ID

VAR-201912-0596


CVE

CVE-2019-8586


TITLE

Apple iCloud for Windows Updates for vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2019-005041

DESCRIPTION

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, Safari 12.1.1, iTunes for Windows 12.9.5, iCloud for Windows 7.12. Processing maliciously crafted web content may lead to arbitrary code execution. Apple has released an update for iCloud for Windows. The expected impact depends on each vulnerability, but may include the following: * Arbitrary code execution * Privilege escalation * Information leak. WebKit is prone to an information-disclosure vulnerability and multiple memory-corruption vulnerabilities. Successful exploits may allow attackers to obtain sensitive information or execute arbitrary code in the context of the affected system. Failed exploit attempts will likely cause a denial-of-service condition. Apple iOS, etc. are all products of Apple. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. Apple macOS Mojave is a dedicated operating system developed for Mac computers. WebKit is one of the web browser engine components. A buffer error vulnerability exists in the WebKit component of several Apple products. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. The following products and versions are affected: Apple iOS prior to 12.3; macOS Mojave prior to 10.14.5; tvOS prior to 12.3; Windows-based iCloud prior to 10.4, prior to 7.12; Windows-based iTunes prior to 12.9.5; Safari versions earlier than 12.1.1. WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. 
This issue was corrected by changing the way livestreams are downloaded. (CVE-2019-6237) WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge. (CVE-2019-8601) An out-of-bounds read was addressed with improved input validation. (CVE-2019-8644) A logic issue existed in the handling of synchronous page loads. (CVE-2019-8689) A logic issue existed in the handling of document loads. (CVE-2019-8719) This fixes a remote code execution in webkitgtk4. No further details are available in NIST. This issue is fixed in watchOS 6.1. (CVE-2019-8766) "Clear History and Website Data" did not clear the history. The issue was addressed with improved data deletion. This issue is fixed in macOS Catalina 10.15. A user may be unable to delete browsing history items. (CVE-2019-8768) An issue existed in the drawing of web page elements. Visiting a maliciously crafted website may reveal browsing history. (CVE-2019-8769) This issue was addressed with improved iframe sandbox enforcement. (CVE-2019-8846) WebKitGTK up to and including 2.26.4 and WPE WebKit up to and including 2.26.4 (which are the versions right prior to 2.28.0) contain a memory corruption issue (use-after-free) that may lead to arbitrary code execution. (CVE-2020-10018) A use-after-free flaw exists in WebKitGTK. A malicious website may be able to cause a denial of service. A DOM object context may not have had a unique security origin. A file URL may be incorrectly processed. (CVE-2020-3885) A race condition was addressed with additional validation. An application may be able to read restricted memory. (CVE-2020-3901) An input validation issue was addressed with improved input validation. (CVE-2020-3902). 
Installation note: Safari 12.1.1 may be obtained from the Mac App Store. ------------------------------------------------------------------------ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0003 ------------------------------------------------------------------------ Date reported : May 20, 2019 Advisory ID : WSA-2019-0003 WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2019-0003.html WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0003.html CVE identifiers : CVE-2019-6237, CVE-2019-8571, CVE-2019-8583, CVE-2019-8584, CVE-2019-8586, CVE-2019-8587, CVE-2019-8594, CVE-2019-8595, CVE-2019-8596, CVE-2019-8597, CVE-2019-8601, CVE-2019-8607, CVE-2019-8608, CVE-2019-8609, CVE-2019-8610, CVE-2019-8615, CVE-2019-8611, CVE-2019-8619, CVE-2019-8622, CVE-2019-8623. CVE-2019-6237 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to G. Geshev working with Trend Micro Zero Day Initiative, Liu Long of Qihoo 360 Vulcan Team. CVE-2019-8571 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to 01 working with Trend Micro's Zero Day Initiative. CVE-2019-8583 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_) of Tencent Keen Lab, and dwfault working at ADLab of Venustech. CVE-2019-8584 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to G. Geshev of MWR Labs working with Trend Micro Zero Day Initiative. CVE-2019-8586 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to an anonymous researcher. CVE-2019-8587 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to G. Geshev working with Trend Micro Zero Day Initiative. CVE-2019-8594 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to Suyoung Lee and Sooel Son of KAIST Web Security & Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab. CVE-2019-8595 Versions affected: WebKitGTK and WPE WebKit before 2.24.2. Credit to G. 
Geshev from MWR Labs working with Trend Micro Zero Day Initiative. CVE-2019-8596 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to Wen Xu of SSLab at Georgia Tech. CVE-2019-8597 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to 01 working with Trend Micro Zero Day Initiative. CVE-2019-8601 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to Fluoroacetate working with Trend Micro's Zero Day Initiative. CVE-2019-8607 Versions affected: WebKitGTK and WPE WebKit before 2.24.2. Credit to Junho Jang and Hanul Choi of LINE Security Team. CVE-2019-8608 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to G. Geshev working with Trend Micro Zero Day Initiative. CVE-2019-8609 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to Wen Xu of SSLab, Georgia Tech. CVE-2019-8610 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to Anonymous working with Trend Micro Zero Day Initiative. CVE-2019-8615 Versions affected: WebKitGTK and WPE WebKit before 2.24.2. Credit to G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative. CVE-2019-8611 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to Samuel Groß of Google Project Zero. CVE-2019-8619 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab. CVE-2019-8622 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to Samuel Groß of Google Project Zero. CVE-2019-8623 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to Samuel Groß of Google Project Zero. We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases. 
Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/. The WebKitGTK and WPE WebKit team, May 20, 2019 . APPLE-SA-2019-5-13-1 iOS 12.3 iOS 12.3 is now available and addresses the following: AppleFileConduit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-8593: Dany Lisiansky (@DanyL931) Contacts Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to read restricted memory Description: An input validation issue was addressed with improved input validation. CVE-2019-8598: Omer Gull of Checkpoint Research CoreAudio Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing a maliciously crafted movie file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2019-8585: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative Disk Images Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8560: Nikita Pupyshev of Bauman Moscow State Technological University Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A use after free issue was addressed with improved memory management. 
CVE-2019-8605: Ned Williamson working with Google Project Zero Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to cause unexpected system termination or read kernel memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8576: Brandon Azad of Google Project Zero, Junho Jang and Hanul Choi of LINE Security Team Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to cause unexpected system termination or write kernel memory Description: A type confusion issue was addressed with improved memory handling. CVE-2019-8591: Ned Williamson working with Google Project Zero Lock Screen Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A person with physical access to an iOS device may be able to see the email address used for iTunes Description: A logic issue was addressed with improved restrictions. CVE-2019-8599: Jeremy Peña-Lopez (aka Radio) of the University of North Florida Mail Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing a maliciously crafted message may lead to a denial of service Description: An input validation issue was addressed with improved input validation. CVE-2019-8626: Natalie Silvanovich of Google Project Zero Mail Message Framework Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A remote attacker may be able to cause arbitrary code execution Description: A use after free issue was addressed with improved memory management. 
CVE-2019-8613: Natalie Silvanovich of Google Project Zero MobileInstallation Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to modify protected parts of the file system Description: A validation issue existed in the handling of symlinks. CVE-2019-8568: Dany Lisiansky (@DanyL931) MobileLockdown Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to gain root privileges Description: An input validation issue was addressed with improved input validation. CVE-2019-8637: Dany Lisiansky (@DanyL931) Photos Storage Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: An access issue was addressed with additional sandbox restrictions. CVE-2019-8617: an anonymous researcher SQLite Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to gain elevated privileges Description: An input validation issue was addressed with improved memory handling. CVE-2019-8577: Omer Gull of Checkpoint Research SQLite Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A maliciously crafted SQL query may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved input validation. CVE-2019-8600: Omer Gull of Checkpoint Research SQLite Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to read restricted memory Description: An input validation issue was addressed with improved input validation. 
CVE-2019-8598: Omer Gull of Checkpoint Research SQLite Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to elevate privileges Description: A memory corruption issue was addressed by removing the vulnerable code. CVE-2019-8602: Omer Gull of Checkpoint Research Status Bar Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: The lock screen may show a locked icon after unlocking Description: The issue was addressed with improved UI handling. CVE-2019-8630: Jon M. Morlan StreamingZip Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to modify protected parts of the file system Description: A validation issue existed in the handling of symlinks. CVE-2019-8568: Dany Lisiansky (@DanyL931) sysdiagnose Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-8574: Dayton Pidhirney (@_watbulb) of Seekintoo (@seekintoo) WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may result in the disclosure of process memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-6237: G. 
Geshev from MWR Labs working with Trend Micro's Zero Day Initiative CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab CVE-2019-8622: Samuel Groß of Google Project Zero CVE-2019-8623: Samuel Groß of Google Project Zero CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab Wi-Fi Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A device may be passively tracked by its WiFi MAC address Description: A user privacy issue was addressed by removing the broadcast MAC address. CVE-2019-8620: David Kreitschmann and Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt Additional recognition Clang We would like to acknowledge Brandon Azad of Google Project Zero for their assistance. CoreFoundation We would like to acknowledge Vozzie and Rami and m4bln, Xiangqian Zhang, Huiming Liu of Tencent's Xuanwu Lab for their assistance. Kernel We would like to acknowledge Brandon Azad of Google Project Zero and an anonymous researcher for their assistance. MediaLibrary We would like to acknowledge Angel Ramirez and Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc. for their assistance. MobileInstallation We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance. Safari We would like to acknowledge Ben Guild (@benguild) for their assistance. Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. 
We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 12.3". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 3.42

sources: NVD: CVE-2019-8586 // JVNDB: JVNDB-2019-005041 // JVNDB: JVNDB-2019-013423 // BID: 108497 // VULHUB: VHN-160021 // VULMON: CVE-2019-8586 // PACKETSTORM: 152846 // PACKETSTORM: 152849 // PACKETSTORM: 153116 // PACKETSTORM: 152983 // PACKETSTORM: 152844 // PACKETSTORM: 152845 // PACKETSTORM: 153117

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:ltversion:10.14.5

Trust: 1.0

vendor:applemodel:itunesscope:ltversion:12.9.5

Trust: 1.0

vendor:applemodel:tvosscope:ltversion:12.3

Trust: 1.0

vendor:applemodel:icloudscope:gteversion:10.0

Trust: 1.0

vendor:applemodel:iphone osscope:ltversion:12.3

Trust: 1.0

vendor:applemodel:icloudscope:ltversion:7.12

Trust: 1.0

vendor:applemodel:icloudscope:ltversion:10.4

Trust: 1.0

vendor:applemodel:safariscope:ltversion:12.1.1

Trust: 1.0

vendor:applemodel:icloudscope:ltversion:for windows 10.4 earlier

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.14.4

Trust: 0.8

vendor:applemodel:icloudscope:ltversion:for windows 10.4 (windows 10 18362.145 or later )

Trust: 0.8

vendor:applemodel:icloudscope:ltversion:for windows 7.12 (windows 7 or later )

Trust: 0.8

vendor:applemodel:iosscope:ltversion:12.3 (ipad air or later )

Trust: 0.8

vendor:applemodel:iosscope:ltversion:12.3 (iphone 5s or later )

Trust: 0.8

vendor:applemodel:iosscope:ltversion:12.3 (ipod touch first 6 generation )

Trust: 0.8

vendor:applemodel:itunesscope:ltversion:for windows 12.9.5 (windows 7 or later )

Trust: 0.8

vendor:applemodel:safariscope:ltversion:12.1.1 (macos high sierra 10.13.6)

Trust: 0.8

vendor:applemodel:safariscope:ltversion:12.1.1 (macos mojave 10.14.5)

Trust: 0.8

vendor:applemodel:safariscope:ltversion:12.1.1 (macos sierra 10.12.6)

Trust: 0.8

vendor:applemodel:tvosscope:ltversion:12.3 (apple tv 4k)

Trust: 0.8

vendor:applemodel:tvosscope:ltversion:12.3 (apple tv hd)

Trust: 0.8

vendor:webkitmodel:open source project webkitscope:eqversion:0

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.9.4

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.9.3

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.9.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.7.5

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.7.4

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.7.3

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.6.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.5.5

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.5.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.4.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.3.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.3.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.2.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.1.5

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.1.4

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.1.3

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.1.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.1.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.0.5

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.0.4

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.0.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.6.3

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.6.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.5.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.1.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.8

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.7.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.7

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.5.4

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.5.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.4

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.3

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:12.0.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.0.3

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.0.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:11.0

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.7

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.6

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.5.3

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.5.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.5

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.4.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.4

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.3.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.3

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.2.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.1.1.4

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.1.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.0.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:6.1.1

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:7.9

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:7.6

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:7.5

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:7.4

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:7.3

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:7.2

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:7.11

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:7.10

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:7.0

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:6.2.2

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:6.2.1

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:6.2

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:6.1

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:6.0.1

Trust: 0.3

vendor:applemodel:icloudscope:eqversion:6.0

Trust: 0.3

vendor:applemodel:itunesscope:neversion:12.9.5

Trust: 0.3

vendor:applemodel:icloudscope:neversion:7.12

Trust: 0.3

sources: BID: 108497 // JVNDB: JVNDB-2019-005041 // JVNDB: JVNDB-2019-013423 // NVD: CVE-2019-8586

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-8586
value: HIGH

Trust: 1.0

JPCERT/CC: JVNDB-2019-005041
value: MEDIUM

Trust: 0.8

NVD: CVE-2019-8586
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201905-483
value: HIGH

Trust: 0.6

VULHUB: VHN-160021
value: MEDIUM

Trust: 0.1

VULMON: CVE-2019-8586
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-8586
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

JPCERT/CC: JVNDB-2019-005041
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-160021
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-8586
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

JPCERT/CC: JVNDB-2019-005041
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

NVD: CVE-2019-8586
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-160021 // VULMON: CVE-2019-8586 // JVNDB: JVNDB-2019-005041 // JVNDB: JVNDB-2019-013423 // CNNVD: CNNVD-201905-483 // NVD: CVE-2019-8586

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.1

problemtype:CWE-119

Trust: 0.8

sources: VULHUB: VHN-160021 // JVNDB: JVNDB-2019-013423 // NVD: CVE-2019-8586

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-483

TYPE

code execution

Trust: 0.7

sources: PACKETSTORM: 152846 // PACKETSTORM: 152849 // PACKETSTORM: 153116 // PACKETSTORM: 152983 // PACKETSTORM: 152844 // PACKETSTORM: 152845 // PACKETSTORM: 153117

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005041

PATCH

title:About the security content of iCloud for Windows 10.4url:https://support.apple.com/en-us/HT210212

Trust: 1.6

title:HT210118url:https://support.apple.com/en-us/HT210118

Trust: 0.8

title:HT210119url:https://support.apple.com/en-us/HT210119

Trust: 0.8

title:HT210120url:https://support.apple.com/en-us/HT210120

Trust: 0.8

title:HT210123url:https://support.apple.com/en-us/HT210123

Trust: 0.8

title:HT210124url:https://support.apple.com/en-us/HT210124

Trust: 0.8

title:HT210125url:https://support.apple.com/en-us/HT210125

Trust: 0.8

title:HT210118url:https://support.apple.com/ja-jp/HT210118

Trust: 0.8

title:HT210119url:https://support.apple.com/ja-jp/HT210119

Trust: 0.8

title:HT210120url:https://support.apple.com/ja-jp/HT210120

Trust: 0.8

title:HT210123url:https://support.apple.com/ja-jp/HT210123

Trust: 0.8

title:HT210124url:https://support.apple.com/ja-jp/HT210124

Trust: 0.8

title:HT210125url:https://support.apple.com/ja-jp/HT210125

Trust: 0.8

title:HT210212url:https://support.apple.com/ja-jp/HT210212

Trust: 0.8

title:Multiple Apple product WebKit Fix for component buffer error vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92639

Trust: 0.6

title:Red Hat: Moderate: webkitgtk4 security, bug fix, and enhancement updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20204035 - Security Advisory

Trust: 0.1

title:Red Hat: Moderate: OpenShift Container Platform 4.6.1 image security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20204298 - Security Advisory

Trust: 0.1

title:Amazon Linux 2: ALAS2-2020-1563url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2020-1563

Trust: 0.1

sources: VULMON: CVE-2019-8586 // JVNDB: JVNDB-2019-005041 // JVNDB: JVNDB-2019-013423 // CNNVD: CNNVD-201905-483

EXTERNAL IDS

db:NVDid:CVE-2019-8586

Trust: 3.6

db:JVNid:JVNVU95342995

Trust: 1.6

db:BIDid:108497

Trust: 1.0

db:JVNDBid:JVNDB-2019-005041

Trust: 0.8

db:JVNid:JVNVU93988385

Trust: 0.8

db:JVNid:JVNVU98453159

Trust: 0.8

db:JVNDBid:JVNDB-2019-013423

Trust: 0.8

db:CNNVDid:CNNVD-201905-483

Trust: 0.7

db:PACKETSTORMid:159375

Trust: 0.7

db:PACKETSTORMid:152849

Trust: 0.7

db:PACKETSTORMid:152983

Trust: 0.7

db:AUSCERTid:ESB-2020.3399

Trust: 0.6

db:AUSCERTid:ESB-2019.1849

Trust: 0.6

db:AUSCERTid:ESB-2020.3700

Trust: 0.6

db:AUSCERTid:ESB-2019.1698

Trust: 0.6

db:AUSCERTid:ESB-2019.1922

Trust: 0.6

db:VULHUBid:VHN-160021

Trust: 0.1

db:VULMONid:CVE-2019-8586

Trust: 0.1

db:PACKETSTORMid:152846

Trust: 0.1

db:PACKETSTORMid:153116

Trust: 0.1

db:PACKETSTORMid:152844

Trust: 0.1

db:PACKETSTORMid:152845

Trust: 0.1

db:PACKETSTORMid:153117

Trust: 0.1

sources: VULHUB: VHN-160021 // VULMON: CVE-2019-8586 // BID: 108497 // JVNDB: JVNDB-2019-005041 // JVNDB: JVNDB-2019-013423 // PACKETSTORM: 152846 // PACKETSTORM: 152849 // PACKETSTORM: 153116 // PACKETSTORM: 152983 // PACKETSTORM: 152844 // PACKETSTORM: 152845 // PACKETSTORM: 153117 // CNNVD: CNNVD-201905-483 // NVD: CVE-2019-8586

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2019-8586

Trust: 2.1

url:https://support.apple.com/ht210118

Trust: 1.8

url:https://support.apple.com/ht210119

Trust: 1.8

url:https://support.apple.com/ht210120

Trust: 1.8

url:https://support.apple.com/ht210123

Trust: 1.8

url:https://support.apple.com/ht210124

Trust: 1.8

url:https://support.apple.com/ht210125

Trust: 1.8

url:https://support.apple.com/ht210212

Trust: 1.8

url:https://www.apple.com/

Trust: 0.9

url:https://lists.apple.com/archives/security-announce/2019/may/msg00007.html

Trust: 0.9

url:https://lists.apple.com/archives/security-announce/2019/may/msg00006.html

Trust: 0.9

url:http://jvn.jp/cert/jvnvu95342995

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8586

Trust: 0.8

url:http://jvn.jp/vu/jvnvu93988385/index.html

Trust: 0.8

url:http://jvn.jp/vu/jvnvu98453159/index.html

Trust: 0.8

url:http://jvn.jp/vu/jvnvu95342995/index.html

Trust: 0.8

url:https://www.securityfocus.com/bid/108497

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-8587

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-6237

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-8595

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-8584

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-8601

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-8583

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-8596

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-8597

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-8571

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-8594

Trust: 0.7

url:https://webkitgtk.org/security/wsa-2019-0003.html

Trust: 0.7

url:https://wpewebkit.org/security/wsa-2019-0003.html

Trust: 0.7

url:https://support.apple.com/kb/ht201222

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2019-8610

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2019-8607

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2019-8608

Trust: 0.6

url:https://www.apple.com/support/security/pgp/

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2019-8609

Trust: 0.6

url:https://www.suse.com/support/update/announcement/2019/suse-su-20191850-1.html

Trust: 0.6

url:https://support.apple.com/en-au/ht210123

Trust: 0.6

url:https://support.apple.com/kb/ht210125

Trust: 0.6

url:https://www.auscert.org.au/bulletins/80838

Trust: 0.6

url:https://vigilance.fr/vulnerability/webkit-multiple-vulnerabilities-29366

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3700/

Trust: 0.6

url:https://packetstormsecurity.com/files/159375/red-hat-security-advisory-2020-4035-01.html

Trust: 0.6

url:https://support.apple.com/en-us/ht210123

Trust: 0.6

url:https://support.apple.com/en-us/ht210125

Trust: 0.6

url:https://packetstormsecurity.com/files/152849/apple-security-advisory-2019-5-13-5.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.1849/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3399/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.1922/

Trust: 0.6

url:https://packetstormsecurity.com/files/152983/webkitgtk-wpe-webkit-code-execution.html

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2019-8598

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-8611

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-8602

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-8577

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-8600

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-8615

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-8623

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-8619

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-8622

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-8560

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-8576

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-8591

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-8585

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-8568

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-8574

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-8628

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-8605

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-8593

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/787.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://seclists.org/fulldisclosure/2019/may/25

Trust: 0.1

url:https://alas.aws.amazon.com/al2/alas-2020-1563.html

Trust: 0.1

url:https://support.apple.com/ht204283

Trust: 0.1

url:https://wpewebkit.org/security/.

Trust: 0.1

url:https://webkitgtk.org/security.html

Trust: 0.1

url:https://www.apple.com/itunes/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8599

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8569

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8592

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8604

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8590

Trust: 0.1

url:https://support.apple.com/downloads/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8589

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8603

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-4456

Trust: 0.1

url:https://www.apple.com/itunes/download/

Trust: 0.1

sources: VULHUB: VHN-160021 // VULMON: CVE-2019-8586 // BID: 108497 // JVNDB: JVNDB-2019-005041 // JVNDB: JVNDB-2019-013423 // PACKETSTORM: 152846 // PACKETSTORM: 152849 // PACKETSTORM: 153116 // PACKETSTORM: 152983 // PACKETSTORM: 152844 // PACKETSTORM: 152845 // PACKETSTORM: 153117 // CNNVD: CNNVD-201905-483 // NVD: CVE-2019-8586

CREDITS

Apple

Trust: 0.6

sources: PACKETSTORM: 152846 // PACKETSTORM: 152849 // PACKETSTORM: 153116 // PACKETSTORM: 152844 // PACKETSTORM: 152845 // PACKETSTORM: 153117

SOURCES

db: VULHUB, id: VHN-160021
db: VULMON, id: CVE-2019-8586
db: BID, id: 108497
db: JVNDB, id: JVNDB-2019-005041
db: JVNDB, id: JVNDB-2019-013423
db: PACKETSTORM, id: 152846
db: PACKETSTORM, id: 152849
db: PACKETSTORM, id: 153116
db: PACKETSTORM, id: 152983
db: PACKETSTORM, id: 152844
db: PACKETSTORM, id: 152845
db: PACKETSTORM, id: 153117
db: CNNVD, id: CNNVD-201905-483
db: NVD, id: CVE-2019-8586

LAST UPDATE DATE

2024-11-23T19:53:37.493000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-160021, date: 2020-08-24T00:00:00
db: VULMON, id: CVE-2019-8586, date: 2020-08-24T00:00:00
db: BID, id: 108497, date: 2019-05-28T00:00:00
db: JVNDB, id: JVNDB-2019-005041, date: 2019-06-14T00:00:00
db: JVNDB, id: JVNDB-2019-013423, date: 2020-01-06T00:00:00
db: CNNVD, id: CNNVD-201905-483, date: 2021-11-03T00:00:00
db: NVD, id: CVE-2019-8586, date: 2024-11-21T04:50:07.237

SOURCES RELEASE DATE

db: VULHUB, id: VHN-160021, date: 2019-12-18T00:00:00
db: VULMON, id: CVE-2019-8586, date: 2019-12-18T00:00:00
db: BID, id: 108497, date: 2019-05-28T00:00:00
db: JVNDB, id: JVNDB-2019-005041, date: 2019-06-14T00:00:00
db: JVNDB, id: JVNDB-2019-013423, date: 2020-01-06T00:00:00
db: PACKETSTORM, id: 152846, date: 2019-05-14T00:28:51
db: PACKETSTORM, id: 152849, date: 2019-05-14T00:30:08
db: PACKETSTORM, id: 153116, date: 2019-05-29T13:23:53
db: PACKETSTORM, id: 152983, date: 2019-05-21T23:07:14
db: PACKETSTORM, id: 152844, date: 2019-05-14T00:27:53
db: PACKETSTORM, id: 152845, date: 2019-05-14T00:28:29
db: PACKETSTORM, id: 153117, date: 2019-05-29T13:24:19
db: CNNVD, id: CNNVD-201905-483, date: 2019-05-14T00:00:00
db: NVD, id: CVE-2019-8586, date: 2019-12-18T18:15:27.380