VYPR
Unrated severity · NVD Advisory · Published Sep 18, 2014 · Updated May 6, 2026

CVE-2014-4383

Description

The Assets subsystem in Apple iOS before 8 and Apple TV before 7 allows man-in-the-middle attackers to spoof a device's update status via a crafted Last-Modified HTTP response header.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A man-in-the-middle attacker can spoof the update status of devices running iOS before 8 or Apple TV before 7 by sending a crafted Last-Modified HTTP response header.

Vulnerability

The Assets subsystem in Apple iOS before version 8 and Apple TV before version 7 lets a man-in-the-middle attacker spoof a device's update status [1][2]. The attacker does this by sending a crafted Last-Modified HTTP response header during the update-check process.

Exploitation

An attacker must be in a position to intercept and modify HTTP traffic between the device and Apple's update servers (i.e., man-in-the-middle). No authentication or user interaction is required beyond the device performing a normal update check. By crafting the Last-Modified header in the HTTP response, the attacker can deceive the device about the availability or freshness of updates.

Impact

Successful exploitation allows the attacker to spoof the device's update status. The attacker can make the device believe an update is either unavailable or already current, potentially preventing the installation of security patches. This compromises the integrity of the update process and can leave the device in an outdated, vulnerable state.

Mitigation

Apple fixed this issue in iOS 8 and Apple TV 7. Users should upgrade their devices to these versions or later. No workarounds are documented in the available references [1][2].
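
For developers of update clients, a header check of the kind this bug class calls for, as an added example that is not Apple's code and not taken from the cited references. It assumes the client caches the Last-Modified value and replays it as If-Modified-Since (the advisory does not say how the header is used); `validator_to_store`, `conditional_headers`, `MAX_SKEW` and the sample headers are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(minutes=5)  # assumed tolerance for local clock drift


def _parse_http_date(value):
    """Return an aware UTC datetime, or None if value is not an HTTP-date."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):  # exception type differs by Python version
        return None
    if dt.tzinfo is None:  # "-0000" parses as naive; HTTP-dates are GMT
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def validator_to_store(headers, now):
    """Return the Last-Modified string that is safe to cache, else None.

    None means: keep no validator, so the next check is unconditional.
    """
    last_mod = _parse_http_date(headers.get("Last-Modified"))
    if last_mod is None:
        return None
    # RFC 7232 section 2.2.1: Last-Modified must not be later than the
    # time the message was originated, so a later value is never valid.
    if last_mod > now + MAX_SKEW:
        return None
    date = _parse_http_date(headers.get("Date"))
    if date is not None and last_mod > date:
        return None
    return headers["Last-Modified"]


def conditional_headers(stored):
    """Request headers for the next update check."""
    return {"If-Modified-Since": stored} if stored else {}


# Constructed sample responses (not captured traffic).
NOW = datetime(2014, 9, 1, 12, 0, tzinfo=timezone.utc)
GENUINE = {"Date": "Mon, 01 Sep 2014 12:00:00 GMT",
           "Last-Modified": "Fri, 29 Aug 2014 08:00:00 GMT"}
IMPLAUSIBLE = {"Date": "Mon, 01 Sep 2014 12:00:00 GMT",
               "Last-Modified": "Tue, 01 Jan 2030 00:00:00 GMT"}
```

Header validation only limits what a tampered response can plant in the client's cache; it does not authenticate the response itself.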

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

19
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (+ 9 more)
    • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (range: <=7.1.2)
    • cpe:2.3:o:apple:iphone_os:7.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.1.1:*:*:*:*:*:*:*
  • Apple Inc./tvOS (7 versions)
    cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* (+ 6 more)
    • cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* (range: <=6.2)
    • cpe:2.3:o:apple:tvos:6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.1.2:*:*:*:*:*:*:*
  • Apple Inc./iOS (llm-fuzzy)
    Range: <8
  • Range: <7


References

8
