wired.com/story/macos-update-undoes-apple-root-bug-patch/
- http://www.securityfocus.com/bid/101981
- http://www.securitytracker.com/id/1039875
- https://arstechnica.com/information-technology/2017/11/macos-bug-lets-you-log-in-as-admin-with-no-password-required/
- https://github.com/rapid7/metasploit-framework/pull/9302
- https://objective-see.com/blog/blog_0x24.html
- https://support.apple.com/HT208315
- https://support.apple.com/HT208331
- https://www.exploit-db.com/exploits/43201/
- https://www.exploit-db.com/exploits/43248/
- https://www.wired.com/story/macos-update-undoes-apple-root-bug-patch/