The issue was addressed with improved bounds checks. This issue is fixed in macOS Ventura 13.2, macOS Monterey 12.6.3. An app may be able to execute arbitrary code with kernel privileges.
{"nessus": [{"lastseen": "2023-03-27T03:39:36", "description": "The remote host is running a version of macOS / Mac OS X that is 12.x prior to 12.6.3. It is, therefore, affected by multiple vulnerabilities:\n\n - When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. (CVE-2022-32221)\n\n - A type confusion issue was addressed with improved checks. This issue is fixed in macOS Ventura 13. An app may be able to execute arbitrary code with kernel privileges. (CVE-2022-32915)\n\n - When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses.\n Effectively allowing a sister site to deny service to all siblings. (CVE-2022-35252)\n\n - curl can be told to parse a `.netrc` file for credentials. If that file ends in a line with 4095 consecutive non-white space letters and no newline, curl would first read past the end of the stack-based buffer, and if the read works, write a zero byte beyond its boundary. This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes. If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service. (CVE-2022-35260)\n\n - curl before 7.86.0 has a double free. 
If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. (CVE-2022-42915)\n\n - In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.).\n The earliest affected version is 7.77.0 2021-05-26. 
(CVE-2022-42916)\n\nNote that Nessus has not tested for these issues but has instead relied only on the operating system's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-23T00:00:00", "type": "nessus", "title": "macOS 12.x < 12.6.3 Multiple Vulnerabilities (HT213604)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-32221", "CVE-2022-32915", "CVE-2022-35252", "CVE-2022-35260", "CVE-2022-42915", "CVE-2022-42916", "CVE-2023-23493", "CVE-2023-23497", "CVE-2023-23499", "CVE-2023-23502", "CVE-2023-23504", "CVE-2023-23505", "CVE-2023-23507", "CVE-2023-23508", "CVE-2023-23511", "CVE-2023-23513", "CVE-2023-23517", "CVE-2023-23518"], "modified": "2023-02-16T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_HT213604.NASL", "href": "https://www.tenable.com/plugins/nessus/170432", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(170432);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/16\");\n\n script_cve_id(\n \"CVE-2022-32221\",\n \"CVE-2022-32915\",\n \"CVE-2022-35252\",\n \"CVE-2022-35260\",\n \"CVE-2022-42915\",\n \"CVE-2022-42916\",\n \"CVE-2023-23493\",\n \"CVE-2023-23497\",\n \"CVE-2023-23499\",\n \"CVE-2023-23502\",\n \"CVE-2023-23504\",\n \"CVE-2023-23505\",\n \"CVE-2023-23507\",\n \"CVE-2023-23508\",\n \"CVE-2023-23511\",\n \"CVE-2023-23513\",\n \"CVE-2023-23517\",\n \"CVE-2023-23518\"\n );\n script_xref(name:\"APPLE-SA\", value:\"HT213604\");\n 
script_xref(name:\"IAVA\", value:\"2023-A-0054-S\");\n\n script_name(english:\"macOS 12.x < 12.6.3 Multiple Vulnerabilities (HT213604)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 12.x prior to 12.6.3. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to\n ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle\n previously was used to issue a `PUT` request which used that callback. This flaw may surprise the\n application and cause it to misbehave and either send off the wrong data or use memory after free or\n similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is\n changed from a PUT to a POST. (CVE-2022-32221)\n\n - A type confusion issue was addressed with improved checks. This issue is fixed in macOS Ventura 13. An app\n may be able to execute arbitrary code with kernel privileges. (CVE-2022-32915)\n\n - When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control\n codes that when later are sent back to a HTTPserver might make the server return 400 responses.\n Effectively allowing asister site to deny service to all siblings. (CVE-2022-35252)\n\n - curl can be told to parse a `.netrc` file for credentials. 
If that file endsin a line with 4095\n consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based\n buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a\n segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide\n a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-\n of-service. (CVE-2022-35260)\n\n - curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-\n HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and\n then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often\n only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200\n status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in\n curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap,\n ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. (CVE-2022-42915)\n\n - In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS\n support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step)\n even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL\n uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using\n the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.).\n The earliest affected version is 7.77.0 2021-05-26. 
(CVE-2022-42916)\n\nNote that Nessus has not tested for these issues but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT213604\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 12.6.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-42915\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/01/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/local_checks_enabled\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_apple.inc');\n\nvar app_info = vcf::apple::macos::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '12.6.3', 'min_version' : '12.0', 'fixed_display' : 'macOS Monterey 12.6.3' }\n];\n\nvcf::apple::macos::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-27T11:11:37", "description": "The remote host is running a version of macOS / Mac OS X that is 13.x prior to 13.2. It is, therefore, affected by multiple vulnerabilities:\n\n - When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. (CVE-2022-32221)\n\n - curl can be told to parse a `.netrc` file for credentials. If that file ends in a line with 4095 consecutive non-white space letters and no newline, curl would first read past the end of the stack-based buffer, and if the read works, write a zero byte beyond its boundary. This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes. If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service. (CVE-2022-35260)\n\n - A vulnerability was found in vim and classified as problematic. 
Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324. (CVE-2022-3705)\n\n - curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. (CVE-2022-42915)\n\n - In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.).\n The earliest affected version is 7.77.0 2021-05-26. 
(CVE-2022-42916)\n\nNote that Nessus has not tested for these issues but has instead relied only on the operating system's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-24T00:00:00", "type": "nessus", "title": "macOS 13.x < 13.2 Multiple Vulnerabilities (HT213605)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-32221", "CVE-2022-35260", "CVE-2022-3705", "CVE-2022-42915", "CVE-2022-42916", "CVE-2023-23493", "CVE-2023-23496", "CVE-2023-23497", "CVE-2023-23498", "CVE-2023-23499", "CVE-2023-23500", "CVE-2023-23501", "CVE-2023-23502", "CVE-2023-23503", "CVE-2023-23504", "CVE-2023-23505", "CVE-2023-23506", "CVE-2023-23507", "CVE-2023-23508", "CVE-2023-23510", "CVE-2023-23511", "CVE-2023-23512", "CVE-2023-23513", "CVE-2023-23517", "CVE-2023-23518", "CVE-2023-23519"], "modified": "2023-03-23T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_HT213605.NASL", "href": "https://www.tenable.com/plugins/nessus/170445", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(170445);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\n \"CVE-2022-32221\",\n \"CVE-2022-35260\",\n \"CVE-2022-3705\",\n \"CVE-2022-42915\",\n \"CVE-2022-42916\",\n \"CVE-2023-23493\",\n \"CVE-2023-23496\",\n \"CVE-2023-23497\",\n \"CVE-2023-23498\",\n \"CVE-2023-23499\",\n \"CVE-2023-23500\",\n \"CVE-2023-23501\",\n \"CVE-2023-23502\",\n \"CVE-2023-23503\",\n \"CVE-2023-23504\",\n 
\"CVE-2023-23505\",\n \"CVE-2023-23506\",\n \"CVE-2023-23507\",\n \"CVE-2023-23508\",\n \"CVE-2023-23510\",\n \"CVE-2023-23511\",\n \"CVE-2023-23512\",\n \"CVE-2023-23513\",\n \"CVE-2023-23517\",\n \"CVE-2023-23518\",\n \"CVE-2023-23519\"\n );\n script_xref(name:\"APPLE-SA\", value:\"HT213605\");\n script_xref(name:\"IAVA\", value:\"2023-A-0054-S\");\n script_xref(name:\"IAVB\", value:\"2023-B-0016-S\");\n\n script_name(english:\"macOS 13.x < 13.2 Multiple Vulnerabilities (HT213605)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 13.x prior to 13.2. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to\n ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle\n previously was used to issue a `PUT` request which used that callback. This flaw may surprise the\n application and cause it to misbehave and either send off the wrong data or use memory after free or\n similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is\n changed from a PUT to a POST. (CVE-2022-32221)\n\n - curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095\n consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based\n buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a\n segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide\n a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-\n of-service. 
(CVE-2022-35260)\n\n - A vulnerability was found in vim and classified as problematic. Affected by this issue is the function\n qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use\n after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this\n issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the\n affected component. The identifier of this vulnerability is VDB-212324. (CVE-2022-3705)\n\n - curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-\n HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and\n then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often\n only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200\n status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in\n curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap,\n ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. (CVE-2022-42915)\n\n - In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS\n support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step)\n even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL\n uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using\n the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.).\n The earliest affected version is 7.77.0 2021-05-26. 
(CVE-2022-42916)\n\nNote that Nessus has not tested for these issues but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT213605\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 13.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-42915\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/01/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/local_checks_enabled\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_apple.inc');\n\nvar app_info = vcf::apple::macos::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '13.2.0', 'min_version' : '13.0', 'fixed_display' : 'macOS Ventura 13.2' }\n];\n\nvcf::apple::macos::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "apple": [{"lastseen": "2023-01-23T22:01:35", "description": "# About the security content of macOS Monterey 12.6.3\n\nThis document describes the security content of macOS Monterey 12.6.3.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## macOS Monterey 12.6.3\n\nReleased January 23, 2023\n\n**AppleMobileFileIntegrity**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to access user-sensitive data\n\nDescription: This issue was addressed by enabling hardened runtime.\n\nCVE-2023-23499: Wojciech Regu\u0142a (@_r3ggi) of SecuRing (wojciechregula.blog)\n\n**curl**\n\nAvailable for: macOS Monterey\n\nImpact: Multiple issues in curl\n\nDescription: Multiple issues were addressed by updating to curl version 7.86.0.\n\nCVE-2022-42915\n\nCVE-2022-42916\n\nCVE-2022-32221\n\nCVE-2022-35260\n\n**curl**\n\nAvailable for: macOS Monterey\n\nImpact: Multiple issues in 
curl\n\nDescription: Multiple issues were addressed by updating to curl version 7.85.0.\n\nCVE-2022-35252\n\n**dcerpc**\n\nAvailable for: macOS Monterey\n\nImpact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco Talos\n\n**DiskArbitration**\n\nAvailable for: macOS Monterey\n\nImpact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2023-23493: Oliver Norpoth (@norpoth) of KLIXX GmbH (klixx.com)\n\n**DriverKit**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: A type confusion issue was addressed with improved checks.\n\nCVE-2022-32915: Tommy Muir (@Muirey03)\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved bounds checks.\n\nCVE-2023-23507: an anonymous researcher\n\n**Kernel**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2023-23504: Adam Doup\u00e9 of ASU SEFCOM\n\n**Kernel**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to determine kernel memory layout\n\nDescription: An information disclosure issue was addressed by removing the vulnerable code.\n\nCVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. 
(@starlabs_sg)\n\n**PackageKit**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to gain root privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2023-23497: Mickey Jin (@patch1t)\n\n**Screen Time**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to access information about a user\u2019s contacts\n\nDescription: A privacy issue was addressed with improved private data redaction for log entries.\n\nCVE-2023-23505: Wojciech Regula of SecuRing (wojciechregula.blog)\n\n**Weather**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to bypass Privacy preferences\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an anonymous researcher\n\n**WebKit**\n\nAvailable for: macOS Monterey\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: The issue was addressed with improved memory handling.\n\nWebKit Bugzilla: 248268 \nCVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park (@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung), JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE\n\nWebKit Bugzilla: 248268 \nCVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park (@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung), JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE\n\n**Windows Installer**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to bypass Privacy preferences\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2023-23508: Mickey Jin (@patch1t)\n\n\n\n## Additional recognition\n\n**Kernel**\n\nWe would like to acknowledge Nick Stenning of Replicate for their assistance.\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. 
Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: January 23, 2023\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-23T00:00:00", "type": "apple", "title": "About the security content of macOS Monterey 12.6.3", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-32221", "CVE-2022-32915", "CVE-2022-35252", "CVE-2022-35260", "CVE-2022-42915", "CVE-2022-42916", "CVE-2023-23493", "CVE-2023-23497", "CVE-2023-23499", "CVE-2023-23502", "CVE-2023-23504", "CVE-2023-23505", "CVE-2023-23507", "CVE-2023-23508", "CVE-2023-23511", "CVE-2023-23513", "CVE-2023-23517", "CVE-2023-23518"], "modified": "2023-01-23T00:00:00", "id": "APPLE:ABF94EE807D2F29324D449E6A7A7132A", "href": "https://support.apple.com/kb/HT213604", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-23T22:02:33", "description": "# About the security content of macOS Ventura 13.2\n\nThis document describes the security content of macOS Ventura 13.2.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## macOS Ventura 13.2\n\nReleased January 23, 2023\n\n**AppleMobileFileIntegrity**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to access user-sensitive data\n\nDescription: This issue was addressed by enabling hardened runtime.\n\nCVE-2023-23499: Wojciech Regu\u0142a (@_r3ggi) of SecuRing (wojciechregula.blog)\n\n**Crash Reporter**\n\nAvailable for: macOS Ventura\n\nImpact: A user may be able to read arbitrary files as root\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2023-23520: Cees Elzinga\n\nEntry added February 20, 2023\n\n**curl**\n\nAvailable for: macOS Ventura\n\nImpact: Multiple issues in curl\n\nDescription: Multiple issues were addressed by updating to curl version 7.86.0.\n\nCVE-2022-42915\n\nCVE-2022-42916\n\nCVE-2022-32221\n\nCVE-2022-35260\n\n**dcerpc**\n\nAvailable for: macOS Ventura\n\nImpact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco Talos\n\n**DiskArbitration**\n\nAvailable for: macOS Ventura\n\nImpact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2023-23493: Oliver Norpoth (@norpoth) of KLIXX GmbH (klixx.com)\n\n**Foundation**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges\n\nDescription: The issue was addressed with 
improved memory handling.\n\nCVE-2023-23530: Austin Emmitt, Senior Security Researcher at Trellix ARC\n\nEntry added February 20, 2023\n\n**Foundation**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2023-23531: Austin Emmitt, Senior Security Researcher at Trellix ARC\n\nEntry added February 20, 2023\n\n**ImageIO**\n\nAvailable for: macOS Ventura\n\nImpact: Processing an image may lead to a denial-of-service\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2023-23519: Yi\u011fit Can YILMAZ (@yilmazcanyigit)\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved bounds checks.\n\nCVE-2023-23507: an anonymous researcher\n\n**Kernel**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to leak sensitive kernel state\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2023-23500: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. (@starlabs_sg)\n\n**Kernel**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to determine kernel memory layout\n\nDescription: An information disclosure issue was addressed by removing the vulnerable code.\n\nCVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. 
(@starlabs_sg)\n\n**Kernel**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2023-23504: Adam Doup\u00e9 of ASU SEFCOM\n\n**libxpc**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to access user-sensitive data\n\nDescription: A permissions issue was addressed with improved validation.\n\nCVE-2023-23506: Guilherme Rambo of Best Buddy Apps (rambo.codes)\n\n**Mail Drafts**\n\nAvailable for: macOS Ventura\n\nImpact: The quoted original message may be selected from the wrong email when forwarding an email from an Exchange account\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2023-23498: an anonymous researcher\n\n**Maps**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to bypass Privacy preferences\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2023-23503: an anonymous researcher\n\n**PackageKit**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to gain root privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2023-23497: Mickey Jin (@patch1t)\n\n**Safari**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to access a user\u2019s Safari history\n\nDescription: A permissions issue was addressed with improved validation.\n\nCVE-2023-23510: Guilherme Rambo of Best Buddy Apps (rambo.codes)\n\n**Safari**\n\nAvailable for: macOS Ventura\n\nImpact: Visiting a website may lead to an app denial-of-service\n\nDescription: The issue was addressed with improved handling of caches.\n\nCVE-2023-23512: Adriatik Raci\n\n**Screen Time**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to access information about a user\u2019s contacts\n\nDescription: A privacy issue was addressed with improved private data redaction for log entries.\n\nCVE-2023-23505: Wojciech 
Regu\u0142a of SecuRing (wojciechregula.blog)\n\n**Vim**\n\nAvailable for: macOS Ventura\n\nImpact: Multiple issues in Vim\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2022-3705\n\n**Weather**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to bypass Privacy preferences\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2023-23511: Wojciech Regu\u0142a of SecuRing (wojciechregula.blog), an anonymous researcher\n\n**WebKit**\n\nAvailable for: macOS Ventura\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: The issue was addressed with improved checks.\n\nWebKit Bugzilla: 245464 \nCVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, Jiming Wang, JiKai Ren and Hang Shu of Institute of Computing Technology, Chinese Academy of Sciences\n\n**WebKit**\n\nAvailable for: macOS Ventura\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: The issue was addressed with improved memory handling.\n\nWebKit Bugzilla: 248268 \nCVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park (@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung), JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE\n\nWebKit Bugzilla: 248268 \nCVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park (@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung), JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE\n\n**Wi-Fi**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to disclose kernel memory.\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2023-23501: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. 
(@starlabs_sg)\n\n**Windows Installer**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to bypass Privacy preferences.\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2023-23508: Mickey Jin (@patch1t)\n\n\n\n## Additional recognition\n\n**Bluetooth**\n\nWe would like to acknowledge an anonymous researcher for their assistance.\n\n**Kernel**\n\nWe would like to acknowledge Nick Stenning of Replicate for their assistance.\n\n**Shortcuts**\n\nWe would like to acknowledge Baibhav Anand Jha from ReconWithMe and Cristian Dinca of Tudor Vianu National High School of Computer Science, Romania for their assistance.\n\n**WebKit**\n\nWe would like to acknowledge Eliya Stein of Confiant for their assistance.\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: February 23, 2023\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-23T00:00:00", "type": "apple", "title": "About the security content of macOS Ventura 13.2", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-32221", "CVE-2022-35260", "CVE-2022-3705", "CVE-2022-42915", "CVE-2022-42916", "CVE-2023-23493", "CVE-2023-23496", "CVE-2023-23497", "CVE-2023-23498", "CVE-2023-23499", "CVE-2023-23500", "CVE-2023-23501", "CVE-2023-23502", "CVE-2023-23503", "CVE-2023-23504", "CVE-2023-23505", "CVE-2023-23506", "CVE-2023-23507", "CVE-2023-23508", "CVE-2023-23510", "CVE-2023-23511", "CVE-2023-23512", "CVE-2023-23513", "CVE-2023-23517", "CVE-2023-23518", "CVE-2023-23519", "CVE-2023-23520", "CVE-2023-23530", "CVE-2023-23531"], "modified": "2023-01-23T00:00:00", "id": "APPLE:08DE176B86DAA09F8266D63196603C37", "href": "https://support.apple.com/kb/HT213605", "cvss": {"score": 0.0, "vector": "NONE"}}]}