CVE-2004-2687
CVE-2004-2687 is a critical-severity vulnerability in Apple Xcode with a CVSS 2.0 base score of 9.3. Its EPSS exploit-prediction score of 81% places it in the 100th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-16.
Key facts
- Severity: Critical (CVSS 2.0 base score 9.3)
- EPSS exploit prediction: 81% (100th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-16
- Affected product: Apple Xcode
- Published:
- Last modified:
Description
distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
Frequently asked questions
- What is CVE-2004-2687?
- distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
- How severe is CVE-2004-2687?
- CVE-2004-2687 has a CVSS 2.0 base score of 9.3, rated critical severity.
- Is CVE-2004-2687 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 81% (100th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2004-2687?
- CVE-2004-2687 primarily affects Apple Xcode. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2004-2687?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2004-2687 published?
- CVE-2004-2687 was published on 2004-12-31 and last updated on 2026-06-16.
References
- http://archives.neohapsis.com/archives/bugtraq/2005-03/0183.html
- http://distcc.samba.org/security.html
- http://lists.samba.org/archive/distcc/2004q3/002550.html
- http://lists.samba.org/archive/distcc/2004q3/002562.html
- http://www.metasploit.org/projects/Framework/exploits.html#distcc_exec
- http://www.osvdb.org/13378
Affected products (2)
- cpe:2.3:a:apple:xcode:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
More vulnerabilities in Apple Xcode
- CVE-2021-44228 — Critical (CVSS 10.0): Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in…
- CVE-2014-9390 — Critical (CVSS 9.8): Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and…
- CVE-2019-14379 — Critical (CVSS 9.8): SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used…
- CVE-2018-4164 — Critical (CVSS 9.8): An issue was discovered in certain Apple products. Xcode before 9.3 is affected. The issue, which is unspecified,…
- CVE-2016-0746 — Critical (CVSS 9.8): Use-after-free vulnerability in the resolver in nginx 0.6.18 through 1.8.0 and 1.9.x before 1.9.10 allows remote…
- CVE-2025-43505 — High (CVSS 8.8): An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in Xcode 26.1.…
All CVEs affecting Apple Xcode →
Other CWE-16 vulnerabilities
- CVE-2013-4316 — Critical (CVSS 10.0): Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack…
- CVE-2013-1221 — Critical (CVSS 10.0): The Tomcat Web Management feature in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not…
- CVE-2011-4501 — Critical (CVSS 10.0): The UPnP IGD implementation in Edimax EdiLinux on the Edimax BR-6104K with firmware before 3.25, Edimax 6114Wg,…
- CVE-2010-4586 — Critical (CVSS 10.0): The default configuration of Opera before 11.00 enables WebSockets functionality, which has unspecified impact and…
- CVE-2010-2977 — Critical (CVSS 10.0): Cisco Unified Wireless Network (UWN) Solution 7.x before 7.0.98.0 does not properly implement TLS and SSL, which has…
- CVE-2010-2276 — Critical (CVSS 10.0): The default configuration of the build process in Dojo 0.4.x before 0.4.4, 1.0.x before 1.0.3, 1.1.x before 1.1.2,…