ID

VAR-201912-0120


CVE

CVE-2019-8806


TITLE

apple's  Xcode  Out-of-bounds write vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2019-016919

DESCRIPTION

A memory corruption issue was addressed with improved validation. This issue is fixed in Xcode 11.2. Processing a maliciously crafted file may lead to arbitrary code execution. apple's Xcode Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apple Xcode is an integrated development environment provided by Apple (Apple) to developers. It is mainly used to develop applications for Mac OS X and iOS. LLVM (Low Level Virtual Machine) is a framework system of a framework compiler (compiler) developed by the LLVM team. A security vulnerability exists in LLVM components in versions of Apple Xcode prior to 11.2. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-11-01-1 Xcode 11.2 Xcode 11.2 addresses the following: llvm Available for: macOS Mojave 10.14.4 and later Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved validation. CVE-2019-8800: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8806: Pan ZhenPeng of Qihoo 360 Nirvan Team Installation note: Xcode 11.2 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "11.2". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl27tlwACgkQBz4uGe3y 0M3xfA/6Ar1hsMVC9/i7vbHnKFv1nSo5k3dgl3t6UepPM2HW7YR9ngxKXW6r95DB hH9TELVnvluC15EfXbsB+OhcgIxCc8EJYvAs4Y+n34VL/A03WyIDaYB7/TO8NLaL Wh5O7/unhEijj+HhTiveS6x7Fimyw7WzVmLJvIoAN8EBXtvfWTA/VywAgHuX/aVB 2fdMOHDsVUI3a8SBzTSiHs6BM27TCoKx+FI3Ad+yABmxj+SykCfDcFOtxsyFhiBh m6fIPweMxXtKc3tZPQYLtu05UPoBlOclNiAbBt5I7jdd9uNekjLQFaMf+D+gGGZI BIILI1dCg+dQeDKPeMJsdSpcMqqyUvGfTzYW7JNQsGM1LFvS+8e7SLoCKJuIgosK dMkuK/kg05vOGgq6qFyGn/vDDXqoVpbFq+HN6tNU5i0ni8Y5vuE8ecttUJA6XTiA fF7U6AeSxQov5HS9RW8UzyCUktpPtiRuUYr3QWRpEoPsuWiPqvEprHe0FS+tJh3h Zkz42DV8gD5gogakX1oJpX+CTZa725WusiuFs0bdCkougssrGYaRnMe+YL7/Z6ej pAvNOGe4GesS0COGxkXgFK0w6VIC+SGVNdXkCudaYS+C4rklclVmXulKTavldUos D7ebNEuHgE2/H66H0A1zZf4YDP4KqVb/j2T15wiA4uYiU67jN94= =KAxM -----END PGP SIGNATURE-----

Trust: 1.8

sources: NVD: CVE-2019-8806 // JVNDB: JVNDB-2019-016919 // VULHUB: VHN-160241 // PACKETSTORM: 155088

AFFECTED PRODUCTS

vendor:applemodel:xcodescope:ltversion:11.2

Trust: 1.0

vendor:アップルmodel:xcodescope:eqversion: -

Trust: 0.8

vendor:アップルmodel:xcodescope:eqversion:11.2

Trust: 0.8

sources: JVNDB: JVNDB-2019-016919 // NVD: CVE-2019-8806

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-8806
value: HIGH

Trust: 1.0

NVD: CVE-2019-8806
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201911-047
value: HIGH

Trust: 0.6

VULHUB: VHN-160241
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-8806
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-160241
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-8806
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-8806
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-160241 // JVNDB: JVNDB-2019-016919 // CNNVD: CNNVD-201911-047 // NVD: CVE-2019-8806

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.0

problemtype:Out-of-bounds writing (CWE-787) [NVD evaluation ]

Trust: 0.8

problemtype:CWE-119

Trust: 0.1

sources: VULHUB: VHN-160241 // JVNDB: JVNDB-2019-016919 // NVD: CVE-2019-8806

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201911-047

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201911-047

PATCH

title:HT210729 Apple  Security updateurl:https://support.apple.com/en-us/HT210729

Trust: 0.8

title:Apple Xcode LLVM Fix for component buffer error vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=106074

Trust: 0.6

sources: JVNDB: JVNDB-2019-016919 // CNNVD: CNNVD-201911-047

EXTERNAL IDS

db:NVDid:CVE-2019-8806

Trust: 3.4

db:JVNDBid:JVNDB-2019-016919

Trust: 0.8

db:CNNVDid:CNNVD-201911-047

Trust: 0.7

db:PACKETSTORMid:155088

Trust: 0.7

db:AUSCERTid:ESB-2019.4078

Trust: 0.6

db:VULHUBid:VHN-160241

Trust: 0.1

sources: VULHUB: VHN-160241 // JVNDB: JVNDB-2019-016919 // PACKETSTORM: 155088 // CNNVD: CNNVD-201911-047 // NVD: CVE-2019-8806

REFERENCES

url:https://support.apple.com/ht210729

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-8806

Trust: 1.5

url:https://support.apple.com/en-au/ht210729

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.4078/

Trust: 0.6

url:https://support.apple.com/en-us/ht210729

Trust: 0.6

url:https://packetstormsecurity.com/files/155088/apple-security-advisory-2019-11-01-1.html

Trust: 0.6

url:https://support.apple.com/kb/ht201222

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8800

Trust: 0.1

url:https://developer.apple.com/xcode/downloads/

Trust: 0.1

sources: VULHUB: VHN-160241 // JVNDB: JVNDB-2019-016919 // PACKETSTORM: 155088 // CNNVD: CNNVD-201911-047 // NVD: CVE-2019-8806

CREDITS

Apple

Trust: 0.7

sources: PACKETSTORM: 155088 // CNNVD: CNNVD-201911-047

SOURCES

db:VULHUBid:VHN-160241
db:JVNDBid:JVNDB-2019-016919
db:PACKETSTORMid:155088
db:CNNVDid:CNNVD-201911-047
db:NVDid:CVE-2019-8806

LAST UPDATE DATE

2024-08-14T14:38:40.979000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-160241date:2019-12-30T00:00:00
db:JVNDBid:JVNDB-2019-016919date:2024-07-23T05:09:00
db:CNNVDid:CNNVD-201911-047date:2021-10-29T00:00:00
db:NVDid:CVE-2019-8806date:2021-07-21T11:39:23.747

SOURCES RELEASE DATE

db:VULHUBid:VHN-160241date:2019-12-18T00:00:00
db:JVNDBid:JVNDB-2019-016919date:2024-07-23T00:00:00
db:PACKETSTORMid:155088date:2019-11-04T16:55:40
db:CNNVDid:CNNVD-201911-047date:2019-11-04T00:00:00
db:NVDid:CVE-2019-8806date:2019-12-18T18:15:43.210