ID

VAR-202211-0020


CVE

CVE-2022-42797


TITLE

Injection vulnerability in Apple's Xcode

Trust: 0.8

sources: JVNDB: JVNDB-2022-020125

DESCRIPTION

An injection issue was addressed with improved input validation. This issue is fixed in Xcode 14.1. An app may be able to gain root privileges. There is an injection vulnerability in Apple's Xcode. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2022-11-01-1 Xcode 14.1

Xcode 14.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213496.

Git
Available for: macOS Monterey 12.5 and later
Impact: Multiple issues in git
Description: Multiple issues were addressed by updating to git version 2.32.3.
CVE-2022-29187: Carlo Marcelo Arenas Belón and Johannes Schindelin

Git
Available for: macOS Monterey 12.5 and later
Impact: Cloning a malicious repository may result in the disclosure of sensitive information
Description: This issue was addressed with improved checks.
CVE-2022-39253: Cory Snider of Mirantis

Git
Available for: macOS Monterey 12.5 and later
Impact: A remote user may cause an unexpected app termination or arbitrary code execution if git shell is allowed as a login shell
Description: This issue was addressed with improved checks.
CVE-2022-39260: Kevin Backhouse of the GitHub Security Lab

IDE Xcode Server
Available for: macOS Monterey 12.5 and later
Impact: An app may be able to gain root privileges
Description: An injection issue was addressed with improved input validation.
CVE-2022-42797: Tim Michaud (@TimGMichaud) of Moveworks.ai

Xcode 14.1 may be obtained from: https://developer.apple.com/xcode/downloads/

To check that Xcode has been updated:
* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "Xcode 14.1".

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNhY28ACgkQ4RjMIDke
NxkOOA/7BZu2PQGUMUbfn1Xz1WKUpJou+FUuBfDYlicI3H+ESpTzAcptcpEU8tuF
Iz9tG9ROTFkf/XHUm/+MX+Xmpet4hjkq0K5oySFGnhBqa8vPJBsGdT1y48ZT57zg
r3HQHgOlik+94Y1V/r2rxn8UEKLlRgS9zjqgjzUBs34OTxLuvRGWQIJD92Vh6qoH
oFf4/D5lvU5QEVm0SXhZFq2vD9GevxNDSv9PXm6V9ZYjuZ7RWVI9FMAUVo2K6EiA
jnZ7OIWW68e2DtkEBouyb3E7x/GOWvNBKKevuflD5WDPpw2y/MCi1nsX/TW0FMrB
iYaiS5y/wk8gWMXB9ADi1SMmN1bhBiHUJ/c0G8NJtGuc7oRUA1SerC/cdP5aQMcF
1JRSm30h3mK/V2r0lYDPsP+0bkg4ibNuTpJfZC2nzPffUZlRbgmVKSFqj+bYqQUi
WuZSEvNPOZHmLl9HzzilTSplQ9YzViqOPj9pn38W5LcKoStByS0yvuB1k91+szdY
pZQPWt+M1cvPIkpIjpq5BKa1lMYjkkRTLWUPrqjCkerOF9uI8YLIlJ+rEms2jtvv
eOWMU3d4H9/5xKYuuM3CvKenBYb+MCesN2DhppVlbGHxvlOUAMRjRtLc41tY96G+
BrZdYFXbjW9dMuWcO/IPIR17UAXpVN4IZasbNEfjQZsOZ9n+61Y=
=rHwp
-----END PGP SIGNATURE-----

Trust: 1.89

sources: NVD: CVE-2022-42797 // JVNDB: JVNDB-2022-020125 // VULHUB: VHN-439578 // VULMON: CVE-2022-42797 // PACKETSTORM: 169735

AFFECTED PRODUCTS

vendor: apple
model: xcode
scope: lt
version: 14.1

Trust: 1.0

vendor: Apple
model: xcode
scope: eq
version: -

Trust: 0.8

vendor: Apple
model: xcode
scope: eq
version: 14.1

Trust: 0.8

sources: JVNDB: JVNDB-2022-020125 // NVD: CVE-2022-42797

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-42797
value: HIGH

Trust: 1.0

NVD: CVE-2022-42797
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202211-1892
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-42797
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-42797
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-020125 // CNNVD: CNNVD-202211-1892 // NVD: CVE-2022-42797

PROBLEMTYPE DATA

problemtype: CWE-74

Trust: 1.1

problemtype: injection (CWE-74) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-439578 // JVNDB: JVNDB-2022-020125 // NVD: CVE-2022-42797

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202211-1892

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-202211-1892

PATCH

title: HT213496 Apple Security update
url: https://support.apple.com/en-us/HT213496

Trust: 0.8

title: Apple Xcode injection vulnerability remediation measures
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=228032

Trust: 0.6

sources: JVNDB: JVNDB-2022-020125 // CNNVD: CNNVD-202211-1892

EXTERNAL IDS

db: NVD  id: CVE-2022-42797

Trust: 3.5

db: JVNDB  id: JVNDB-2022-020125

Trust: 0.8

db: PACKETSTORM  id: 169735

Trust: 0.7

db: AUSCERT  id: ESB-2022.5479

Trust: 0.6

db: CNNVD  id: CNNVD-202211-1892

Trust: 0.6

db: VULHUB  id: VHN-439578

Trust: 0.1

db: VULMON  id: CVE-2022-42797

Trust: 0.1

sources: VULHUB: VHN-439578 // VULMON: CVE-2022-42797 // JVNDB: JVNDB-2022-020125 // PACKETSTORM: 169735 // CNNVD: CNNVD-202211-1892 // NVD: CVE-2022-42797

REFERENCES

url: https://support.apple.com/en-us/ht213496

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2022-42797

Trust: 0.9

url: https://cxsecurity.com/cveshow/cve-2022-42797/

Trust: 0.6

url: https://packetstormsecurity.com/files/169735/apple-security-advisory-2022-11-01-1.html

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2022.5479

Trust: 0.6

url: https://nvd.nist.gov

Trust: 0.1

url: https://developer.apple.com/xcode/downloads/

Trust: 0.1

url: https://support.apple.com/en-us/ht201222

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2022-39260

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2022-29187

Trust: 0.1

url: https://www.apple.com/support/security/pgp/

Trust: 0.1

url: https://support.apple.com/ht213496

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2022-39253

Trust: 0.1

sources: VULHUB: VHN-439578 // VULMON: CVE-2022-42797 // JVNDB: JVNDB-2022-020125 // PACKETSTORM: 169735 // CNNVD: CNNVD-202211-1892 // NVD: CVE-2022-42797

CREDITS

Apple

Trust: 0.1

sources: PACKETSTORM: 169735

SOURCES

db: VULHUB  id: VHN-439578
db: VULMON  id: CVE-2022-42797
db: JVNDB  id: JVNDB-2022-020125
db: PACKETSTORM  id: 169735
db: CNNVD  id: CNNVD-202211-1892
db: NVD  id: CVE-2022-42797

LAST UPDATE DATE

2024-08-14T12:39:44.501000+00:00


SOURCES UPDATE DATE

db: VULHUB  id: VHN-439578  date: 2023-03-07T00:00:00
db: VULMON  id: CVE-2022-42797  date: 2023-02-27T00:00:00
db: JVNDB  id: JVNDB-2022-020125  date: 2023-10-31T07:24:00
db: CNNVD  id: CNNVD-202211-1892  date: 2023-03-08T00:00:00
db: NVD  id: CVE-2022-42797  date: 2023-03-07T21:39:08.970

SOURCES RELEASE DATE

db: VULHUB  id: VHN-439578  date: 2023-02-27T00:00:00
db: VULMON  id: CVE-2022-42797  date: 2023-02-27T00:00:00
db: JVNDB  id: JVNDB-2022-020125  date: 2023-10-31T00:00:00
db: PACKETSTORM  id: 169735  date: 2022-11-08T13:42:03
db: CNNVD  id: CNNVD-202211-1892  date: 2022-11-01T00:00:00
db: NVD  id: CVE-2022-42797  date: 2023-02-27T20:15:12.463