search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Apple Macintosh OS X fails to properly mount WebDAV filesystems

Vulnerability Note VU#474969

Original Release Date: 2007-04-20 | Last Revised: 2007-04-20


A vulnerability in the way that Apple Macintosh OS X mounts WebDAV filesystems could allow a local attacker to execute commands with elevated privileges.


Web-based Distributed Authoring and Versioning (WebDAV) is a set of extensions to the HTTP protocol which allows collaborative editing and management of web resources on remote servers. Apple Macintosh OS X contains a vulnerability that could be exploited when it attempts to mount WebDAV filesystems that may allow a local attacker to execute commands with elevated privileges. According to Apple Security Update 2007-004:

When mounting a WebDAV filesystem, the load_webdav program may be launched without properly cleaning the environment. This may allow a local user to create files or execute commands with system privileges. This update addresses the issue by cleaning the environment prior to executing commands.


A local attacker may be able to execute commands with elevated privileges.


Apply Updates from Apple

Apple has addressed this vulnerability with the updates included in Apple Security Update 2007-004.

Vendor Information


Apple Computer, Inc. Affected

Updated:  April 20, 2007



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Refer to Apple Security Update 2007-004.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This vulnerability was reported in Apple Security Update 2007-004.

This document was written by Chris Taschner.

Other Information

CVE IDs: CVE-2007-0747
Severity Metric: 3.65
Date Public: 2007-04-19
Date First Published: 2007-04-20
Date Last Updated: 2007-04-20 16:17 UTC
Document Revision: 19

Sponsored by CISA.