Details of VAR-202203-1362

ID

VAR-202203-1362

CVE

CVE-2022-22657

TITLE

plural Apple Product initialization vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-008433

DESCRIPTION

A memory initialization issue was addressed with improved memory handling. This issue is fixed in Logic Pro 10.7.3, GarageBand 10.4.6, macOS Monterey 12.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution. (DoS) It may be in a state. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2022-03-14-8 Logic Pro X 10.7.3 Logic Pro X 10.7.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213190. You can encrypt communications with Apple using the Apple Product Security PGP Key. Apple security documents reference vulnerabilities by CVE-ID when possible. CVE-2022-22664: Brandon Perry of Atredis Partners All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmIv0K0ACgkQeC9qKD1p rhiYtRAAlDDCvQcngppXAoN6wi9/LHijQ2wag0a4XBnuWSN5TjGw+8KB6/rhm9vB JCA/sTxqmYJYOyNXkMSNPhMSYWB496pE6IsBFCVzskVQNH2olVhzeOePtrNh9Dlt vzGcZc9h/NftwneTOYL1k3ODOzaM2gCOOMy39sEUuhRVCi5Q3qaHhY6u82allZrj Vyl5v/WsVrHGGCCmv4vuX/l+jZCM6XyY8VzpCbi8hu7mHFPfqjr6+/fX908fODLO JL7FmD8L32XGar4suiYZ6vBt4naFIN9blOyECRVLj050nD6O5GlVON8xQEH9Y1OA A4pq2R42VgXNZwqCK8ucby8CwkGZEu04O5zKZ7d6801RKzlCvWl0s9dGvxLpOrqV rlTneI/dce09H6a4Gqq1y2fNE0p9GhRlW4YEg7wWhp9+C8LhRkfk9VNm+UM7X3/+ vAxqO7O8MIDVGZeSqD2SJiDkcJNYl6kltrb9Jh7Ul+GBX2Sk0csZ3LTot0tU5oQR Kg12ldpt/62oH8u9nDCoSFD0uwv3OBDX3RdjkoRDMzzVa8coCM/3ddMjKkB/S2zn /TpIOwHbPBkKfcH6CpLHVEw24sEPjUFORWhuOL8eSD/7qBWtM9a2rMKdDabVrwmN YCdKSBwEzCp0C3MY1qbATNYULN4kTzaylZHF0BVfosnmuc7NOaw=SgpZ -----END PGP SIGNATURE-----

Trust: 1.98

sources: NVD: CVE-2022-22657 // JVNDB: JVNDB-2022-008433 // VULHUB: VHN-411285 // VULMON: CVE-2022-22657 // PACKETSTORM: 166310 // PACKETSTORM: 166311

AFFECTED PRODUCTS

vendor:	apple	model:	garageband	scope:	lt	version:	10.4.6	Trust: 1.0
vendor:	apple	model:	macos	scope:	lt	version:	12.3	Trust: 1.0
vendor:	apple	model:	logic pro x	scope:	lt	version:	10.7.3	Trust: 1.0
vendor:	アップル	model:	logic pro x	scope:	-	version:	-	Trust: 0.8
vendor:	アップル	model:	macos	scope:	eq	version:	12.3	Trust: 0.8
vendor:	アップル	model:	garageband	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-008433 // NVD: CVE-2022-22657

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-22657
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-22657
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202203-1251
value:	HIGH
Trust: 0.6
VULHUB:	VHN-411285
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2022-22657
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-22657
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-411285
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-22657
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2022-22657
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-411285 // VULMON: CVE-2022-22657 // JVNDB: JVNDB-2022-008433 // CNNVD: CNNVD-202203-1251 // NVD: CVE-2022-22657

PROBLEMTYPE DATA

problemtype:	CWE-665	Trust: 1.1
problemtype:	Improper initialization (CWE-665) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-411285 // JVNDB: JVNDB-2022-008433 // NVD: CVE-2022-22657

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202203-1251

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202203-1251

PATCH

title:	HT213191	url:	https://support.apple.com/en-us/HT213183	Trust: 0.8
title:	Apple macOS Monterey Buffer error vulnerability fix	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=185753	Trust: 0.6
title:	Apple: macOS Monterey 12.3	url:	https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=f1105c4a20da11497b610b14a1668180	Trust: 0.1
title:	https://github.com/brandonprry/apple_midi	url:	https://github.com/brandonprry/apple_midi	Trust: 0.1
title:	About Me I’m currently looking for work! About this Page Current Employment / Main Projects Publications / Public Work Education Information / Courses Past Employment / Internships / Works / Projects Competition Participation Current Organizations Past Organizations Events Credits	url:	https://github.com/koronkowy/koronkowy	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: VULMON: CVE-2022-22657 // JVNDB: JVNDB-2022-008433 // CNNVD: CNNVD-202203-1251

EXTERNAL IDS

db:	NVD	id:	CVE-2022-22657	Trust: 3.6
db:	PACKETSTORM	id:	166311	Trust: 0.8
db:	PACKETSTORM	id:	166310	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-008433	Trust: 0.8
db:	CS-HELP	id:	SB2022031441	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-1251	Trust: 0.6
db:	VULHUB	id:	VHN-411285	Trust: 0.1
db:	VULMON	id:	CVE-2022-22657	Trust: 0.1

sources: VULHUB: VHN-411285 // VULMON: CVE-2022-22657 // JVNDB: JVNDB-2022-008433 // PACKETSTORM: 166310 // PACKETSTORM: 166311 // CNNVD: CNNVD-202203-1251 // NVD: CVE-2022-22657

REFERENCES

url:	https://support.apple.com/en-us/ht213183	Trust: 2.4
url:	https://support.apple.com/en-us/ht213190	Trust: 2.4
url:	https://support.apple.com/en-us/ht213191	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22657	Trust: 1.0
url:	https://packetstormsecurity.com/files/166310/apple-security-advisory-2022-03-14-8.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022031441	Trust: 0.6
url:	https://vigilance.fr/vulnerability/apple-ios-macos-multiple-vulnerabilities-37800	Trust: 0.6
url:	https://packetstormsecurity.com/files/166311/apple-security-advisory-2022-03-14-9.html	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-22657/	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22664	Trust: 0.2
url:	https://support.apple.com/en-us/ht201222.	Trust: 0.2
url:	https://www.apple.com/support/security/pgp/	Trust: 0.2
url:	https://cwe.mitre.org/data/definitions/665.html	Trust: 0.1
url:	https://github.com/brandonprry/apple_midi	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/koronkowy/koronkowy	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1
url:	https://support.apple.com/kb/ht213183	Trust: 0.1
url:	https://support.apple.com/ht213190.	Trust: 0.1
url:	https://support.apple.com/ht213191.	Trust: 0.1

CREDITS

Apple

Trust: 0.2

sources: PACKETSTORM: 166310 // PACKETSTORM: 166311

SOURCES

db:	VULHUB	id:	VHN-411285
db:	VULMON	id:	CVE-2022-22657
db:	JVNDB	id:	JVNDB-2022-008433
db:	PACKETSTORM	id:	166310
db:	PACKETSTORM	id:	166311
db:	CNNVD	id:	CNNVD-202203-1251
db:	NVD	id:	CVE-2022-22657

LAST UPDATE DATE

2024-08-14T14:10:54.072000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-411285	date:	2022-03-25T00:00:00
db:	VULMON	id:	CVE-2022-22657	date:	2022-03-25T00:00:00
db:	JVNDB	id:	JVNDB-2022-008433	date:	2023-07-27T01:50:00
db:	CNNVD	id:	CNNVD-202203-1251	date:	2022-12-09T00:00:00
db:	NVD	id:	CVE-2022-22657	date:	2022-03-25T20:05:26.803

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-411285	date:	2022-03-18T00:00:00
db:	VULMON	id:	CVE-2022-22657	date:	2022-03-18T00:00:00
db:	JVNDB	id:	JVNDB-2022-008433	date:	2023-07-27T00:00:00
db:	PACKETSTORM	id:	166310	date:	2022-03-15T15:44:52
db:	PACKETSTORM	id:	166311	date:	2022-03-15T15:45:07
db:	CNNVD	id:	CNNVD-202203-1251	date:	2022-03-14T00:00:00
db:	NVD	id:	CVE-2022-22657	date:	2022-03-18T18:15:14.917