Details of VAR-202210-1490

ID

VAR-202210-1490

CVE

CVE-2022-32862

TITLE

apple's macOS Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-022795

DESCRIPTION

This issue was addressed with improved data protection. This issue is fixed in macOS Big Sur 11.7.1, macOS Ventura 13, macOS Monterey 12.6.1. An app with root privileges may be able to access private information. apple's macOS Exists in unspecified vulnerabilities.Information may be obtained. Apple macOS Monterey is the eighteenth major release of Apple's Macintosh desktop operating system, macOS. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2022-10-27-6 Additional information for APPLE-SA-2022-10-24-3 macOS Monterey 12.6.1 macOS Monterey 12.6.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213494. AppleMobileFileIntegrity Available for: macOS Monterey Impact: An app may be able to modify protected parts of the file system Description: This issue was addressed by removing additional entitlements. CVE-2022-42825: Mickey Jin (@patch1t) Audio Available for: macOS Monterey Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information Description: The issue was addressed with improved memory handling. CVE-2022-42798: Anonymous working with Trend Micro Zero Day Initiative Entry added October 27, 2022 Kernel Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2022-32944: Tim Michaud (@TimGMichaud) of Moveworks.ai Entry added October 27, 2022 Kernel Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved locking. CVE-2022-42803: Xinru Chi of Pangu Lab, John Aakerblom (@jaakerblom) Entry added October 27, 2022 Kernel Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved checks. CVE-2022-42801: Ian Beer of Google Project Zero Entry added October 27, 2022 ppp Available for: macOS Monterey Impact: A buffer overflow may result in arbitrary code execution Description: The issue was addressed with improved bounds checks. CVE-2022-32941: an anonymous researcher Entry added October 27, 2022 Ruby Available for: macOS Monterey Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: A memory corruption issue was addressed by updating Ruby to version 2.6.10. CVE-2022-32862: an anonymous researcher zlib Available for: macOS Monterey Impact: A user may be able to cause unexpected app termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-37434: Evgeny Legerov CVE-2022-42800: Evgeny Legerov Entry added October 27, 2022 Additional recognition Calendar We would like to acknowledge an anonymous researcher for their assistance. macOS Monterey 12.6.1 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKpgACgkQ4RjMIDke NxkmrA//QkiOI5QLiYQv5mGLd0ATWIuBRLVgzxTZY1iguC1IUlDXExGXPd9FeS/n M7kFNZ/tp1i/XgHogq6d+kyBxZSlM+Jp2TfTBr4H/3I3xzFSx4fwEqqmBYiG8XSR DXWKJCcbmYLdQGgHUcKHTMtSWsjRWJjIm88+lJMGdeQGo6NzqcsCKs0Tprf85Noq nr0YTzPAUURmZtrivSLXtpek7S4E1MhzJZZ4IXjI7FiHHzFg7KnlBkESrAamLHgz ephVZA7BsRDZtb5fh10+t7Ky42SIuy5TMd9UU4viNxd/mn6NP2N4shd95ywcrR5/ o6ywAHQxnkL3apOi0BVcwyR9PzrOxkzhZj74iEwgGu/hci1HvwHHPFUkErPqRO1f m1MAz3Q3E+0cXTmjnxZzmrqFgXRauyLaxXNyCMlQVNPw/YBKQLHiaZnbBmt00k0j f++ahogNR07V9LfcZ4YZnK3P5jN20/KNUhtouT/V9mS66lbWz+oQdiRJCVHuW2Ur UkNbgc6mBFq81t3vhWrJlv158OLogWykFzTdPUbJvJw61AKXO/BxNZjv53XL1+D1 2NqnribpyIluIZxwYIo5HVYEMKYLObhcZJDVFXR2gue9hgwEENtiY7SpwOwo+GvE kFAs/FBoLs6cCxATcYCxxuhXG7MYzkjNLPCexskSY7zncFiTHyM= =Fcqo -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2022-32862 // JVNDB: JVNDB-2022-022795 // VULHUB: VHN-424951 // PACKETSTORM: 169566 // PACKETSTORM: 169553 // PACKETSTORM: 169577 // PACKETSTORM: 169552

AFFECTED PRODUCTS

vendor:	apple	model:	macos	scope:	lt	version:	12.6.1	Trust: 1.0
vendor:	apple	model:	macos	scope:	gte	version:	12.0.0	Trust: 1.0
vendor:	apple	model:	macos	scope:	gte	version:	11.0	Trust: 1.0
vendor:	apple	model:	macos	scope:	lt	version:	11.7.1	Trust: 1.0
vendor:	アップル	model:	macos	scope:	eq	version:	11.0 that's all 11.7.1	Trust: 0.8
vendor:	アップル	model:	macos	scope:	eq	version:	12.0.0 that's all 12.6.1	Trust: 0.8
vendor:	アップル	model:	macos	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-022795 // NVD: CVE-2022-32862

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-32862
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-32862
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202210-1671
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2022-32862
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2022-32862
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-022795 // CNNVD: CNNVD-202210-1671 // NVD: CVE-2022-32862

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Lack of information (CWE-noinfo) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-022795 // NVD: CVE-2022-32862

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202210-1671

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202210-1671

PATCH

title:	HT213493 Apple Security update	url:	https://support.apple.com/en-us/HT213488	Trust: 0.8
title:	Apple macOS Monterey Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=212496	Trust: 0.6

sources: JVNDB: JVNDB-2022-022795 // CNNVD: CNNVD-202210-1671

EXTERNAL IDS

db:	NVD	id:	CVE-2022-32862	Trust: 3.7
db:	PACKETSTORM	id:	169577	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-022795	Trust: 0.8
db:	CNNVD	id:	CNNVD-202210-1671	Trust: 0.7
db:	AUSCERT	id:	ESB-2022.5301	Trust: 0.6
db:	PACKETSTORM	id:	169553	Trust: 0.2
db:	PACKETSTORM	id:	169552	Trust: 0.2
db:	PACKETSTORM	id:	169566	Trust: 0.2
db:	VULHUB	id:	VHN-424951	Trust: 0.1

sources: VULHUB: VHN-424951 // JVNDB: JVNDB-2022-022795 // PACKETSTORM: 169566 // PACKETSTORM: 169553 // PACKETSTORM: 169577 // PACKETSTORM: 169552 // CNNVD: CNNVD-202210-1671 // NVD: CVE-2022-32862

REFERENCES

url:	https://support.apple.com/en-us/ht213494	Trust: 2.3
url:	https://support.apple.com/en-us/ht213488	Trust: 1.7
url:	https://support.apple.com/en-us/ht213493	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2022-32862	Trust: 1.2
url:	https://vigilance.fr/vulnerability/apple-macos-information-disclosure-via-sandbox-39703	Trust: 0.6
url:	https://packetstormsecurity.com/files/169577/apple-security-advisory-2022-10-27-8.html	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-32862/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.5301	Trust: 0.6
url:	https://support.apple.com/en-us/ht201222.	Trust: 0.4
url:	https://support.apple.com/downloads/	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42825	Trust: 0.4
url:	https://www.apple.com/support/security/pgp/	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-28739	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42798	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-37434	Trust: 0.2
url:	https://support.apple.com/ht213494.	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-32944	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42800	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-32941	Trust: 0.2
url:	https://support.apple.com/ht213493.	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42801	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42803	Trust: 0.1

CREDITS

Apple

Trust: 0.4

sources: PACKETSTORM: 169566 // PACKETSTORM: 169553 // PACKETSTORM: 169577 // PACKETSTORM: 169552

SOURCES

db:	VULHUB	id:	VHN-424951
db:	JVNDB	id:	JVNDB-2022-022795
db:	PACKETSTORM	id:	169566
db:	PACKETSTORM	id:	169553
db:	PACKETSTORM	id:	169577
db:	PACKETSTORM	id:	169552
db:	CNNVD	id:	CNNVD-202210-1671
db:	NVD	id:	CVE-2022-32862

LAST UPDATE DATE

2024-08-14T12:22:15.496000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-424951	date:	2022-11-03T00:00:00
db:	JVNDB	id:	JVNDB-2022-022795	date:	2023-11-21T01:00:00
db:	CNNVD	id:	CNNVD-202210-1671	date:	2022-11-04T00:00:00
db:	NVD	id:	CVE-2022-32862	date:	2022-11-03T13:06:59.323

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-424951	date:	2022-11-01T00:00:00
db:	JVNDB	id:	JVNDB-2022-022795	date:	2023-11-21T00:00:00
db:	PACKETSTORM	id:	169566	date:	2022-10-31T14:25:29
db:	PACKETSTORM	id:	169553	date:	2022-10-31T14:19:37
db:	PACKETSTORM	id:	169577	date:	2022-10-31T14:43:13
db:	PACKETSTORM	id:	169552	date:	2022-10-31T14:19:21
db:	CNNVD	id:	CNNVD-202210-1671	date:	2022-10-24T00:00:00
db:	NVD	id:	CVE-2022-32862	date:	2022-11-01T20:15:18.093