var-202002-1190
Vulnerability from variot

An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3, watchOS 6.1.2. A remote attacker may be able to cause unexpected application termination or arbitrary code execution. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple Messages. User interaction is required to exploit this vulnerability in that the target must open the Messages application. The specific flaw exists within the HandwritingProvider module in the Messages application. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Both Apple watchOS and Apple macOS Catalina are products of Apple Inc. in the United States. Apple macOS Catalina is a dedicated operating system developed for Mac computers. A buffer error vulnerability exists in the AnnotationKit component in Apple watchOS versions prior to 6.1.2 and macOS Catalina versions prior to 10.15.3.
CVE-2020-3877: an anonymous researcher working with Trend Micro's Zero Day Initiative

Audio
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2020-3857: Zhuo Liang of Qihoo 360 Vulcan Team

ImageIO
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2020-3870
CVE-2020-3878: Samuel Groß of Google Project Zero

IOAcceleratorFamily
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2020-3837: Brandon Azad of Google Project Zero

Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2020-3875: Brandon Azad of Google Project Zero

Kernel
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to determine kernel memory layout
Description: An access issue was addressed with improved memory management.
CVE-2020-3836: Brandon Azad of Google Project Zero

Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2020-3872: Haakon Garseg Mørk of Cognite and Cim Stordal of Cognite

Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2020-3842: Ned Williamson working with Google Project Zero

Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved state management.
CVE-2020-3834: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc, Luyi Xing of Indiana University Bloomington

Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2020-3860: Proteas of Qihoo 360 Nirvan Team

Kernel
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A type confusion issue was addressed with improved memory handling.
CVE-2020-3853: Brandon Azad of Google Project Zero

libxpc
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted string may lead to heap corruption
Description: A memory corruption issue was addressed with improved input validation.
CVE-2020-3856: Ian Beer of Google Project Zero

libxpc
Available for: Apple Watch Series 1 and later
Impact: An application may be able to gain elevated privileges
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2020-3829: Ian Beer of Google Project Zero

wifivelocityd
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: The issue was addressed with improved permissions logic.
CVE-2020-3838: Dayton Pidhirney (@_watbulb)

Additional recognition

IOSurface
We would like to acknowledge Liang Chen (@chenliang0817) for their assistance.

Installation note:

Instructions on how to update your Apple Watch software are available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202002-1190",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "mac os x",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "apple",
        "version": "10.15.3"
      },
      {
        "model": "watchos",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "apple",
        "version": "6.1.2"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "10.15.2"
      },
      {
        "model": "watchos",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "6.1.2"
      },
      {
        "model": "message",
        "scope": null,
        "trust": 0.7,
        "vendor": "apple",
        "version": null
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "10.10.1"
      },
      {
        "model": "watchos",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "2.2"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "10.9.2"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "10.10.0"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "10.9.3"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "10.9.1"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "10.9.4"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "10.9.5"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "10.9"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "10.10.2"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-216"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-002297"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-1441"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-3877"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:apple:mac_os_x",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:apple:watchos",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-002297"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Anonymous",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-216"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2020-3877",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2020-3877",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.0,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 5.0,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-002297",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "VHN-182002",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "CVE-2020-3877",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-002297",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "ZDI",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "CVE-2020-3877",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 0.7,
            "userInteraction": "NONE",
            "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2020-3877",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-002297",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "ZDI",
            "id": "CVE-2020-3877",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202001-1441",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-182002",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-216"
      },
      {
        "db": "VULHUB",
        "id": "VHN-182002"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-002297"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-1441"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-3877"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3, watchOS 6.1.2. A remote attacker may be able to cause unexpected application termination or arbitrary code execution. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple Messages. User interaction is required to exploit this vulnerability in that the target must open the Messages application.The specific flaw exists within the HandwritingProvider module in the Messages application. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Both Apple watchOS and Apple macOS Catalina are products of Apple Inc. in the United States. Apple macOS Catalina is a dedicated operating system developed for Mac computers. A buffer error vulnerability exists in the AnnotationKit component in Apple watchOS versions prior to 6.1.2 and macOS Catalina versions prior to 10.15.3. \nCVE-2020-3877: an anonymous researcher working with Trend Micro\u0027s\nZero Day Initiative\n\nAudio\nAvailable for: Apple Watch Series 1 and later\nImpact: An application may be able to execute arbitrary code with\nsystem privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2020-3857: Zhuo Liang of Qihoo 360 Vulcan Team\n\nImageIO\nAvailable for: Apple Watch Series 1 and later\nImpact: Processing a maliciously crafted image may lead to arbitrary\ncode execution\nDescription: An out-of-bounds read was addressed with improved input\nvalidation. 
\nCVE-2020-3870\nCVE-2020-3878: Samuel Gro\u00df of Google Project Zero\n\nIOAcceleratorFamily\nAvailable for: Apple Watch Series 1 and later\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2020-3837: Brandon Azad of Google Project Zero\n\nKernel\nAvailable for: Apple Watch Series 1 and later\nImpact: An application may be able to read restricted memory\nDescription: A validation issue was addressed with improved input\nsanitization. \nCVE-2020-3875: Brandon Azad of Google Project Zero\n\nKernel\nAvailable for: Apple Watch Series 1 and later\nImpact: A malicious application may be able to determine kernel\nmemory layout\nDescription: An access issue was addressed with improved memory\nmanagement. \nCVE-2020-3836: Brandon Azad of Google Project Zero\n\nKernel\nAvailable for: Apple Watch Series 1 and later\nImpact: An application may be able to read restricted memory\nDescription: A memory initialization issue was addressed with\nimproved memory handling. \nCVE-2020-3872: Haakon Garseg M\u00f8rk of Cognite and Cim Stordal of\nCognite\n\nKernel\nAvailable for: Apple Watch Series 1 and later\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2020-3842: Ned Williamson working with Google Project Zero\n\nKernel\nAvailable for: Apple Watch Series 1 and later\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nstate management. 
\nCVE-2020-3834: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc,\nLuyi Xing of Indiana University Bloomington\n\nKernel\nAvailable for: Apple Watch Series 1 and later\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2020-3860: Proteas of Qihoo 360 Nirvan Team\n\nKernel\nAvailable for: Apple Watch Series 1 and later\nImpact: A malicious application may be able to execute arbitrary code\nwith system privileges\nDescription: A type confusion issue was addressed with improved\nmemory handling. \nCVE-2020-3853: Brandon Azad of Google Project Zero\n\nlibxpc\nAvailable for: Apple Watch Series 1 and later\nImpact: Processing a maliciously crafted string may lead to heap\ncorruption\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2020-3856: Ian Beer of Google Project Zero\n\nlibxpc\nAvailable for: Apple Watch Series 1 and later\nImpact: An application may be able to gain elevated privileges\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2020-3829: Ian Beer of Google Project Zero\n\nwifivelocityd\nAvailable for: Apple Watch Series 1 and later\nImpact: An application may be able to execute arbitrary code with\nsystem privileges\nDescription: The issue was addressed with improved permissions logic. \nCVE-2020-3838: Dayton Pidhirney (@_watbulb)\n\nAdditional recognition\n\nIOSurface\nWe would like to acknowledge Liang Chen (@chenliang0817) for their\nassistance. \n\nInstallation note:\n\nInstructions on how to update your Apple Watch software are\navailable at https://support.apple.com/kb/HT204641\n\nTo check the version on your Apple Watch, open the Apple Watch app\non your iPhone and select \"My Watch \u003e General \u003e About\". \n\nAlternatively, on your watch, select \"My Watch \u003e General \u003e About\". 
\n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-3877"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-002297"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-216"
      },
      {
        "db": "VULHUB",
        "id": "VHN-182002"
      },
      {
        "db": "PACKETSTORM",
        "id": "156129"
      }
    ],
    "trust": 2.43
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-3877",
        "trust": 3.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-216",
        "trust": 1.3
      },
      {
        "db": "JVN",
        "id": "JVNVU95678717",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-002297",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-9383",
        "trust": 0.7
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-1441",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "156129",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.0354",
        "trust": 0.6
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-04830",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-182002",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-216"
      },
      {
        "db": "VULHUB",
        "id": "VHN-182002"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-002297"
      },
      {
        "db": "PACKETSTORM",
        "id": "156129"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-1441"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-3877"
      }
    ]
  },
  "id": "VAR-202002-1190",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-182002"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-23T21:05:20.111000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "HT210919",
        "trust": 1.5,
        "url": "https://support.apple.com/en-us/HT210919"
      },
      {
        "title": "HT210921",
        "trust": 0.8,
        "url": "https://support.apple.com/en-us/HT210921"
      },
      {
        "title": "HT210921",
        "trust": 0.8,
        "url": "https://support.apple.com/ja-jp/HT210921"
      },
      {
        "title": "HT210919",
        "trust": 0.8,
        "url": "https://support.apple.com/ja-jp/HT210919"
      },
      {
        "title": "Apple watchOS  and macOS Catalina AnnotationKit Fix for component buffer error vulnerability",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=109534"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-216"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-002297"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-1441"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-125",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-182002"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-002297"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-3877"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "https://support.apple.com/ht210919"
      },
      {
        "trust": 1.7,
        "url": "https://support.apple.com/ht210921"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3877"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3877"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu95678717/"
      },
      {
        "trust": 0.7,
        "url": "https://support.apple.com/en-us/ht210919"
      },
      {
        "trust": 0.6,
        "url": "https://support.apple.com/en-us/ht210921"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.0354/"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/apple-macos-multiple-vulnerabilities-31449"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/156129/apple-security-advisory-2020-1-28-3.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-216/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3842"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3837"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3853"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3875"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3857"
      },
      {
        "trust": 0.1,
        "url": "https://support.apple.com/kb/ht204641"
      },
      {
        "trust": 0.1,
        "url": "https://support.apple.com/kb/ht201222"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3870"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3838"
      },
      {
        "trust": 0.1,
        "url": "https://www.apple.com/support/security/pgp/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3878"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3834"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3836"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3856"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3872"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3860"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-3829"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-216"
      },
      {
        "db": "VULHUB",
        "id": "VHN-182002"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-002297"
      },
      {
        "db": "PACKETSTORM",
        "id": "156129"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-1441"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-3877"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "ZDI",
        "id": "ZDI-20-216"
      },
      {
        "db": "VULHUB",
        "id": "VHN-182002"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-002297"
      },
      {
        "db": "PACKETSTORM",
        "id": "156129"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-1441"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-3877"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-02-11T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-216"
      },
      {
        "date": "2020-02-27T00:00:00",
        "db": "VULHUB",
        "id": "VHN-182002"
      },
      {
        "date": "2020-03-11T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-002297"
      },
      {
        "date": "2020-01-29T17:17:18",
        "db": "PACKETSTORM",
        "id": "156129"
      },
      {
        "date": "2020-01-31T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202001-1441"
      },
      {
        "date": "2020-02-27T21:15:18.787000",
        "db": "NVD",
        "id": "CVE-2020-3877"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-02-11T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-216"
      },
      {
        "date": "2020-03-02T00:00:00",
        "db": "VULHUB",
        "id": "VHN-182002"
      },
      {
        "date": "2020-03-11T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-002297"
      },
      {
        "date": "2020-03-09T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202001-1441"
      },
      {
        "date": "2024-11-21T05:31:52.947000",
        "db": "NVD",
        "id": "CVE-2020-3877"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-1441"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "macOS Catalina and  watchOS Out-of-bounds read vulnerability in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-002297"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "buffer error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-1441"
      }
    ],
    "trust": 0.6
  }
}







Sightings


Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

