CVE-2011-0199

Description

The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle attackers to spoof an SSL server via a revoked certificate.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected products

Apple / mac_os_x10.6.0 – 10.6.8
Apple / mac_os_x_server10.6.0 – 10.6.8

References

VENDOR_ADVISORYhttp://support.apple.com/kb/HT4723
MAILING_LISThttp://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html
MISChttp://www.securityfocus.com/bid/48447