Details of VAR-202203-0064

ID

VAR-202203-0064

CVE

CVE-2022-22601

TITLE

Xcode Out-of-bounds read vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-008331

DESCRIPTION

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution. Xcode Exists in an out-of-bounds read vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apple Xcode is an integrated development environment provided to developers, which is mainly used to develop applications for Mac OS X and iOS. A remote attacker can exploit this vulnerability to submit a special application request, trick the user into parsing it, and cause the application to terminate unexpectedly or execute arbitrary code. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2022-03-14-7 Xcode 13.3 Xcode 13.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213189. iTMSTransporter Available for: macOS Monterey 12 and later Impact: Multiple issues in iTMSTransporter Description: Multiple issues were addressed with updating FasterXML jackson-databind and Apache Log4j2. CVE-2022-22601: hjy79425575 CVE-2022-22602: hjy79425575 CVE-2022-22603: hjy79425575 CVE-2022-22604: hjy79425575 CVE-2022-22605: hjy79425575 CVE-2022-22606: hjy79425575 CVE-2022-22607: hjy79425575 CVE-2022-22608: hjy79425575 Additional recognition iTMSTransporter We would like to acknowledge Anthony Shaw of Microsoft for their assistance. ld64 We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of Alibaba Security Pandora Lab for their assistance. Xcode IDE We would like to acknowledge an anonymous researcher for their assistance. Xcode 13.3 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "Xcode 13.3". All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmIvyxkACgkQeC9qKD1p rhgTfRAA389W9ZYj+RMeet6hyBYIeftGEUGKTwm4K5Ufo4RJTumsdRB+ivJz8Oed EFCRcyWHwnM5BZ+ufWnOf1BAijmd1SjlIUwl2zs9SyuULPMybucXKRMfnA2SYgEx ysNlljwsnS7/udREPfMQoJ2gIGYrISt0TxitZnRE9a7mD3r13KwyY3DpjnOxRavL op5AypLkovUA4ljmsLMgIjTHWt4dyDMPCJB/sRchxBDG5tzxcAZvKA/TkvCDMwiF z3yq4yN4ESXo3p9p3KD4bQmGD16dZ7TuxKuCfZpVKT1bFP8wWAHUhY3S7vJ9GDS+ 6cShJ1oIk4/3FFeo98SEgKn8wE1p15DM4DxaqVcWvPuLNpzipQlcmyuicgntZBmO 2wBZED2pfewMiMy+CeX0jDWj6m79cW3g30TYS0P5QQOcWcRme63acE4wJ31uawd2 6jZfYpnpvw6dSsouBcCcZT9sNOuV8r9l5XePJQu37UGjmZuESuLgfZdiymaQunOl f/mPe+C+KgBJ3MEEqbEoU4CqWC/pGtQtyMpepyYdiN14pDLhbhaeJ1T/XDc5O4OB qqNyHocYAm1LUBgEspbHa1EtHQlDk1i5iWGwQMMaLkenKGzlf00bU0hYPISXH8oi am4a0XUz6Y7AjY+TyRU/tuwaIiuzoUIDNELsJPm7PA+QiF370XI=cKC5 -----END PGP SIGNATURE-----

Trust: 1.89

sources: NVD: CVE-2022-22601 // JVNDB: JVNDB-2022-008331 // VULHUB: VHN-411229 // VULMON: CVE-2022-22601 // PACKETSTORM: 166313

AFFECTED PRODUCTS

vendor:	apple	model:	xcode	scope:	lt	version:	13.3	Trust: 1.0
vendor:	アップル	model:	xcode	scope:	eq	version:	-	Trust: 0.8
vendor:	アップル	model:	xcode	scope:	eq	version:	13.3	Trust: 0.8

sources: JVNDB: JVNDB-2022-008331 // NVD: CVE-2022-22601

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-22601
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-22601
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202203-1313
value:	HIGH
Trust: 0.6
VULHUB:	VHN-411229
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2022-22601
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-22601
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-411229
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-22601
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2022-22601
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-411229 // VULMON: CVE-2022-22601 // JVNDB: JVNDB-2022-008331 // CNNVD: CNNVD-202203-1313 // NVD: CVE-2022-22601

PROBLEMTYPE DATA

problemtype:	CWE-125	Trust: 1.1
problemtype:	Out-of-bounds read (CWE-125) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-411229 // JVNDB: JVNDB-2022-008331 // NVD: CVE-2022-22601

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202203-1313

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202203-1313

PATCH

title:	HT213189	url:	https://support.apple.com/en-us/HT213189	Trust: 0.8
title:	Apple Xcode Buffer error vulnerability fix	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=185809	Trust: 0.6

sources: JVNDB: JVNDB-2022-008331 // CNNVD: CNNVD-202203-1313

EXTERNAL IDS

db:	NVD	id:	CVE-2022-22601	Trust: 3.5
db:	PACKETSTORM	id:	166313	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-008331	Trust: 0.8
db:	CS-HELP	id:	SB2022031501	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-1313	Trust: 0.6
db:	CNVD	id:	CNVD-2022-23939	Trust: 0.1
db:	VULHUB	id:	VHN-411229	Trust: 0.1
db:	ICS CERT	id:	ICSA-23-012-03	Trust: 0.1
db:	VULMON	id:	CVE-2022-22601	Trust: 0.1

sources: VULHUB: VHN-411229 // VULMON: CVE-2022-22601 // JVNDB: JVNDB-2022-008331 // PACKETSTORM: 166313 // CNNVD: CNNVD-202203-1313 // NVD: CVE-2022-22601

REFERENCES

url:	https://support.apple.com/en-us/ht213189	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22601	Trust: 0.9
url:	https://www.cybersecurity-help.cz/vdb/sb2022031501	Trust: 0.6
url:	https://packetstormsecurity.com/files/166313/apple-security-advisory-2022-03-14-7.html	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-22601/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/125.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22604	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22602	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22607	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22608	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14379	Trust: 0.1
url:	https://support.apple.com/ht213189.	Trust: 0.1
url:	https://developer.apple.com/xcode/downloads/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22606	Trust: 0.1
url:	https://support.apple.com/en-us/ht201222.	Trust: 0.1
url:	https://www.apple.com/support/security/pgp/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22605	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-44228	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22603	Trust: 0.1

sources: VULHUB: VHN-411229 // VULMON: CVE-2022-22601 // JVNDB: JVNDB-2022-008331 // PACKETSTORM: 166313 // CNNVD: CNNVD-202203-1313 // NVD: CVE-2022-22601

CREDITS

Apple

Trust: 0.1

sources: PACKETSTORM: 166313

SOURCES

db:	VULHUB	id:	VHN-411229
db:	VULMON	id:	CVE-2022-22601
db:	JVNDB	id:	JVNDB-2022-008331
db:	PACKETSTORM	id:	166313
db:	CNNVD	id:	CNNVD-202203-1313
db:	NVD	id:	CVE-2022-22601

LAST UPDATE DATE

2024-08-14T12:49:17.361000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-411229	date:	2022-03-23T00:00:00
db:	VULMON	id:	CVE-2022-22601	date:	2022-03-23T00:00:00
db:	JVNDB	id:	JVNDB-2022-008331	date:	2023-07-26T06:09:00
db:	CNNVD	id:	CNNVD-202203-1313	date:	2022-03-24T00:00:00
db:	NVD	id:	CVE-2022-22601	date:	2022-03-23T14:36:22.427

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-411229	date:	2022-03-18T00:00:00
db:	VULMON	id:	CVE-2022-22601	date:	2022-03-18T00:00:00
db:	JVNDB	id:	JVNDB-2022-008331	date:	2023-07-26T00:00:00
db:	PACKETSTORM	id:	166313	date:	2022-03-15T15:45:58
db:	CNNVD	id:	CNNVD-202203-1313	date:	2022-03-14T00:00:00
db:	NVD	id:	CVE-2022-22601	date:	2022-03-18T18:15:13.093