ID

VAR-202104-0622


CVE

CVE-2021-1800


TITLE

Vulnerability in Xcode

Trust: 0.8

sources: JVNDB: JVNDB-2021-012731

DESCRIPTION

A path handling issue was addressed with improved validation. This issue is fixed in Xcode 12.4. A malicious application may be able to access arbitrary files on the host device while running an app that uses on-demand resources with Xcode. Xcode contains an unspecified vulnerability. Information may be obtained. Apple Xcode is an integrated development environment provided by Apple to developers. It is mainly used to develop applications for Mac OS X and iOS.

APPLE-SA-2021-01-26-4 Xcode 12.4

Xcode 12.4 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212153.

CVE-2021-1800: Theodore Dubois (@tbodt)

Installation note:

Xcode 12.4 may be obtained from: https://developer.apple.com/xcode/downloads/

To check that the Xcode has been updated:

* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "Xcode 12.4".

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 1.89

sources: NVD: CVE-2021-1800 // JVNDB: JVNDB-2021-012731 // VULHUB: VHN-376460 // VULMON: CVE-2021-1800 // PACKETSTORM: 161149

AFFECTED PRODUCTS

vendor: apple, model: xcode, scope: lt, version: 12.4

Trust: 1.0

vendor: Apple, model: xcode, scope: eq, version: 12.4

Trust: 0.8

vendor: Apple, model: xcode, scope: eq, version: -

Trust: 0.8

vendor: Apple, model: xcode, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-012731 // NVD: CVE-2021-1800

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-1800
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-1800
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202101-2421
value: MEDIUM

Trust: 0.6

VULHUB: VHN-376460
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-1800
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-1800
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-376460
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-1800
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-1800
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-376460 // VULMON: CVE-2021-1800 // JVNDB: JVNDB-2021-012731 // CNNVD: CNNVD-202101-2421 // NVD: CVE-2021-1800

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:Lack of information (CWE-noinfo) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-012731 // NVD: CVE-2021-1800

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202101-2421

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202101-2421

PATCH

title: HT212153 Apple Security update, url: https://support.apple.com/en-us/HT212153

Trust: 0.8

title: Apple Xcode Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=140033

Trust: 0.6

title: -, url: https://www.theregister.co.uk/2021/01/26/apple_ios_zero_days/

Trust: 0.1

sources: VULMON: CVE-2021-1800 // JVNDB: JVNDB-2021-012731 // CNNVD: CNNVD-202101-2421

EXTERNAL IDS

db: NVD, id: CVE-2021-1800

Trust: 3.5

db: PACKETSTORM, id: 161149

Trust: 0.8

db: JVNDB, id: JVNDB-2021-012731

Trust: 0.8

db: AUSCERT, id: ESB-2021.0301

Trust: 0.6

db: CNNVD, id: CNNVD-202101-2421

Trust: 0.6

db: CNVD, id: CNVD-2022-23941

Trust: 0.1

db: VULHUB, id: VHN-376460

Trust: 0.1

db: VULMON, id: CVE-2021-1800

Trust: 0.1

sources: VULHUB: VHN-376460 // VULMON: CVE-2021-1800 // JVNDB: JVNDB-2021-012731 // PACKETSTORM: 161149 // CNNVD: CNNVD-202101-2421 // NVD: CVE-2021-1800

REFERENCES

url:https://support.apple.com/en-us/ht212153

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-1800

Trust: 1.5

url:https://www.auscert.org.au/bulletins/esb-2021.0301/

Trust: 0.6

url:https://packetstormsecurity.com/files/161149/apple-security-advisory-2021-01-26-4.html

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://seclists.org/fulldisclosure/2021/jan/83

Trust: 0.1

url:https://developer.apple.com/xcode/downloads/

Trust: 0.1

url:https://support.apple.com/ht212153.

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

sources: VULHUB: VHN-376460 // VULMON: CVE-2021-1800 // JVNDB: JVNDB-2021-012731 // PACKETSTORM: 161149 // CNNVD: CNNVD-202101-2421 // NVD: CVE-2021-1800

CREDITS

Apple

Trust: 0.7

sources: PACKETSTORM: 161149 // CNNVD: CNNVD-202101-2421

SOURCES

db: VULHUB, id: VHN-376460
db: VULMON, id: CVE-2021-1800
db: JVNDB, id: JVNDB-2021-012731
db: PACKETSTORM, id: 161149
db: CNNVD, id: CNNVD-202101-2421
db: NVD, id: CVE-2021-1800

LAST UPDATE DATE

2024-08-14T15:17:17.433000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-376460, date: 2021-04-08T00:00:00
db: VULMON, id: CVE-2021-1800, date: 2021-04-08T00:00:00
db: JVNDB, id: JVNDB-2021-012731, date: 2022-09-08T01:39:00
db: CNNVD, id: CNNVD-202101-2421, date: 2021-10-29T00:00:00
db: NVD, id: CVE-2021-1800, date: 2021-04-08T17:52:07.407

SOURCES RELEASE DATE

db: VULHUB, id: VHN-376460, date: 2021-04-02T00:00:00
db: VULMON, id: CVE-2021-1800, date: 2021-04-02T00:00:00
db: JVNDB, id: JVNDB-2021-012731, date: 2022-09-08T00:00:00
db: PACKETSTORM, id: 161149, date: 2021-01-27T14:11:19
db: CNNVD, id: CNNVD-202101-2421, date: 2021-01-27T00:00:00
db: NVD, id: CVE-2021-1800, date: 2021-04-02T19:15:19.693