cnvd - cnvd-2025-02580

cnvd-2025-02580

Vulnerability from cnvd

Title: Apple多款产品权限问题漏洞

Description:

macOS是一套由苹果开发的运行于Macintosh系列电脑上的操作系统。‌iPhone OS是苹果公司为iPhone和iPod touch开发的操作系统‌。watchOS是苹果公司基于iOS系统开发的一套使用于Apple Watch的手表操作系统。iPadOS‌是苹果公司为iPad设备开发的移动端操作系统，它是基于iOS开发的，专门针对iPad进行优化。

Apple macOS、iPhone OS、watchOS及iPadOS‌存在权限问题漏洞，该漏洞源于应用程序可能访问敏感的用户数据。攻击者可利用该漏洞获取敏感信息。

Severity: 低

Patch Name: Apple多款产品权限问题漏洞的补丁

Patch Description:

Apple macOS、iPhone OS、watchOS及iPadOS‌存在权限问题漏洞，该漏洞源于应用程序可能访问敏感的用户数据。攻击者可利用该漏洞获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布补丁修复漏洞，请广大用户及时下载更新： https://support.apple.com/en-us/HT213988

Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-42878

Impacted products

Name
['Apple MacOS 14.0', 'Apple iPhone OS <17.1', 'Apple watchOS <10.1', 'Apple Ipad Os <17.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-42878",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-42878"
    }
  },
  "description": "macOS\u662f\u4e00\u5957\u7531\u82f9\u679c\u5f00\u53d1\u7684\u8fd0\u884c\u4e8eMacintosh\u7cfb\u5217\u7535\u8111\u4e0a\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\u200ciPhone OS\u662f\u82f9\u679c\u516c\u53f8\u4e3aiPhone\u548ciPod touch\u5f00\u53d1\u7684\u64cd\u4f5c\u7cfb\u7edf\u200c\u3002watchOS\u662f\u82f9\u679c\u516c\u53f8\u57fa\u4e8eiOS\u7cfb\u7edf\u5f00\u53d1\u7684\u4e00\u5957\u4f7f\u7528\u4e8eApple Watch\u7684\u624b\u8868\u64cd\u4f5c\u7cfb\u7edf\u3002iPadOS\u200c\u662f\u82f9\u679c\u516c\u53f8\u4e3aiPad\u8bbe\u5907\u5f00\u53d1\u7684\u79fb\u52a8\u7aef\u64cd\u4f5c\u7cfb\u7edf\uff0c\u5b83\u662f\u57fa\u4e8eiOS\u5f00\u53d1\u7684\uff0c\u4e13\u95e8\u9488\u5bf9iPad\u8fdb\u884c\u4f18\u5316\u3002\n\nApple macOS\u3001iPhone OS\u3001watchOS\u53caiPadOS\u200c\u5b58\u5728\u6743\u9650\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7a0b\u5e8f\u53ef\u80fd\u8bbf\u95ee\u654f\u611f\u7684\u7528\u6237\u6570\u636e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u8865\u4e01\u4fee\u590d\u6f0f\u6d1e\uff0c\u8bf7\u5e7f\u5927\u7528\u6237\u53ca\u65f6\u4e0b\u8f7d\u66f4\u65b0\uff1a\r\nhttps://support.apple.com/en-us/HT213988",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-02580",
  "openTime": "2025-02-06",
  "patchDescription": "macOS\u662f\u4e00\u5957\u7531\u82f9\u679c\u5f00\u53d1\u7684\u8fd0\u884c\u4e8eMacintosh\u7cfb\u5217\u7535\u8111\u4e0a\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\u200ciPhone OS\u662f\u82f9\u679c\u516c\u53f8\u4e3aiPhone\u548ciPod touch\u5f00\u53d1\u7684\u64cd\u4f5c\u7cfb\u7edf\u200c\u3002watchOS\u662f\u82f9\u679c\u516c\u53f8\u57fa\u4e8eiOS\u7cfb\u7edf\u5f00\u53d1\u7684\u4e00\u5957\u4f7f\u7528\u4e8eApple Watch\u7684\u624b\u8868\u64cd\u4f5c\u7cfb\u7edf\u3002iPadOS\u200c\u662f\u82f9\u679c\u516c\u53f8\u4e3aiPad\u8bbe\u5907\u5f00\u53d1\u7684\u79fb\u52a8\u7aef\u64cd\u4f5c\u7cfb\u7edf\uff0c\u5b83\u662f\u57fa\u4e8eiOS\u5f00\u53d1\u7684\uff0c\u4e13\u95e8\u9488\u5bf9iPad\u8fdb\u884c\u4f18\u5316\u3002\r\n\r\nApple macOS\u3001iPhone OS\u3001watchOS\u53caiPadOS\u200c\u5b58\u5728\u6743\u9650\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7a0b\u5e8f\u53ef\u80fd\u8bbf\u95ee\u654f\u611f\u7684\u7528\u6237\u6570\u636e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apple\u591a\u6b3e\u4ea7\u54c1\u6743\u9650\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apple MacOS 14.0",
      "Apple iPhone OS \u003c17.1",
      "Apple watchOS \u003c10.1",
      "Apple Ipad Os \u003c17.1"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-42878",
  "serverity": "\u4f4e",
  "submitTime": "2025-01-13",
  "title": "Apple\u591a\u6b3e\u4ea7\u54c1\u6743\u9650\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2023-42878 (GCVE-0-2023-42878)

Vulnerability from cvelistv5

Published

2024-02-21 06:41

Modified

2024-11-21 15:26

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

An app may be able to access sensitive user data

Summary

A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in watchOS 10.1, macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. An app may be able to access sensitive user data.

References

▼	URL	Tags
	https://support.apple.com/en-us/HT213984
	https://support.apple.com/en-us/HT213988
	https://support.apple.com/en-us/HT213982

Impacted products

Vendor

Product

Version

▼

Apple

macOS

Version: unspecified < 14.1

	Apple	watchOS	Version: unspecified < 10.1
	Apple	iOS and iPadOS	Version: unspecified < 17.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:30:25.078Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/en-us/HT213984"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/en-us/HT213988"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/en-us/HT213982"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-42878",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-14T20:32:16.628017Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-922",
                "description": "CWE-922 Insecure Storage of Sensitive Information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-21T15:26:15.582Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "macOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "14.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "watchOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "10.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "iOS and iPadOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "17.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in watchOS 10.1, macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. An app may be able to access sensitive user data."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "An app may be able to access sensitive user data",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T06:41:46.194Z",
        "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
        "shortName": "apple"
      },
      "references": [
        {
          "url": "https://support.apple.com/en-us/HT213984"
        },
        {
          "url": "https://support.apple.com/en-us/HT213988"
        },
        {
          "url": "https://support.apple.com/en-us/HT213982"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
    "assignerShortName": "apple",
    "cveId": "CVE-2023-42878",
    "datePublished": "2024-02-21T06:41:46.194Z",
    "dateReserved": "2023-09-14T19:05:11.454Z",
    "dateUpdated": "2024-11-21T15:26:15.582Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted