ID

VAR-202010-1276


CVE

CVE-2020-9874


TITLE

plural Apple Out-of-bounds write vulnerabilities in the product

Trust: 0.8

sources: JVNDB: JVNDB-2020-010566

DESCRIPTION

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution. plural Apple The product is vulnerable to out-of-bounds writes due to a flawed boundary check.Arbitrary code can be executed by processing maliciously created images. Apple iTunes for Windows is a media player application program based on Windows platform of Apple (Apple). ImageIO is one of the components that reads and writes image data. A security vulnerability exists in the ImageIO component of Windows-based Apple iTunes versions prior to 12.10.8. Apple iTunes for Windows could allow a remote malicious user to execute arbitrary code on the system, caused by an out-of-bounds write in the ImageIO component

Trust: 1.8

sources: NVD: CVE-2020-9874 // JVNDB: JVNDB-2020-010566 // VULHUB: VHN-187999 // VULMON: CVE-2020-9874

AFFECTED PRODUCTS

vendor:applemodel:itunesscope:ltversion:12.10.8

Trust: 1.0

vendor:applemodel:icloudscope:ltversion:7.20

Trust: 1.0

vendor:applemodel:tvosscope:ltversion:13.4.8

Trust: 1.0

vendor:applemodel:mac os xscope:ltversion:10.15.6

Trust: 1.0

vendor:applemodel:icloudscope:gteversion:10.0

Trust: 1.0

vendor:applemodel:watchosscope:ltversion:6.2.8

Trust: 1.0

vendor:applemodel:icloudscope:ltversion:11.3

Trust: 1.0

vendor:applemodel:iphone osscope:ltversion:13.6

Trust: 1.0

vendor:applemodel:ipadosscope:ltversion:13.6

Trust: 1.0

vendor:applemodel:icloudscope:eqversion:7.20 未満 (windows 7 以降)

Trust: 0.8

vendor:applemodel:iosscope:eqversion:13.6 未満 (iphone 6s 以降)

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.15.5

Trust: 0.8

vendor:applemodel:ipadosscope:eqversion:13.6 未満 (ipad mini 4 以降)

Trust: 0.8

vendor:applemodel:watchosscope:eqversion:6.2.8 未満 (apple watch series 1 以降)

Trust: 0.8

vendor:applemodel:icloudscope:eqversion:11.3 未満 (microsoft store から入手した windows 10 以降)

Trust: 0.8

vendor:applemodel:iosscope:eqversion:13.6 未満 (ipod touch 第 7 世代)

Trust: 0.8

vendor:applemodel:tvosscope:eqversion:13.4.8 未満 (apple tv hd)

Trust: 0.8

vendor:applemodel:ipadosscope:eqversion:13.6 未満 (ipad air 2 以降)

Trust: 0.8

vendor:applemodel:tvosscope:eqversion:13.4.8 未満 (apple tv 4k)

Trust: 0.8

vendor:applemodel:itunesscope:eqversion:for windows 12.10.8 未満 (windows 7 以降)

Trust: 0.8

sources: JVNDB: JVNDB-2020-010566 // NVD: CVE-2020-9874

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-9874
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-010566
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202007-1784
value: HIGH

Trust: 0.6

VULHUB: VHN-187999
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-9874
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-9874
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-010566
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-187999
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-9874
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-010566
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-187999 // VULMON: CVE-2020-9874 // JVNDB: JVNDB-2020-010566 // CNNVD: CNNVD-202007-1784 // NVD: CVE-2020-9874

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.9

sources: VULHUB: VHN-187999 // JVNDB: JVNDB-2020-010566 // NVD: CVE-2020-9874

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202007-1784

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202007-1784

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-010566

PATCH

title:HT211291url:https://support.apple.com/en-us/HT211291

Trust: 0.8

title:HT211293url:https://support.apple.com/en-us/HT211293

Trust: 0.8

title:HT211294url:https://support.apple.com/en-us/HT211294

Trust: 0.8

title:HT211295url:https://support.apple.com/en-us/HT211295

Trust: 0.8

title:HT211288url:https://support.apple.com/en-us/HT211288

Trust: 0.8

title:HT211289url:https://support.apple.com/en-us/HT211289

Trust: 0.8

title:HT211290url:https://support.apple.com/en-us/HT211290

Trust: 0.8

title:HT211293url:https://support.apple.com/ja-jp/HT211293

Trust: 0.8

title:HT211294url:https://support.apple.com/ja-jp/HT211294

Trust: 0.8

title:HT211295url:https://support.apple.com/ja-jp/HT211295

Trust: 0.8

title:HT211288url:https://support.apple.com/ja-jp/HT211288

Trust: 0.8

title:HT211289url:https://support.apple.com/ja-jp/HT211289

Trust: 0.8

title:HT211290url:https://support.apple.com/ja-jp/HT211290

Trust: 0.8

title:HT211291url:https://support.apple.com/ja-jp/HT211291

Trust: 0.8

title:Apple iTunes for Windows ImageIO Fixes for component security vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=125956

Trust: 0.6

title:Apple: iCloud for Windows 7.20url:https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=50e6b35a047c9702f4cdebdf81483b05

Trust: 0.1

title:Apple: iCloud for Windows 11.3url:https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=947a08401ec7e5f309d5ae26f5006f48

Trust: 0.1

sources: VULMON: CVE-2020-9874 // JVNDB: JVNDB-2020-010566 // CNNVD: CNNVD-202007-1784

EXTERNAL IDS

db:NVDid:CVE-2020-9874

Trust: 2.6

db:JVNid:JVNVU95491800

Trust: 0.8

db:JVNid:JVNVU94090210

Trust: 0.8

db:JVNDBid:JVNDB-2020-010566

Trust: 0.8

db:CNNVDid:CNNVD-202007-1784

Trust: 0.7

db:NSFOCUSid:49995

Trust: 0.6

db:CNVDid:CNVD-2020-51493

Trust: 0.1

db:VULHUBid:VHN-187999

Trust: 0.1

db:VULMONid:CVE-2020-9874

Trust: 0.1

sources: VULHUB: VHN-187999 // VULMON: CVE-2020-9874 // JVNDB: JVNDB-2020-010566 // CNNVD: CNNVD-202007-1784 // NVD: CVE-2020-9874

REFERENCES

url:https://support.apple.com/kb/ht211293

Trust: 2.4

url:https://support.apple.com/kb/ht211294

Trust: 2.4

url:https://support.apple.com/kb/ht211288

Trust: 1.8

url:https://support.apple.com/kb/ht211289

Trust: 1.8

url:https://support.apple.com/kb/ht211290

Trust: 1.8

url:https://support.apple.com/kb/ht211291

Trust: 1.8

url:https://support.apple.com/kb/ht211295

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-9874

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9874

Trust: 0.8

url:http://jvn.jp/vu/jvnvu94090210/index.html

Trust: 0.8

url:http://jvn.jp/vu/jvnvu95491800/index.html

Trust: 0.8

url:https://support.apple.com/en-us/ht211291

Trust: 0.6

url:https://support.apple.com/en-us/ht211295

Trust: 0.6

url:http://www.nsfocus.net/vulndb/49995

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/787.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/186160

Trust: 0.1

sources: VULHUB: VHN-187999 // VULMON: CVE-2020-9874 // JVNDB: JVNDB-2020-010566 // CNNVD: CNNVD-202007-1784 // NVD: CVE-2020-9874

CREDITS

Xingwei Lin of Ant-financial Light-Year Security Lab

Trust: 0.6

sources: CNNVD: CNNVD-202007-1784

SOURCES

db:VULHUBid:VHN-187999
db:VULMONid:CVE-2020-9874
db:JVNDBid:JVNDB-2020-010566
db:CNNVDid:CNNVD-202007-1784
db:NVDid:CVE-2020-9874

LAST UPDATE DATE

2024-11-23T20:32:51.580000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-187999date:2023-01-09T00:00:00
db:VULMONid:CVE-2020-9874date:2020-10-27T00:00:00
db:JVNDBid:JVNDB-2020-010566date:2021-01-27T05:47:04
db:CNNVDid:CNNVD-202007-1784date:2023-01-10T00:00:00
db:NVDid:CVE-2020-9874date:2024-11-21T05:41:26.933

SOURCES RELEASE DATE

db:VULHUBid:VHN-187999date:2020-10-22T00:00:00
db:VULMONid:CVE-2020-9874date:2020-10-22T00:00:00
db:JVNDBid:JVNDB-2020-010566date:2021-01-27T05:47:04
db:CNNVDid:CNNVD-202007-1784date:2020-07-30T00:00:00
db:NVDid:CVE-2020-9874date:2020-10-22T18:15:14.533