Details of VAR-202010-1273

ID

VAR-202010-1273

CVE

CVE-2020-9871

TITLE

plural Apple Out-of-bounds write vulnerabilities in the product

Trust: 0.8

sources: JVNDB: JVNDB-2020-010563

DESCRIPTION

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution. plural Apple The product is vulnerable to out-of-bounds writes due to a flawed boundary check.Arbitrary code can be executed by processing maliciously created images. Apple iOS, etc. are all products of Apple (Apple). Apple iOS is an operating system developed for mobile devices. Apple iPadOS is an operating system for iPad tablets. Apple macOS Catalina is a dedicated operating system developed for Mac computers. ImageIO is one of the components that reads and writes image data. A security vulnerability exists in the ImageIO component of several Apple products. The following products and versions are affected: Apple iOS prior to 13.6; iPadOS prior to 13.6; macOS Catalina prior to 10.15.6; Windows-based iTunes prior to 12.10.8. Apple iTunes for Windows could allow a remote malicious user to execute arbitrary code on the system, caused by an out-of-bounds write in the ImageIO component

Trust: 1.8

sources: NVD: CVE-2020-9871 // JVNDB: JVNDB-2020-010563 // VULHUB: VHN-187996 // VULMON: CVE-2020-9871

AFFECTED PRODUCTS

vendor:	apple	model:	icloud	scope:	lt	version:	11.3	Trust: 1.0
vendor:	apple	model:	icloud	scope:	lt	version:	7.20	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	lt	version:	10.15.6	Trust: 1.0
vendor:	apple	model:	itunes	scope:	lt	version:	12.10.8	Trust: 1.0
vendor:	apple	model:	icloud	scope:	gte	version:	10.0	Trust: 1.0
vendor:	apple	model:	tvos	scope:	lt	version:	13.4.8	Trust: 1.0
vendor:	apple	model:	watchos	scope:	lt	version:	6.2.8	Trust: 1.0
vendor:	apple	model:	iphone os	scope:	lt	version:	13.6	Trust: 1.0
vendor:	apple	model:	ipados	scope:	lt	version:	13.6	Trust: 1.0
vendor:	apple	model:	icloud	scope:	eq	version:	7.20 未満 (windows 7 以降)	Trust: 0.8
vendor:	apple	model:	ios	scope:	eq	version:	13.6 未満 (iphone 6s 以降)	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	10.15.5	Trust: 0.8
vendor:	apple	model:	ipados	scope:	eq	version:	13.6 未満 (ipad mini 4 以降)	Trust: 0.8
vendor:	apple	model:	watchos	scope:	eq	version:	6.2.8 未満 (apple watch series 1 以降)	Trust: 0.8
vendor:	apple	model:	icloud	scope:	eq	version:	11.3 未満 (microsoft store から入手した windows 10 以降)	Trust: 0.8
vendor:	apple	model:	ios	scope:	eq	version:	13.6 未満 (ipod touch 第 7 世代)	Trust: 0.8
vendor:	apple	model:	tvos	scope:	eq	version:	13.4.8 未満 (apple tv hd)	Trust: 0.8
vendor:	apple	model:	ipados	scope:	eq	version:	13.6 未満 (ipad air 2 以降)	Trust: 0.8
vendor:	apple	model:	tvos	scope:	eq	version:	13.4.8 未満 (apple tv 4k)	Trust: 0.8
vendor:	apple	model:	itunes	scope:	eq	version:	for windows 12.10.8 未満 (windows 7 以降)	Trust: 0.8

sources: JVNDB: JVNDB-2020-010563 // NVD: CVE-2020-9871

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-9871
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2020-010563
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202007-1792
value:	HIGH
Trust: 0.6
VULHUB:	VHN-187996
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2020-9871
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-9871
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	JVNDB-2020-010563
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-187996
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-9871
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-010563
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-187996 // VULMON: CVE-2020-9871 // JVNDB: JVNDB-2020-010563 // CNNVD: CNNVD-202007-1792 // NVD: CVE-2020-9871

PROBLEMTYPE DATA

problemtype:

CWE-787

Trust: 1.9

sources: VULHUB: VHN-187996 // JVNDB: JVNDB-2020-010563 // NVD: CVE-2020-9871

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202007-1792

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202007-1792

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-010563

PATCH

title:	HT211291	url:	https://support.apple.com/en-us/HT211291	Trust: 0.8
title:	HT211293	url:	https://support.apple.com/en-us/HT211293	Trust: 0.8
title:	HT211294	url:	https://support.apple.com/en-us/HT211294	Trust: 0.8
title:	HT211295	url:	https://support.apple.com/en-us/HT211295	Trust: 0.8
title:	HT211288	url:	https://support.apple.com/en-us/HT211288	Trust: 0.8
title:	HT211289	url:	https://support.apple.com/en-us/HT211289	Trust: 0.8
title:	HT211290	url:	https://support.apple.com/en-us/HT211290	Trust: 0.8
title:	HT211293	url:	https://support.apple.com/ja-jp/HT211293	Trust: 0.8
title:	HT211294	url:	https://support.apple.com/ja-jp/HT211294	Trust: 0.8
title:	HT211295	url:	https://support.apple.com/ja-jp/HT211295	Trust: 0.8
title:	HT211288	url:	https://support.apple.com/ja-jp/HT211288	Trust: 0.8
title:	HT211289	url:	https://support.apple.com/ja-jp/HT211289	Trust: 0.8
title:	HT211290	url:	https://support.apple.com/ja-jp/HT211290	Trust: 0.8
title:	HT211291	url:	https://support.apple.com/ja-jp/HT211291	Trust: 0.8
title:	Multiple Apple product ImageIO Fixes for component security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=125958	Trust: 0.6
title:	Apple: iCloud for Windows 7.20	url:	https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=50e6b35a047c9702f4cdebdf81483b05	Trust: 0.1
title:	Apple: iCloud for Windows 11.3	url:	https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=947a08401ec7e5f309d5ae26f5006f48	Trust: 0.1

sources: VULMON: CVE-2020-9871 // JVNDB: JVNDB-2020-010563 // CNNVD: CNNVD-202007-1792

EXTERNAL IDS

db:	NVD	id:	CVE-2020-9871	Trust: 2.6
db:	JVN	id:	JVNVU95491800	Trust: 0.8
db:	JVN	id:	JVNVU94090210	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-010563	Trust: 0.8
db:	CNNVD	id:	CNNVD-202007-1792	Trust: 0.7
db:	NSFOCUS	id:	49998	Trust: 0.6
db:	CNVD	id:	CNVD-2020-49298	Trust: 0.1
db:	VULHUB	id:	VHN-187996	Trust: 0.1
db:	VULMON	id:	CVE-2020-9871	Trust: 0.1

sources: VULHUB: VHN-187996 // VULMON: CVE-2020-9871 // JVNDB: JVNDB-2020-010563 // CNNVD: CNNVD-202007-1792 // NVD: CVE-2020-9871

REFERENCES

url:	https://support.apple.com/kb/ht211293	Trust: 2.4
url:	https://support.apple.com/kb/ht211294	Trust: 2.4
url:	https://support.apple.com/kb/ht211288	Trust: 1.8
url:	https://support.apple.com/kb/ht211289	Trust: 1.8
url:	https://support.apple.com/kb/ht211290	Trust: 1.8
url:	https://support.apple.com/kb/ht211291	Trust: 1.8
url:	https://support.apple.com/kb/ht211295	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9871	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9871	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu94090210/index.html	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu95491800/index.html	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/49998	Trust: 0.6
url:	https://support.apple.com/en-us/ht211291	Trust: 0.6
url:	https://support.apple.com/en-us/ht211295	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/787.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/186163	Trust: 0.1

sources: VULHUB: VHN-187996 // VULMON: CVE-2020-9871 // JVNDB: JVNDB-2020-010563 // CNNVD: CNNVD-202007-1792 // NVD: CVE-2020-9871

CREDITS

Xingwei Lin of Ant-financial Light-Year Security Lab

Trust: 0.6

sources: CNNVD: CNNVD-202007-1792

SOURCES

db:	VULHUB	id:	VHN-187996
db:	VULMON	id:	CVE-2020-9871
db:	JVNDB	id:	JVNDB-2020-010563
db:	CNNVD	id:	CNNVD-202007-1792
db:	NVD	id:	CVE-2020-9871

LAST UPDATE DATE

2024-08-14T12:39:18.558000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-187996	date:	2023-01-09T00:00:00
db:	VULMON	id:	CVE-2020-9871	date:	2020-10-27T00:00:00
db:	JVNDB	id:	JVNDB-2020-010563	date:	2021-01-27T05:46:59
db:	CNNVD	id:	CNNVD-202007-1792	date:	2023-01-10T00:00:00
db:	NVD	id:	CVE-2020-9871	date:	2023-01-09T16:41:59.350

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-187996	date:	2020-10-22T00:00:00
db:	VULMON	id:	CVE-2020-9871	date:	2020-10-22T00:00:00
db:	JVNDB	id:	JVNDB-2020-010563	date:	2021-01-27T05:46:59
db:	CNNVD	id:	CNNVD-202007-1792	date:	2020-07-30T00:00:00
db:	NVD	id:	CVE-2020-9871	date:	2020-10-22T18:15:14.207