CVE-2014-1296

Name of the Vulnerable Software and Affected Versions CFNetwork in Apple iOS versions prior to 7.1.1 CFNetwork in Apple OS X versions prior to 10.9.2 CFNetwork in Apple TV versions prior to 6.1.1

Description The issue allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a Set-Cookie HTTP header. This is because the CFNetwork does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value. An example of such bypassed restriction is the HTTPOnly restriction.

Recommendations For Apple iOS versions prior to 7.1.1, update to version 7.1.1 or later to resolve the issue. For Apple OS X versions prior to 10.9.2, update to version 10.9.2 or later to resolve the issue. For Apple TV versions prior to 6.1.1, update to version 6.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive resources that rely on the Set-Cookie HTTP header for access control until a patch is applied.