Details of VAR-202005-0473

ID

VAR-202005-0473

CVE

CVE-2020-13434

TITLE

Apple Security Advisory 2020-11-13-3

Trust: 0.1

sources: PACKETSTORM: 160061

DESCRIPTION

SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. SQLite is an open source embedded relational database management system based on C language developed by American D.Richard Hipp software developer. The system has the characteristics of independence, isolation and cross-platform. The sqlite3_str_vappendf of the printf.c file in SQLite 3.32.0 and earlier versions has an input validation error vulnerability. A remote attacker could exploit this vulnerability to execute arbitrary code by sending a specially crafted request. CVE-2020-9976: Rias A. Murdoch (@SJMurdoch) of OneSpan's Innovation Centre (onespan.com) and University College London, Jack Cable of Lightning Security, Ryan Pickren (ryanpickren.com), Yair Amit for their assistance. Entry added November 12, 2020 Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 14.0 and iPadOS 14.0". Bugs fixed (https://bugzilla.redhat.com/): 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1328 - Port fix to 5.0.z for BZ-1945168 6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat OpenShift Container Storage 4.6.5 security and bug fix update Advisory ID: RHSA-2021:2479-01 Product: Red Hat OpenShift Container Storage Advisory URL: https://access.redhat.com/errata/RHSA-2021:2479 Issue date: 2021-06-17 CVE Names: CVE-2016-10228 CVE-2017-14502 CVE-2019-2708 CVE-2019-3842 CVE-2019-9169 CVE-2019-13012 CVE-2019-14866 CVE-2019-25013 CVE-2020-8231 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2020-8927 CVE-2020-9948 CVE-2020-9951 CVE-2020-9983 CVE-2020-13434 CVE-2020-13543 CVE-2020-13584 CVE-2020-13776 CVE-2020-15358 CVE-2020-24977 CVE-2020-25659 CVE-2020-25678 CVE-2020-26116 CVE-2020-26137 CVE-2020-27618 CVE-2020-27619 CVE-2020-27783 CVE-2020-28196 CVE-2020-29361 CVE-2020-29362 CVE-2020-29363 CVE-2020-36242 CVE-2021-3139 CVE-2021-3177 CVE-2021-3326 CVE-2021-3449 CVE-2021-3450 CVE-2021-3528 CVE-2021-20305 CVE-2021-23239 CVE-2021-23240 CVE-2021-23336 ==================================================================== 1. Summary: Updated images that fix one security issue and several bugs are now available for Red Hat OpenShift Container Storage 4.6.5 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description: Red Hat OpenShift Container Storage is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Container Storage is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Container Storage provisions a multicloud data management service with an S3 compatible API. Security Fix(es): * NooBaa: noobaa-operator leaking RPC AuthToken into log files (CVE-2021-3528) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Currently, a newly restored PVC cannot be mounted if some of the OpenShift Container Platform nodes are running on a version of Red Hat Enterprise Linux which is less than 8.2, and the snapshot from which the PVC was restored is deleted. Workaround: Do not delete the snapshot from which the PVC was restored until the restored PVC is deleted. (BZ#1962483) * Previously, the default backingstore was not created on AWS S3 when OpenShift Container Storage was deployed, due to incorrect identification of AWS S3. With this update, the default backingstore gets created when OpenShift Container Storage is deployed on AWS S3. (BZ#1927307) * Previously, log messages were printed to the endpoint pod log even if the debug option was not set. With this update, the log messages are printed to the endpoint pod log only when the debug option is set. (BZ#1938106) * Previously, the PVCs could not be provisioned as the `rook-ceph-mds` did not register the pod IP on the monitor servers, and hence every mount on the filesystem timed out, resulting in CephFS volume provisioning failure. With this update, an argument `--public-addr=podIP` is added to the MDS pod when the host network is not enabled, and hence the CephFS volume provisioning does not fail. (BZ#1949558) * Previously, OpenShift Container Storage 4.2 clusters were not updated with the correct cache value, and hence MDSs in standby-replay might report an oversized cache, as rook did not apply the `mds_cache_memory_limit` argument during upgrades. With this update, the `mds_cache_memory_limit` argument is applied during upgrades and the mds daemon operates normally. (BZ#1951348) * Previously, the coredumps were not generated in the correct location as rook was setting the config option `log_file` to an empty string since logging happened on stdout and not on the files, and hence Ceph read the value of the `log_file` to build the dump path. With this update, rook does not set the `log_file` and keeps Ceph's internal default, and hence the coredumps are generated in the correct location and are accessible under `/var/log/ceph/`. (BZ#1938049) * Previously, Ceph became inaccessible, as the mons lose quorum if a mon pod was drained while another mon was failing over. With this update, voluntary mon drains are prevented while a mon is failing over, and hence Ceph does not become inaccessible. (BZ#1946573) * Previously, the mon quorum was at risk, as the operator could erroneously remove the new mon if the operator was restarted during a mon failover. With this update, the operator completes the same mon failover after the operator is restarted, and hence the mon quorum is more reliable in the node drains and mon failover scenarios. (BZ#1959983) All users of Red Hat OpenShift Container Storage are advised to pull these new images from the Red Hat Container Registry. Bugs fixed (https://bugzilla.redhat.com/): 1938106 - [GSS][RFE]Reduce debug level for logs of Nooba Endpoint pod 1950915 - XSS Vulnerability with Noobaa version 5.5.0-3bacc6b 1951348 - [GSS][CephFS] health warning "MDS cache is too large (3GB/1GB); 0 inodes in use by clients, 0 stray files" for the standby-replay 1951600 - [4.6.z][Clone of BZ #1936545] setuid and setgid file bits are not retained after a OCS CephFS CSI restore 1955601 - CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files 1957189 - [Rebase] Use RHCS4.2z1 container image with OCS 4..6.5[may require doc update for external mode min supported RHCS version] 1959980 - When a node is being drained, increase the mon failover timeout to prevent unnecessary mon failover 1959983 - [GSS][mon] rook-operator scales mons to 4 after healthCheck timeout 1962483 - [RHEL7][RBD][4.6.z clone] FailedMount error when using restored PVC on app pod 5. References: https://access.redhat.com/security/cve/CVE-2016-10228 https://access.redhat.com/security/cve/CVE-2017-14502 https://access.redhat.com/security/cve/CVE-2019-2708 https://access.redhat.com/security/cve/CVE-2019-3842 https://access.redhat.com/security/cve/CVE-2019-9169 https://access.redhat.com/security/cve/CVE-2019-13012 https://access.redhat.com/security/cve/CVE-2019-14866 https://access.redhat.com/security/cve/CVE-2019-25013 https://access.redhat.com/security/cve/CVE-2020-8231 https://access.redhat.com/security/cve/CVE-2020-8284 https://access.redhat.com/security/cve/CVE-2020-8285 https://access.redhat.com/security/cve/CVE-2020-8286 https://access.redhat.com/security/cve/CVE-2020-8927 https://access.redhat.com/security/cve/CVE-2020-9948 https://access.redhat.com/security/cve/CVE-2020-9951 https://access.redhat.com/security/cve/CVE-2020-9983 https://access.redhat.com/security/cve/CVE-2020-13434 https://access.redhat.com/security/cve/CVE-2020-13543 https://access.redhat.com/security/cve/CVE-2020-13584 https://access.redhat.com/security/cve/CVE-2020-13776 https://access.redhat.com/security/cve/CVE-2020-15358 https://access.redhat.com/security/cve/CVE-2020-24977 https://access.redhat.com/security/cve/CVE-2020-25659 https://access.redhat.com/security/cve/CVE-2020-25678 https://access.redhat.com/security/cve/CVE-2020-26116 https://access.redhat.com/security/cve/CVE-2020-26137 https://access.redhat.com/security/cve/CVE-2020-27618 https://access.redhat.com/security/cve/CVE-2020-27619 https://access.redhat.com/security/cve/CVE-2020-27783 https://access.redhat.com/security/cve/CVE-2020-28196 https://access.redhat.com/security/cve/CVE-2020-29361 https://access.redhat.com/security/cve/CVE-2020-29362 https://access.redhat.com/security/cve/CVE-2020-29363 https://access.redhat.com/security/cve/CVE-2020-36242 https://access.redhat.com/security/cve/CVE-2021-3139 https://access.redhat.com/security/cve/CVE-2021-3177 https://access.redhat.com/security/cve/CVE-2021-3326 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-3450 https://access.redhat.com/security/cve/CVE-2021-3528 https://access.redhat.com/security/cve/CVE-2021-20305 https://access.redhat.com/security/cve/CVE-2021-23239 https://access.redhat.com/security/cve/CVE-2021-23240 https://access.redhat.com/security/cve/CVE-2021-23336 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. Bugs fixed (https://bugzilla.redhat.com/): 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers 1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve 1928172 - CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads 1928937 - CVE-2021-23337 nodejs-lodash: command injection via template 1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions 5. Bugs fixed (https://bugzilla.redhat.com/): 1937901 - CVE-2021-27918 golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader 1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header 1965503 - CVE-2021-33196 golang: archive/zip: Malformed archive may cause panic or memory exhaustion 1971445 - Release of OpenShift Serverless Serving 1.16.0 1971448 - Release of OpenShift Serverless Eventing 1.16.0 5. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2021:2122 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel ease-notes.html This update fixes the following bug among others: * Previously, resources for the ClusterOperator were being created early in the update process, which led to update failures when the ClusterOperator had no status condition while Operators were updating. This bug fix changes the timing of when these resources are created. As a result, updates can take place without errors. (BZ#1959238) Security Fix(es): * gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121) You may download the oc tool and use it to inspect release image metadata as follows: (For x86_64 architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-x86_64 The image digest is sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4 (For s390x architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-s390x The image digest is sha256:4cf44e68413acad063203e1ee8982fd01d8b9c1f8643a5b31cd7ff341b3199cd (For ppc64le architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-ppc64le The image digest is sha256:d47ce972f87f14f1f3c5d50428d2255d1256dae3f45c938ace88547478643e36 All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor 3. Solution: For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1923268 - [Assisted-4.7] [Staging] Using two both spelling "canceled" "cancelled" 1947216 - [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go 1953963 - Enable/Disable host operations returns cluster resource with incomplete hosts list 1957749 - ovn-kubernetes pod should have CPU and memory requests set but not limits 1959238 - CVO creating cloud-controller-manager too early causing upgrade failures 1960103 - SR-IOV obliviously reboot the node 1961941 - Local Storage Operator using LocalVolume CR fails to create PV's when backend storage failure is simulated 1962302 - packageserver clusteroperator does not set reason or message for Available condition 1962312 - Deployment considered unhealthy despite being available and at latest generation 1962435 - Public DNS records were not deleted when destroying a cluster which is using byo private hosted zone 1963115 - Test verify /run filesystem contents failing 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2020-12-14-4 Additional information for APPLE-SA-2020-11-13-1 macOS Big Sur 11.0.1 macOS Big Sur 11.0.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT211931. AMD Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2020-27914: Yu Wang of Didi Research America CVE-2020-27915: Yu Wang of Didi Research America Entry added December 14, 2020 App Store Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to gain elevated privileges Description: This issue was addressed by removing the vulnerable code. CVE-2020-27903: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab Audio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-27910: JunDong Xie and XingWei Lin of Ant Security Light- Year Lab Audio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-27916: JunDong Xie of Ant Security Light-Year Lab Audio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9943: JunDong Xie of Ant Group Light-Year Security Lab Audio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9944: JunDong Xie of Ant Group Light-Year Security Lab Bluetooth Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause unexpected application termination or heap corruption Description: Multiple integer overflows were addressed with improved input validation. CVE-2020-27906: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab CoreAudio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-27908: JunDong Xie and XingWei Lin of Ant Security Light- Year Lab CVE-2020-27909: Anonymous working with Trend Micro Zero Day Initiative, JunDong Xie and XingWei Lin of Ant Security Light-Year Lab CVE-2020-9960: JunDong Xie and XingWei Lin of Ant Security Light-Year Lab Entry added December 14, 2020 CoreAudio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-10017: Francis working with Trend Micro Zero Day Initiative, JunDong Xie of Ant Security Light-Year Lab CoreCapture Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-9949: Proteas CoreGraphics Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-9883: an anonymous researcher, Mickey Jin of Trend Micro Crash Reporter Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local attacker may be able to elevate their privileges Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. CVE-2020-10003: Tim Michaud (@TimGMichaud) of Leviathan CoreText Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A logic issue was addressed with improved state management. CVE-2020-27922: Mickey Jin of Trend Micro Entry added December 14, 2020 CoreText Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted text file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2020-9999: Apple Entry updated December 14, 2020 Disk Images Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-9965: Proteas CVE-2020-9966: Proteas Finder Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Users may be unable to remove metadata indicating where files were downloaded from Description: The issue was addressed with additional user controls. CVE-2020-27894: Manuel Trezza of Shuggr (shuggr.com) FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A buffer overflow was addressed with improved size validation. CVE-2020-9962: Yiğit Can YILMAZ (@yilmazcanyigit) Entry added December 14, 2020 FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-27952: an anonymous researcher, Mickey Jin and Junzhi Lu of Trend Micro Entry added December 14, 2020 FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-9956: Mickey Jin and Junzhi Lu of Trend Micro Mobile Security Research Team working with Trend Micro’s Zero Day Initiative Entry added December 14, 2020 FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed with improved input validation. CVE-2020-27931: Apple Entry added December 14, 2020 FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font may lead to arbitrary code execution. Apple is aware of reports that an exploit for this issue exists in the wild. Description: A memory corruption issue was addressed with improved input validation. CVE-2020-27930: Google Project Zero FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-27927: Xingwei Lin of Ant Security Light-Year Lab Foundation Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local user may be able to read arbitrary files Description: A logic issue was addressed with improved state management. CVE-2020-10002: James Hutchins HomeKit Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An attacker in a privileged network position may be able to unexpectedly alter application state Description: This issue was addressed with improved setting propagation. CVE-2020-9978: Luyi Xing, Dongfang Zhao, and Xiaofeng Wang of Indiana University Bloomington, Yan Jia of Xidian University and University of Chinese Academy of Sciences, and Bin Yuan of HuaZhong University of Science and Technology Entry added December 14, 2020 ImageIO Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9955: Mickey Jin of Trend Micro, Xingwei Lin of Ant Security Light-Year Lab Entry added December 14, 2020 ImageIO Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-27924: Lei Sun Entry added December 14, 2020 ImageIO Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-27912: Xingwei Lin of Ant Security Light-Year Lab CVE-2020-27923: Lei Sun Entry updated December 14, 2020 ImageIO Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9876: Mickey Jin of Trend Micro Intel Graphics Driver Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-10015: ABC Research s.r.o. working with Trend Micro Zero Day Initiative CVE-2020-27897: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc., and Luyi Xing of Indiana University Bloomington Entry added December 14, 2020 Intel Graphics Driver Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2020-27907: ABC Research s.r.o. working with Trend Micro Zero Day Initiative Entry added December 14, 2020 Image Processing Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-27919: Hou JingYi (@hjy79425575) of Qihoo 360 CERT, Xingwei Lin of Ant Security Light-Year Lab Entry added December 14, 2020 Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2020-9967: Alex Plaskett (@alexjplaskett) Entry added December 14, 2020 Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-9975: Tielei Wang of Pangu Lab Entry added December 14, 2020 Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved state handling. CVE-2020-27921: Linus Henze (pinauten.de) Entry added December 14, 2020 Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management. CVE-2020-27904: Zuozhi Fan (@pattern_F_) of Ant Group Tianqong Security Lab Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An attacker in a privileged network position may be able to inject into active connections within a VPN tunnel Description: A routing issue was addressed with improved restrictions. CVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. Crandall Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to disclose kernel memory. Apple is aware of reports that an exploit for this issue exists in the wild. Description: A memory initialization issue was addressed. CVE-2020-27950: Google Project Zero Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to determine kernel memory layout Description: A logic issue was addressed with improved state management. CVE-2020-9974: Tommy Muir (@Muirey03) Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2020-10016: Alex Helie Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild. Description: A type confusion issue was addressed with improved state handling. CVE-2020-27932: Google Project Zero libxml2 Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing maliciously crafted web content may lead to code execution Description: A use after free issue was addressed with improved memory management. CVE-2020-27917: found by OSS-Fuzz CVE-2020-27920: found by OSS-Fuzz Entry updated December 14, 2020 libxml2 Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: An integer overflow was addressed through improved input validation. CVE-2020-27911: found by OSS-Fuzz libxpc Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to elevate privileges Description: A logic issue was addressed with improved validation. CVE-2020-9971: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab Entry added December 14, 2020 libxpc Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to break out of its sandbox Description: A parsing issue in the handling of directory paths was addressed with improved path validation. CVE-2020-10014: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab Logging Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local attacker may be able to elevate their privileges Description: A path handling issue was addressed with improved validation. CVE-2020-10010: Tommy Muir (@Muirey03) Mail Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to unexpectedly alter application state Description: This issue was addressed with improved checks. CVE-2020-9941: Fabian Ising of FH Münster University of Applied Sciences and Damian Poddebniak of FH Münster University of Applied Sciences Messages Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local user may be able to discover a user’s deleted messages Description: The issue was addressed with improved deletion. CVE-2020-9988: William Breuer of the Netherlands CVE-2020-9989: von Brunn Media Model I/O Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-10011: Aleksandar Nikolic of Cisco Talos Entry added December 14, 2020 Model I/O Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-13524: Aleksandar Nikolic of Cisco Talos Model I/O Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution Description: A logic issue was addressed with improved state management. CVE-2020-10004: Aleksandar Nikolic of Cisco Talos NetworkExtension Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to elevate privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-9996: Zhiwei Yuan of Trend Micro iCore Team, Junzhi Lu and Mickey Jin of Trend Micro NSRemoteView Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A logic issue was addressed with improved restrictions. CVE-2020-27901: Thijs Alkemade of Computest Research Division Entry added December 14, 2020 NSRemoteView Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to preview files it does not have access to Description: An issue existed in the handling of snapshots. The issue was resolved with improved permissions logic. CVE-2020-27900: Thijs Alkemade of Computest Research Division PCRE Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Multiple issues in pcre Description: Multiple issues were addressed by updating to version 8.44. CVE-2019-20838 CVE-2020-14155 Power Management Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to determine kernel memory layout Description: A logic issue was addressed with improved state management. CVE-2020-10007: singi@theori working with Trend Micro Zero Day Initiative python Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Cookies belonging to one origin may be sent to another origin Description: Multiple issues were addressed with improved logic. CVE-2020-27896: an anonymous researcher Quick Look Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious app may be able to determine the existence of files on the computer Description: The issue was addressed with improved handling of icon caches. CVE-2020-9963: Csaba Fitzl (@theevilbit) of Offensive Security Quick Look Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted document may lead to a cross site scripting attack Description: An access issue was addressed with improved access restrictions. CVE-2020-10012: Heige of KnownSec 404 Team (https://www.knownsec.com/) and Bo Qu of Palo Alto Networks (https://www.paloaltonetworks.com/) Ruby Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to modify the file system Description: A path handling issue was addressed with improved validation. CVE-2020-27896: an anonymous researcher Ruby Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: When parsing certain JSON documents, the json gem can be coerced into creating arbitrary objects in the target system Description: This issue was addressed with improved checks. CVE-2020-10663: Jeremy Evans Safari Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Visiting a malicious website may lead to address bar spoofing Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. CVE-2020-9945: Narendra Bhati From Suma Soft Pvt. Ltd. Pune (India) @imnarendrabhati Safari Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to determine a user's open tabs in Safari Description: A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement. CVE-2020-9977: Josh Parnham (@joshparnham) Safari Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2020-9942: an anonymous researcher, Rahul d Kankrale (servicenger.com), Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter, Ruilin Yang of Tencent Security Xuanwu Lab, YoKo Kho (@YoKoAcc) of PT Telekomunikasi Indonesia (Persero) Tbk, Zhiyang Zeng(@Wester) of OPPO ZIWU Security Lab Sandbox Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local user may be able to view senstive user information Description: An access issue was addressed with additional sandbox restrictions. CVE-2020-9969: Wojciech Reguła of SecuRing (wojciechregula.blog) SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2020-9991 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to leak memory Description: An information disclosure issue was addressed with improved state management. CVE-2020-9849 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Multiple issues in SQLite Description: Multiple issues were addressed by updating SQLite to version 3.32.3. CVE-2020-15358 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A maliciously crafted SQL query may lead to data corruption Description: This issue was addressed with improved checks. CVE-2020-13631 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2020-13434 CVE-2020-13435 CVE-2020-9991 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2020-13630 Symptom Framework Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local attacker may be able to elevate their privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-27899: 08Tc3wBB working with ZecOps Entry added December 14, 2020 System Preferences Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A logic issue was addressed with improved state management. CVE-2020-10009: Thijs Alkemade of Computest Research Division TCC Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application with root privileges may be able to access private information Description: A logic issue was addressed with improved restrictions. CVE-2020-10008: Wojciech Reguła of SecuRing (wojciechregula.blog) Entry added December 14, 2020 WebKit Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2020-27918: Liu Long of Ant Security Light-Year Lab Entry updated December 14, 2020 Wi-Fi Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An attacker may be able to bypass Managed Frame Protection Description: A denial of service issue was addressed with improved state handling. CVE-2020-27898: Stephan Marais of University of Johannesburg Xsan Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to access restricted files Description: This issue was addressed with improved entitlements. CVE-2020-10006: Wojciech Reguła (@_r3ggi) of SecuRing Additional recognition 802.1X We would like to acknowledge Kenana Dalle of Hamad bin Khalifa University and Ryan Riley of Carnegie Mellon University in Qatar for their assistance. Entry added December 14, 2020 Audio We would like to acknowledge JunDong Xie and XingWei Lin of Ant- financial Light-Year Security Lab, an anonymous researcher for their assistance. Bluetooth We would like to acknowledge Andy Davis of NCC Group, Dennis Heinze (@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab for their assistance. Entry updated December 14, 2020 Clang We would like to acknowledge Brandon Azad of Google Project Zero for their assistance. Core Location We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance. Crash Reporter We would like to acknowledge Artur Byszko of AFINE for their assistance. Entry added December 14, 2020 Directory Utility We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing for their assistance. iAP We would like to acknowledge Andy Davis of NCC Group for their assistance. Kernel We would like to acknowledge Brandon Azad of Google Project Zero, Stephen Röttger of Google for their assistance. libxml2 We would like to acknowledge an anonymous researcher for their assistance. Entry added December 14, 2020 Login Window We would like to acknowledge Rob Morton of Leidos for their assistance. Photos Storage We would like to acknowledge Paulos Yibelo of LimeHats for their assistance. Quick Look We would like to acknowledge Csaba Fitzl (@theevilbit) and Wojciech Reguła of SecuRing (wojciechregula.blog) for their assistance. Safari We would like to acknowledge Gabriel Corona and Narendra Bhati From Suma Soft Pvt. Ltd. Pune (India) @imnarendrabhati for their assistance. Security We would like to acknowledge Christian Starkjohann of Objective Development Software GmbH for their assistance. System Preferences We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAl/YDPwACgkQZcsbuWJ6 jjANmhAAoj+ZHNnH2pGDFl2/jrAtvWBtXg8mqw6NtNbGqWDZFhnY5q7Lp8WTx/Pi x64A4F8bU5xcybnmaDpK5PMwAAIiAg4g1BhpOq3pGyeHEasNx7D9damfqFGKiivS p8nl62XE74ayfxdZGa+2tOVFTFwqixfr0aALVoQUhAWNeYuvVSgJXlgdGjj+QSL+ 9vW86kbQypOqT5TPDg6tpJy3g5s4hotkfzCfxA9mIKOg5e/nnoRNhw0c1dzfeTRO INzGxnajKGGYy2C3MH6t0cKG0B6cH7aePZCHYJ1jmuAVd0SD3PfmoT76DeRGC4Ri c8fGD+5pvSF6/+5E+MbH3t3D6bLiCGRFJtYNMpr46gUKKt27EonSiheYCP9xR6lU ChpYdcgHMOHX4a07/Oo8vEwQrtJ4JryhI9tfBel1ewdSoxk2iCFKzLLYkDMihD6B 1x/9MlaqEpLYBnuKkrRzFINW23TzFPTI/+i2SbUscRQtK0qE7Up5C+IUkRvBGhEs MuEmEnn5spnVG2EBcKeLtJxtf/h5WaRFrev72EvSVR+Ko8Cj0MgK6IATu6saq8bV kURL5empvpexFAvVQWRDaLgGBHKM+uArBz2OP6t7wFvD2p1Vq5M+dMrEPna1JO/S AXZYC9Y9bBRZfYQAv7nxa+uIXy2rGTuQKQY8ldu4eEHtJ0OhaB8= =T5Y8 -----END PGP SIGNATURE----- . Alternatively, on your watch, select "My Watch > General > About"

Trust: 1.71

sources: NVD: CVE-2020-13434 // VULHUB: VHN-166212 // PACKETSTORM: 160061 // PACKETSTORM: 162837 // PACKETSTORM: 163209 // PACKETSTORM: 163276 // PACKETSTORM: 163496 // PACKETSTORM: 162877 // PACKETSTORM: 160545 // PACKETSTORM: 160064

AFFECTED PRODUCTS

vendor:	freebsd	model:	freebsd	scope:	gte	version:	11.0	Trust: 1.0
vendor:	oracle	model:	communications network charging and control	scope:	lte	version:	12.0.3	Trust: 1.0
vendor:	sqlite	model:	sqlite	scope:	lte	version:	3.32.0	Trust: 1.0
vendor:	freebsd	model:	freebsd	scope:	eq	version:	11.4	Trust: 1.0
vendor:	apple	model:	ipados	scope:	lt	version:	14.0	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	18.04	Trust: 1.0
vendor:	apple	model:	iphone os	scope:	lt	version:	14.0	Trust: 1.0
vendor:	oracle	model:	outside in technology	scope:	eq	version:	8.5.5	Trust: 1.0
vendor:	freebsd	model:	freebsd	scope:	lt	version:	11.4	Trust: 1.0
vendor:	apple	model:	macos	scope:	gte	version:	11.0	Trust: 1.0
vendor:	freebsd	model:	freebsd	scope:	eq	version:	12.1	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	16.04	Trust: 1.0
vendor:	apple	model:	icloud	scope:	lt	version:	11.5	Trust: 1.0
vendor:	apple	model:	macos	scope:	lt	version:	11.0.1	Trust: 1.0
vendor:	apple	model:	itunes	scope:	lt	version:	12.10.9	Trust: 1.0
vendor:	oracle	model:	communications network charging and control	scope:	eq	version:	6.0.1	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	20.04	Trust: 1.0
vendor:	freebsd	model:	freebsd	scope:	eq	version:	12.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	8.0	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	19.10	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	32	Trust: 1.0
vendor:	apple	model:	tvos	scope:	lt	version:	14.0	Trust: 1.0
vendor:	apple	model:	watchos	scope:	lt	version:	7.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core policy	scope:	eq	version:	1.14.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	oracle	model:	communications network charging and control	scope:	gte	version:	12.0.0	Trust: 1.0

sources: NVD: CVE-2020-13434

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-13434
value:	MEDIUM
Trust: 1.0
VULHUB:	VHN-166212
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2020-13434
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:N/I:N/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-166212
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:N/I:N/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-13434
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-166212 // NVD: CVE-2020-13434

PROBLEMTYPE DATA

problemtype:

CWE-190

Trust: 1.1

sources: VULHUB: VHN-166212 // NVD: CVE-2020-13434

TYPE

overflow, spoof, code execution, xss

Trust: 0.2

sources: PACKETSTORM: 160061 // PACKETSTORM: 160064

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-166212

EXTERNAL IDS

db:	NVD	id:	CVE-2020-13434	Trust: 1.9
db:	PACKETSTORM	id:	163276	Trust: 0.2
db:	PACKETSTORM	id:	163209	Trust: 0.2
db:	PACKETSTORM	id:	160545	Trust: 0.2
db:	PACKETSTORM	id:	163496	Trust: 0.2
db:	PACKETSTORM	id:	162837	Trust: 0.2
db:	PACKETSTORM	id:	160061	Trust: 0.2
db:	PACKETSTORM	id:	160064	Trust: 0.2
db:	PACKETSTORM	id:	162659	Trust: 0.1
db:	PACKETSTORM	id:	163257	Trust: 0.1
db:	PACKETSTORM	id:	162628	Trust: 0.1
db:	PACKETSTORM	id:	163267	Trust: 0.1
db:	PACKETSTORM	id:	160062	Trust: 0.1
db:	PACKETSTORM	id:	158592	Trust: 0.1
db:	PACKETSTORM	id:	163188	Trust: 0.1
db:	CNNVD	id:	CNNVD-202005-1159	Trust: 0.1
db:	VULHUB	id:	VHN-166212	Trust: 0.1
db:	PACKETSTORM	id:	162877	Trust: 0.1

sources: VULHUB: VHN-166212 // PACKETSTORM: 160061 // PACKETSTORM: 162837 // PACKETSTORM: 163209 // PACKETSTORM: 163276 // PACKETSTORM: 163496 // PACKETSTORM: 162877 // PACKETSTORM: 160545 // PACKETSTORM: 160064 // NVD: CVE-2020-13434

REFERENCES

url:	https://security.netapp.com/advisory/ntap-20200528-0004/	Trust: 1.1
url:	https://support.apple.com/kb/ht211843	Trust: 1.1
url:	https://support.apple.com/kb/ht211844	Trust: 1.1
url:	https://support.apple.com/kb/ht211850	Trust: 1.1
url:	https://support.apple.com/kb/ht211931	Trust: 1.1
url:	https://support.apple.com/kb/ht211935	Trust: 1.1
url:	https://support.apple.com/kb/ht211952	Trust: 1.1
url:	https://security.freebsd.org/advisories/freebsd-sa-20:22.sqlite.asc	Trust: 1.1
url:	http://seclists.org/fulldisclosure/2020/nov/20	Trust: 1.1
url:	http://seclists.org/fulldisclosure/2020/nov/19	Trust: 1.1
url:	http://seclists.org/fulldisclosure/2020/nov/22	Trust: 1.1
url:	http://seclists.org/fulldisclosure/2020/dec/32	Trust: 1.1
url:	https://security.gentoo.org/glsa/202007-26	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuapr2021.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuapr2022.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpujul2020.html	Trust: 1.1
url:	https://www.sqlite.org/src/info/23439ea582241138	Trust: 1.1
url:	https://www.sqlite.org/src/info/d08d3405878d394e	Trust: 1.1
url:	https://lists.debian.org/debian-lts-announce/2020/05/msg00024.html	Trust: 1.1
url:	https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html	Trust: 1.1
url:	https://usn.ubuntu.com/4394-1/	Trust: 1.1
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/l7kxqwhiy2mqp4lnm6odwjenmxyyqybn/	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13434	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-15358	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2020-8286	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-28196	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-15358	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-13434	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-3842	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-13776	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-24977	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-8231	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-29362	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-8285	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2016-10228	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-9169	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-25013	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-29361	Trust: 0.5
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9169	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2021-3326	Trust: 0.5
url:	https://bugzilla.redhat.com/):	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-25013	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-2708	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-8927	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-29363	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3842	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-2708	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2016-10228	Trust: 0.5
url:	https://access.redhat.com/security/team/contact/	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-8284	Trust: 0.5
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-27618	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13776	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-26116	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-27619	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2021-3177	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2021-23336	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13435	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13631	Trust: 0.3
url:	https://www.apple.com/support/security/pgp/	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13630	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2021-20305	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-13543	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9951	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9948	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-13012	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-13584	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-26137	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9983	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-13012	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2017-14502	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-27618	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8231	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-24977	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2017-14502	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-28196	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-29362	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-29363	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-29361	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9961	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9951	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9947	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9944	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9954	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9941	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9943	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14899	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9965	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9946	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9876	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9949	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9849	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9950	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9952	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14347	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-36322	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-12114	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-25712	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12114	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-27835	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-25704	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-3121	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-10878	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-19528	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-0431	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14363	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-18811	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13543	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14360	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13584	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-19528	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-12464	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14314	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-12362	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14356	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-27786	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-25643	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-24394	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-0431	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-0342	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-18811	Trust: 0.2
url:	https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14345	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14344	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-19523	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14362	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14361	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10543	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-25285	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-35508	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12362	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-25212	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-19523	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-28974	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-10543	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-15437	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-25284	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14346	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10878	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11608	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-11608	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12464	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-26116	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-36242	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-27619	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-14866	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14866	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-3449	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-27783	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-25659	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-3450	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8284	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8285	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8286	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8927	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-27219	Trust: 0.2
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/l7kxqwhiy2mqp4lnm6odwjenmxyyqybn/	Trust: 0.1
url:	https://www.apple.com/itunes/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9964	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-6147	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9963	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9773	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9958	Trust: 0.1
url:	https://support.apple.com/ht211850.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10013	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13520	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9959	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14346	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14345	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14347	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14360	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2136	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14314	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14344	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-u	Trust: 0.1
url:	https://issues.jboss.org/):	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14356	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2479	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-23240	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-3139	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-26137	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-23239	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25659	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-36242	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-27783	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-3528	Trust: 0.1
url:	https://access.redhat.com/articles/11258	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25678	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-25678	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-28500	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-28500	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-20305	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-13949	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-28362	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.7/jaeger/jaeger_install/rhb	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-3114	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-28362	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2543	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-23336	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13949	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-23337	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-27219	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-27918	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/openshift_container_platform/	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2705	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-31525	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-3326	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-31525	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-27918	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-33196	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-33196	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-25039	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-15586	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.7/updating/updating-cluster	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-25037	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-25037	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-28935	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-25034	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-16845	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-25035	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-25038	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-21645	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-25040	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-24330	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-25042	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-25042	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-25038	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-25032	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-25041	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-25036	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-25032	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-21643	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-25215	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-24331	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-25036	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-30465	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-25035	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-21644	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2121	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-24332	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-25039	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-25040	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-25041	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2122	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-21642	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-25034	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10014	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13524	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14155	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10016	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10011	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10015	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10017	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-27894	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-27896	Trust: 0.1
url:	https://support.apple.com/ht211931.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10003	Trust: 0.1
url:	https://www.knownsec.com/)	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10009	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10004	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10008	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20838	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10002	Trust: 0.1
url:	https://www.paloaltonetworks.com/)	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10010	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10012	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10663	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10006	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10007	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9983	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9981	Trust: 0.1
url:	https://support.apple.com/kb/ht204641	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9993	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9991	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9976	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9968	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9989	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9966	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9969	Trust: 0.1
url:	https://support.apple.com/ht211844.	Trust: 0.1

CREDITS

Red Hat

Trust: 0.5

sources: PACKETSTORM: 162837 // PACKETSTORM: 163209 // PACKETSTORM: 163276 // PACKETSTORM: 163496 // PACKETSTORM: 162877

SOURCES

db:	VULHUB	id:	VHN-166212
db:	PACKETSTORM	id:	160061
db:	PACKETSTORM	id:	162837
db:	PACKETSTORM	id:	163209
db:	PACKETSTORM	id:	163276
db:	PACKETSTORM	id:	163496
db:	PACKETSTORM	id:	162877
db:	PACKETSTORM	id:	160545
db:	PACKETSTORM	id:	160064
db:	NVD	id:	CVE-2020-13434

LAST UPDATE DATE

2026-02-05T13:25:58.050000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-166212	date:	2023-01-09T00:00:00
db:	NVD	id:	CVE-2020-13434	date:	2024-11-21T05:01:15.420

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-166212	date:	2020-05-24T00:00:00
db:	PACKETSTORM	id:	160061	date:	2020-11-13T20:32:22
db:	PACKETSTORM	id:	162837	date:	2021-05-27T13:28:54
db:	PACKETSTORM	id:	163209	date:	2021-06-17T18:34:10
db:	PACKETSTORM	id:	163276	date:	2021-06-24T17:54:53
db:	PACKETSTORM	id:	163496	date:	2021-07-14T15:02:07
db:	PACKETSTORM	id:	162877	date:	2021-06-01T14:45:29
db:	PACKETSTORM	id:	160545	date:	2020-12-16T18:05:29
db:	PACKETSTORM	id:	160064	date:	2020-11-14T12:44:44
db:	NVD	id:	CVE-2020-13434	date:	2020-05-24T22:15:10.397