CVE-2019-8703: About the security content of tvOS 13
This issue was addressed with improved entitlements. This issue is fixed in watchOS 6, tvOS 13, macOS Catalina 10.15, iOS 13. An application may be able to gain elevated privileges.
Released September 24, 2019
AppleFirmwareUpdateKext
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2019-8747: Mohamed Ghannam (@_simo36)
Entry added October 29, 2019
Audio
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2019-8706: Yu Zhou of Ant-Financial Light-Year Security Lab
Entry added October 29, 2019
Audio
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted audio file may disclose restricted memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8850: Anonymous working with Trend Micro Zero Day Initiative
Entry added December 4, 2019
CFNetwork
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
Description: This issue was addressed with improved checks.
CVE-2019-8753: Łukasz Pilorz of Standard Chartered GBS Poland
Entry added October 29, 2019
CoreAudio
Available for: Apple TV 4K and Apple TV HD
Impact: Playing a malicious audio file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
CVE-2019-8592: riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative
Entry added November 6, 2019
CoreCrypto
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a large input may lead to a denial of service
Description: A denial of service issue was addressed with improved input validation.
CVE-2019-8741: Nicky Mouha of NIST
Entry added October 29, 2019
CoreAudio
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted movie may result in the disclosure of process memory
Description: A memory corruption issue was addressed with improved validation.
CVE-2019-8705: riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative
Entry added October 8, 2019
Foundation
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8746: natashenka and Samuel Groß of Google Project Zero
Entry added October 29, 2019
IOUSBDeviceFamily
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8718: Joshua Hill and Sem Voigtländer
Entry added October 29, 2019
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to gain elevated privileges
Description: This issue was addressed with improved entitlements.
CVE-2019-8703: an anonymous researcher
Entry added March 16, 2021
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2019-8740: Mohamed Ghannam (@_simo36)
Entry added October 29, 2019
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: A local app may be able to read a persistent account identifier
Description: A validation issue was addressed with improved logic.
CVE-2019-8809: Apple
Entry added October 29, 2019
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8712: Mohamed Ghannam (@_simo36)
Entry added October 29, 2019
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to determine kernel memory layout
Description: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.
CVE-2019-8744: Zhuo Liang of Qihoo 360 Vulcan Team
Entry added October 29, 2019
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved state management.
CVE-2019-8709: derrek (@derrekr6)
Entry added October 29, 2019
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8717: Jann Horn of Google Project Zero
Entry added October 8, 2019
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to determine kernel memory layout
Description: The issue was addressed with improved permissions logic.
CVE-2019-8780: Siguza
Entry added October 8, 2019
Keyboards
Available for: Apple TV 4K and Apple TV HD
Impact: A local user may be able to leak sensitive user information
Description: An authentication issue was addressed with improved state management.
CVE-2019-8704: 王 邦 宇 (wAnyBug.Com) of SAINTSEC
libxml2
Available for: Apple TV 4K and Apple TV HD
Impact: Multiple issues in libxml2
Description: Multiple memory corruption issues were addressed with improved input validation.
CVE-2019-8749: found by OSS-Fuzz
CVE-2019-8756: found by OSS-Fuzz
Entry added October 8, 2019
libxslt
Available for: Apple TV 4K and Apple TV HD
Impact: Multiple issues in libxslt
Description: Multiple memory corruption issues were addressed with improved input validation.
CVE-2019-8750: found by OSS-Fuzz
Entry added October 29, 2019
mDNSResponder
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker in physical proximity may be able to passively observe device names in AWDL communications
Description: This issue was resolved by replacing device names with a random identifier.
CVE-2019-8799: David Kreitschmann and Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt
Entry added October 29, 2019
UIFoundation
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted text file may lead to arbitrary code execution
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative
Entry added October 8, 2019
UIFoundation
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8831: riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative
Entry added November 18, 2019
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue was addressed with improved state management.
CVE-2019-8625: Sergei Glazunov of Google Project Zero
CVE-2019-8719: Sergei Glazunov of Google Project Zero
CVE-2019-8764: Sergei Glazunov of Google Project Zero
Entry added October 8, 2019, updated October 29, 2019
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-8707: an anonymous researcher working with Trend Micro’s Zero Day Initiative, cc working with Trend Micro Zero Day Initiative
CVE-2019-8710: found by OSS-Fuzz
CVE-2019-8726: Jihui Lu of Tencent KeenLab
CVE-2019-8728: Junho Jang of LINE Security Team and Hanul Choi of ABLY Corporation
CVE-2019-8733: Sergei Glazunov of Google Project Zero
CVE-2019-8734: found by OSS-Fuzz
CVE-2019-8735: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8743: zhunki from Codesafe Team of Legendsec at Qi’anxin Group
CVE-2019-8751: Dongzhuo Zhao working with ADLab of Venustech
CVE-2019-8752: Dongzhuo Zhao working with ADLab of Venustech
CVE-2019-8763: Sergei Glazunov of Google Project Zero
CVE-2019-8765: Samuel Groß of Google Project Zero
CVE-2019-8766: found by OSS-Fuzz
CVE-2019-8773: found by OSS-Fuzz
Entry added October 8, 2019, updated October 29, 2019
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A validation issue was addressed with improved logic.
CVE-2019-8762: Sergei Glazunov of Google Project Zero
Entry added November 18, 2019
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2020-9932: Dongzhuo Zhao working with ADLab of Venustech
Entry added July 28, 2020
Wi-Fi
Available for: Apple TV 4K and Apple TV HD
Impact: A device may be passively tracked by its Wi-Fi MAC address
Description: A user privacy issue was addressed by removing the broadcast MAC address.
CVE-2019-8854: Ta-Lun Yen of UCCU Hacker and FuriousMacTeam of the United States Naval Academy and the MITRE Corporation
Entry added December 4, 2019