In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.

Overview

Comment:

Fix a defect in the query-flattener optimization identified by ticket \[8f157e8010b22af0\].

Downloads:

Tarball | ZIP archive | SQL archive

Timelines:

family | ancestors | descendants | both | trunk

Files:

files | file ages | folders

SHA3-256:

10fa79d00f8091e5748c245f4cae5b5f499a5f8db20da741c130e05a21ede443

User & Date:

drh on 2020-06-15 13:51:34

Other Links:

manifest | tags

Context

2021-07-12

15:00

Fix a defect in the query-flattener optimization identified by ticket \[8f157e8010b22af0\]. This fix is associated with CVE-2020-15358. (Leaf check-in: bcd014c4 user: dan tags: branch-3.32a)

14:38

Fix a defect in the query-flattener optimization identified by ticket \[8f157e8010b22af0\]. This fix is associated with CVE-2020-15358. (check-in: 9e001b63 user: dan tags: branch-3.28a)

2020-06-17

12:37

Merge miscellaneous fixes from trunk into the 3.32 branch. (check-in: d55b8e79 user: drh tags: branch-3.32)

2020-06-15

14:38

Fix the --enable-update-limit option to ./configure. (check-in: d31fd57e user: drh tags: trunk)

13:51

Fix a defect in the query-flattener optimization identified by ticket \[8f157e8010b22af0\]. (check-in: 10fa79d0 user: drh tags: trunk)

2020-06-14

13:40

Check-in \[1d4f86201dab9a22\] changed a testcase() to an assert() because we didn't know how to reach that condition any more. But YongHeng's fuzzer found a way. So now we change it back. Ticket \[9fb26d37cefaba40\]. (check-in: 90b1169d user: drh tags: trunk)

Changes

Modified src/select.c from \[1a791ad4\] to \[6ddd86a7\].

︙

︙

2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714

        pLimit = p->pLimit;
        p->pLimit = 0;
        uniondest.eDest = op;
        ExplainQueryPlan((pParse, 1, "%s USING TEMP B-TREE",
                          selectOpName(p->op)));
        rc = sqlite3Select(pParse, p, &uniondest);
        testcase( rc!=SQLITE\_OK );
        /\* Query flattening in sqlite3Select() might refill p->pOrderBy.
        \*\* Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. \*/
        sqlite3ExprListDelete(db, p->pOrderBy);        pDelete = p->pPrior;
        p->pPrior = pPrior;
        p->pOrderBy = 0;
        if( p->op==TK\_UNION ){
          p->nSelectRow = sqlite3LogEstAdd(p->nSelectRow, pPrior->nSelectRow);
        }
        sqlite3ExprDelete(db, p->pLimit);

<
<
|

2698
2699
2700
2701
2702
2703
2704

2705
2706
2707
2708
2709
2710
2711
2712

        pLimit = p->pLimit;
        p->pLimit = 0;
        uniondest.eDest = op;
        ExplainQueryPlan((pParse, 1, "%s USING TEMP B-TREE",
                          selectOpName(p->op)));
        rc = sqlite3Select(pParse, p, &uniondest);
        testcase( rc!=SQLITE\_OK );

        assert( p->pOrderBy\==0 );        pDelete = p->pPrior;
        p->pPrior = pPrior;
        p->pOrderBy = 0;
        if( p->op==TK\_UNION ){
          p->nSelectRow = sqlite3LogEstAdd(p->nSelectRow, pPrior->nSelectRow);
        }
        sqlite3ExprDelete(db, p->pLimit);

︙

︙

4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101

    \*\*   SELECT a+5, b\*10 FROM (SELECT x\*3 AS a, y+10 AS b FROM t1) WHERE a>b;
    \*\*   \\                     \\\_\_\_\_\_\_\_\_\_\_\_\_\_ subquery \_\_\_\_\_\_\_\_\_\_/          /
    \*\*    \\\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ outer query \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_/
    \*\*
    \*\* We look at every expression in the outer query and every place we see
    \*\* "a" we substitute "x\*3" and every place we see "b" we substitute "y+10".
    \*/
    if( pSub->pOrderBy ){      /\* At this point, any non-zero iOrderByCol values indicate that the
      \*\* ORDER BY column expression is identical to the iOrderByCol'th
      \*\* expression returned by SELECT statement pSub. Since these values
      \*\* do not necessarily correspond to columns in SELECT statement pParent,
      \*\* zero them before transfering the ORDER BY clause.
      \*\*
      \*\* Not doing this may cause an error if a subsequent call to this

|

4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099

    \*\*   SELECT a+5, b\*10 FROM (SELECT x\*3 AS a, y+10 AS b FROM t1) WHERE a>b;
    \*\*   \\                     \\\_\_\_\_\_\_\_\_\_\_\_\_\_ subquery \_\_\_\_\_\_\_\_\_\_/          /
    \*\*    \\\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ outer query \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_/
    \*\*
    \*\* We look at every expression in the outer query and every place we see
    \*\* "a" we substitute "x\*3" and every place we see "b" we substitute "y+10".
    \*/
    if( pSub->pOrderBy && (pParent->selFlags & SF\_NoopOrderBy)==0 ){      /\* At this point, any non-zero iOrderByCol values indicate that the
      \*\* ORDER BY column expression is identical to the iOrderByCol'th
      \*\* expression returned by SELECT statement pSub. Since these values
      \*\* do not necessarily correspond to columns in SELECT statement pParent,
      \*\* zero them before transfering the ORDER BY clause.
      \*\*
      \*\* Not doing this may cause an error if a subsequent call to this

︙

︙

5787
5788
5789
5790
5791
5792
5793

5794
5795
5796
5797
5798
5799
5800

           pDest->eDest==SRT\_Queue  || pDest->eDest==SRT\_DistFifo ||
           pDest->eDest==SRT\_DistQueue || pDest->eDest==SRT\_Fifo);
    /\* If ORDER BY makes no difference in the output then neither does
    \*\* DISTINCT so it can be removed too. \*/
    sqlite3ExprListDelete(db, p->pOrderBy);
    p->pOrderBy = 0;
    p->selFlags &= ~SF\_Distinct;

  }
  sqlite3SelectPrep(pParse, p, 0);
  if( pParse->nErr || db->mallocFailed ){
    goto select\_end;
  }
  assert( p->pEList!=0 );
#if SELECTTRACE\_ENABLED

>

5785
5786
5787
5788
5789
5790
5791
5792
5793
5794
5795
5796
5797
5798
5799

           pDest->eDest==SRT\_Queue  || pDest->eDest==SRT\_DistFifo ||
           pDest->eDest==SRT\_DistQueue || pDest->eDest==SRT\_Fifo);
    /\* If ORDER BY makes no difference in the output then neither does
    \*\* DISTINCT so it can be removed too. \*/
    sqlite3ExprListDelete(db, p->pOrderBy);
    p->pOrderBy = 0;
    p->selFlags &= ~SF\_Distinct;
    p->selFlags |= SF\_NoopOrderBy;  }
  sqlite3SelectPrep(pParse, p, 0);
  if( pParse->nErr || db->mallocFailed ){
    goto select\_end;
  }
  assert( p->pEList!=0 );
#if SELECTTRACE\_ENABLED

︙

︙

Modified src/sqliteInt.h from \[fe320867\] to \[abf448e9\].

︙

︙

3118
3119
3120
3121
3122
3123
3124

3125
3126
3127
3128
3129
3130
3131

#define SF\_MaybeConvert  0x0008000 /\* Need convertCompoundSelectToSubquery() \*/
#define SF\_Converted     0x0010000 /\* By convertCompoundSelectToSubquery() \*/
#define SF\_IncludeHidden 0x0020000 /\* Include hidden columns in output \*/
#define SF\_ComplexResult 0x0040000 /\* Result contains subquery or function \*/
#define SF\_WhereBegin    0x0080000 /\* Really a WhereBegin() call.  Debug Only \*/
#define SF\_WinRewrite    0x0100000 /\* Window function rewrite accomplished \*/
#define SF\_View          0x0200000 /\* SELECT statement is a view \*/


/\*
\*\* The results of a SELECT can be distributed in several ways, as defined
\*\* by one of the following macros.  The "SRT" prefix means "SELECT Result
\*\* Type".
\*\*
\*\*     SRT\_Union       Store results as a key in a temporary index

>

3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132

#define SF\_MaybeConvert  0x0008000 /\* Need convertCompoundSelectToSubquery() \*/
#define SF\_Converted     0x0010000 /\* By convertCompoundSelectToSubquery() \*/
#define SF\_IncludeHidden 0x0020000 /\* Include hidden columns in output \*/
#define SF\_ComplexResult 0x0040000 /\* Result contains subquery or function \*/
#define SF\_WhereBegin    0x0080000 /\* Really a WhereBegin() call.  Debug Only \*/
#define SF\_WinRewrite    0x0100000 /\* Window function rewrite accomplished \*/
#define SF\_View          0x0200000 /\* SELECT statement is a view \*/
#define SF\_NoopOrderBy   0x0400000 /\* ORDER BY is ignored for this query \*/
/\*
\*\* The results of a SELECT can be distributed in several ways, as defined
\*\* by one of the following macros.  The "SRT" prefix means "SELECT Result
\*\* Type".
\*\*
\*\*     SRT\_Union       Store results as a key in a temporary index

︙

︙

Modified test/selectA.test from \[b8a590f6\] to \[68de5240\].

︙

︙

1442
1443
1444
1445
1446
1447
1448

1449

1450

  DROP TABLE IF EXISTS t2;
  CREATE TABLE t1(a INTEGER);
  CREATE TABLE t2(b TEXT);
  INSERT INTO t2(b) VALUES('12345');
  SELECT \* FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a;
} {12345}

finish\_test

>
|
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471

  DROP TABLE IF EXISTS t2;
  CREATE TABLE t1(a INTEGER);
  CREATE TABLE t2(b TEXT);
  INSERT INTO t2(b) VALUES('12345');
  SELECT \* FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a;
} {12345}

\# 2020-06-15 ticket 8f157e8010b22af0
#
reset\_db
do\_execsql\_test 7.1 {
  CREATE TABLE t1(c1);     INSERT INTO t1 VALUES(12),(123),(1234),(NULL),('abc');
  CREATE TABLE t2(c2);     INSERT INTO t2 VALUES(44),(55),(123);
  CREATE TABLE t3(c3,c4);  INSERT INTO t3 VALUES(66,1),(123,2),(77,3);
  CREATE VIEW t4 AS SELECT c3 FROM t3;
  CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4;
}
do\_execsql\_test 7.2 {
  SELECT \* FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t4) AND c1=123;
} {123 123}
do\_execsql\_test 7.3 {
  SELECT \* FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND c1=123;
} {123 123}
do\_execsql\_test 7.4 {
  CREATE TABLE a(b);
  CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b;
  SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c;
} {}

finish\_test

CVE-2020-15358: SQLite: Check-in [10fa79d0]

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /cnr requests.

1.  Homepage
2.  Support
3.  Security Advisories
4.  Zyxel security advisory for vulnerabilities of CloudCNM SecuManager

Summary

Zyxel CloudCNM SecuManager software is affected by hardcoded credentials and missing authentication vulnerabilities. We’re currently working with our vendor to fix the issues and will reach out to individual customers directly to roll out the solution.

What is the vulnerability?

Multiple vulnerabilities were identified in Zyxel CloudCNM SecuManager, namely:

*   Hardcoded SSH server keys
*   Backdoors accounts in MySQL
*   Hardcoded certificate and backdoor access in Ejabberd
*   Open ZODB storage without authentication
*   MyZyxel 'Cloud' Hardcoded Secret
*   Hardcoded Secrets, APIs
*   Predefined passwords for admin accounts
*   Insecure management over the 'Cloud'
*   xmppCnrSender.py log escape sequence injection
*   xmppCnrSender.py no authentication and clear-text communication
*   Incorrect HTTP requests cause out of range access in Zope
*   XSS on the web interface
*   Private SSH key
*   Backdoor APIs
*   Backdoor management access and RCE
*   Pre-auth RCE with chrooted access

What products are vulnerable—and what should you do?

After a thorough investigation, we’ve confirmed that the vulnerabilities affect only CloudCNM SecuManager, a network management tool customized for specific customer demands. Other Zyxel products and services are NOT affected by the reported vulnerabilities.

CloudCNM SecuManager is co-developed with a third-party vendor. Zyxel has taken immediate action to work with the vendor to resolve the issues, making this our top priority. We’ll reach out to individual customers to roll out the solution once it becomes available.

Got a question or a tipoff?

Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact security@zyxel.com.tw and we’ll get right back to you.

Source

https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#insecure-cloud

Revision history

2020-03-13: Initial release

CVE-2020-15336: Zyxel security advisory for vulnerabilities of CloudCNM SecuManager

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)

(@tomson)

Posts: 487

Honorable Member Support

We just released wpDiscuz 5.3.6 version for all who still use the old v5.3.5 version and don't want to update to current latest 7.x.x version.

We have got a report that, there is a security vulnerability issue in 5.3.5 version. This issue was fixed in the major update 7.x.x versions. However, we also fixed the issue for 5.x version users and released 5.3.6 version.

If you want to keep using the old 5.x version, just update it to the 5.3.6 version using this instruction:

1.  Deactivate delete the 5.3.5 version.
2.  Download the 5.3.6 verison: https://downloads.wordpress.org/plugin/wpdiscuz.5.3.6.zip
3.  Click the \[Add New\] button in Dashboard > Plugins admin page and upload/install the 5.3.6 installation zip file.

If you don't want to use old 5.x versions, just click the \[Update\] link on wpDiscuz plugin in Dashboard > Plugins admin page and update it to the latest version.

Posted : 12/06/2020 4:55 pm

CVE-2020-13640: Security vulnerability issue in 5.3.5 version, please update...

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Mayfly277 opened this issue

Jun 17, 2020

· 13 comments

**Comments**

**sqli as admin v1.2.12**

There is an sql injection on the latest version (in the /cacti/color.php page on the parameter filter.

**To Reproduce**

Steps to reproduce the behavior:

call /cacti/color.php?action=export&header=false&filter=')<SQLI HERE>--+-

**Expected behavior**

change the following lines :  

$sql\_where = "WHERE (name LIKE '%" . get\_request\_var('filter') . "%'

    	/* form the 'where' clause for our main sql query */
    	if (get_request_var('filter') != '') {
    		$sql_where = "WHERE (name LIKE '%" . get_request_var('filter') . "%'
    			OR hex LIKE '%" .  get_request_var('filter') . "%')";
    	} else {
    		$sql_where = '';
    }
    

You should do db_qstr('%' . get_request_var('filter') . '%') instead of '%" . get\_request\_var('filter') . "%.

**Additional context**

*   As the application accept stacked queries, this can easy lead to remote code execution by replacing the path\_php\_binary setting inside the database.

    GET /cacti/color.php?action=export&header=false&filter=1')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='touch+/tmp/sqli_from_rce;'+where+name='path_php_binary';--+- 
    

*   Then call host.php?action=reindex and get the shell\_exec called with the path\_php\_binary.  
    

Not sure if that was already covered in our current CVE tracker. Have you tested against the very latest 1.2.x branch ?

I tried with that image which use the latest release : quantumobject/docker-cacti  
And the request :

    /cacti/color.php?action=export&header=false&filter=')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;-- -`
    

Is getting back the users and hash.

The code on this function haven't change in 3 years:

But the filter change 11 months ago and that change bring the issue.

*   The actual code (1.12.x branch):

*   before the issue Non regular expression search filters don't support international characters #2839 fix the code (v1.2.6) seems to be not vulnerable :

This was resolved some time ago in the 1.2.x branch.

> This was resolved some time ago in the 1.2.x branch.

Would you have a commit reference int the 1.2.x branch which is fixing the issue?

No this is **NOT** fixed.  
I just tried with a fresh checkout of 1.2.x. and the exploit still work.  
Please reopen @TheWitness

Mayfly277 pushed a commit to Mayfly277/cacti that referenced this issue

Jun 18, 2020

Mayfly277 pushed a commit to Mayfly277/cacti that referenced this issue

Jun 18, 2020

Thanks for verifying. And supplying a patch. Could you add the CVE number to the changelog ?

You have to be reviewing something other than the 1.2.x branch. Here is a screen capture of the 1.2.x branch. Tell me which part of this does not conform to your reasoning?

@Mayfly277, after re-reading, I think you are confused. It's "git clone -b 1.2.x ...". It's not "branch 1.12.x, it's 1.2.x.

I'll be damned. Where did that come from. Re-opening. Thanks for being persistent.

From Code: color.php always process filter by function sanitize_search_string.  
And sanitize_search_string will drop char ', , ; and )\`.  
Why your env can get SQL result.

In my test, final SQL like SQL below, all invalid char is dropped, and injection SQL around with single quot:

SELECT \*, 
        SUM(CASE WHEN local\_graph\_id\>0 THEN 1 ELSE 0 END) AS graphs, 
        SUM(CASE WHEN local\_graph\_id\=0 THEN 1 ELSE 0 END) AS templates 
    FROM (
        SELECT c.\*, local\_graph\_id 
        FROM colors AS c LEFT JOIN (
            SELECT color\_id, graph\_template\_id, local\_graph\_id FROM graph\_templates\_item WHERE color\_id\>0 
        ) AS gti ON c.id\=gti.color\_id 
    ) AS rs 
    WHERE (name LIKE '%1 UNION SELECT 1 username password 4 5 6 7 from user\_auth %' 
            OR hex LIKE '%1 UNION SELECT 1 username password 4 5 6 7 from user\_auth %') 
        AND read\_only\='on' 
    GROUP BY rs.id

 netniV changed the title \[security\] sqli as admin SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295)

Jul 12, 2020

CVE-2020-14295: SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295) · Issue #3622 · Cacti/cacti

A CWE-89:Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in U.motion Servers and Touch Panels (affected versions listed in the security notification) which could cause arbitrary code to be executed when a malicious command is entered.

 ![Security Notification - U.motion Servers and Touch Panels (V1.2)](https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-133-03&p_File_Type=big%20Thumbnail&default_image=DefaultProductImage.jpg "Security Notification - U.motion Servers and Touch Panels (V1.2)")![Security Notification - U.motion Servers and Touch Panels (V1.2)](https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-133-03&p_File_Type=big%20Thumbnail&default_image=DefaultProductImage.jpg "Security Notification - U.motion Servers and Touch Panels (V1.2)")

Reference

 : 

SEVD-2020-133-03

Date

 : 

15/04/2021

Type

 : 

Technical leaflet

Languages :

English

Version :

1.2

Files

Size

SEVD-2020-133-03\_U.motion\_Servers\_and\_Touch\_Panels\_Notification\_V1.2 (.pdf)

242.8 kb

Download

Add to my Documents

CVE-2020-7500: Security Notification - U.motion Servers and Touch Panels (V1.2) | Schneider Electric

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

![@cowtowncoder](https://avatars.githubusercontent.com/u/55065?s=88&u=fdce6737a39cbda5176c8aa3bda56c2bf95190f0&v=4)

martokarski pushed a commit to atlassian/jackson-1 that referenced this issue

May 8, 2020

![@cowtowncoder](https://avatars.githubusercontent.com/u/55065?s=60&u=fdce6737a39cbda5176c8aa3bda56c2bf95190f0&v=4) cowtowncoder changed the title Block one more gadget type (-) Block one more gadget type (apache-drill)

Jun 14, 2020

![@cowtowncoder](https://avatars.githubusercontent.com/u/55065?s=60&u=fdce6737a39cbda5176c8aa3bda56c2bf95190f0&v=4) cowtowncoder changed the title Block one more gadget type (apache-drill) Block one more gadget type (apache-drill, CVE-2020-14060)

Jun 14, 2020

qxo added a commit to qxo/jackson-databind that referenced this issue

Sep 21, 2020

![@qxo](https://avatars.githubusercontent.com/u/1813709?s=60&u=bd3d8d43e572bcb00db281c479a4171eb66abba1&v=4)

![@qxo](https://avatars.githubusercontent.com/u/1813709?s=60&u=bd3d8d43e572bcb00db281c479a4171eb66abba1&v=4) qxo mentioned this issue

Sep 21, 2020

cowtowncoder pushed a commit that referenced this issue

Sep 22, 2020

![@qxo](https://avatars.githubusercontent.com/u/1813709?s=60&u=bd3d8d43e572bcb00db281c479a4171eb66abba1&v=4)

 #2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858)

1. generated diff CVE diff
git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

2. cleanup the diff ,just remain the CVE change

3. apply the diff

4. check and make sure only commit the AutoType CVE change.

\`\`\`
PR\_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'\[ ,\]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#\[0-9\]+/)){print a;}}}' | sort | uniq);echo "$PR\_LIST" | wc -l
echo $PR\_LIST
\`\`\`

CVE-2020-14060: Block one more gadget type (apache-drill, CVE-2020-14060) · Issue #2688 · FasterXML/jackson-databind

HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.

Blog

*   Home
*   Products & Technology
*   Company
*   HashiCorp Voices
*   All

![Vault Logo](data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjA4IiBoZWlnaHQ9Ijg4IiB2aWV3Qm94PSIwIDAgMjA4IDg4IiBmaWxsPSJub25lIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxwYXRoIGQ9Ik0xMTQuODQ5IDIzLjY5aDcuOTJMMTEwLjY5OSA2NGgtMTEuMjVsLTEyLTQwLjI4aDcuOTJsOS43NCAzMy41NyA5Ljc0LTMzLjZ6TTE0NC43NSA2NGgtNmwtLjU1LTJhMTYuMTIgMTYuMTIgMCAwMS04Ljc3IDIuNmMtNS4zOCAwLTcuNjgtMy42OS03LjY4LTguNzcgMC02IDIuNi04LjI5IDguNTktOC4yOWg3LjA4di0zLjFjMC0zLjI3LS45MS00LjQyLTUuNjMtNC40MmE0MC43MSA0MC43MSAwIDAwLTguMTYuOTFsLS45MS01LjYzYTM4LjY3OCAzOC42NzggMCAwMTEwLjEtMS4zOWM5LjI1IDAgMTIgMy4yNyAxMiAxMC42NUwxNDQuNzUgNjR6bS03LjM3LTExLjEzaC01LjQ1Yy0yLjQyIDAtMy4wOC42Ny0zLjA4IDIuOTEgMCAyIC42NiAzIDMgM2ExMS43MiAxMS43MiAwIDAwNS41Ny0xLjUxbC0uMDQtNC40em0xOC45OTItMTguMzV2MjAuNTZjMCAxLjU3LjY2IDIuMzYgMi4zNiAyLjM2IDEuNyAwIDUtMS4wOSA3LjY4LTIuNDhWMzQuNTJoNy4zOFY2NGgtNS42M2wtLjcyLTIuNDhhMjkuNDM3IDI5LjQzNyAwIDAxLTExLjggMy4wOWMtNC45IDAtNi42NS0zLjQ1LTYuNjUtOC43MVYzNC41Mmg3LjM4ek0xNzcuNzE5IDY0VjIyLjQ4bDcuMzgtMVY2NGgtNy4zOHptMjkuMzg4LS41N2EyMC42MTggMjAuNjE4IDAgMDEtNi40NyAxLjE1Yy01LjM4IDAtOC4xMS0yLjU0LTguMTEtNy44di0xNi40aC00LjQxdi01Ljg2aDQuNDFWMjcuMmw3LjM4LTF2OC4zNWg3LjU2bC0uNDggNS44NmgtNy4wOHYxNS40YTIuMzIzIDIuMzIzIDAgMDAxLjU5NiAyLjUxNGMuMzQ0LjExLjcwOC4xNCAxLjA2NC4wODVhMTMuOTE5IDEzLjkxOSAwIDAwMy42OS0uNjFsLjg1IDUuNjN6TTAgMTIuNmwzMS44NSA2My45Mkw2My45MiAxMi42SDB6bTM1LjYzIDEyLjgzaDMuNzF2My43MWgtMy43MXYtMy43MXptLTcuMzggMTQuODJoLTMuN3YtMy43aDMuN3YzLjd6bTAtNS41NmgtMy43VjMxaDMuN3YzLjY5em0wLTUuNTVoLTMuN3YtMy43MWgzLjd2My43MXptNS42IDE2LjY3aC0zLjdWNDIuMWgzLjd2My43MXptMC01LjU2aC0zLjd2LTMuN2gzLjd2My43em0wLTUuNTZoLTMuN1YzMWgzLjd2My42OXptMC01LjU1aC0zLjd2LTMuNzFoMy43djMuNzF6TTM1LjYzIDMxaDMuNzF2My43aC0zLjcxVjMxem0wIDkuMjZ2LTMuN2gzLjcxdjMuN2gtMy43MXoiIGZpbGw9IiNmZmYiLz48L3N2Zz4=)

Vault is a platform for centralized secrets management, encryption as a service, and identity-based access.

Subscribe to Vault RSS

November 17 2021 | Products & Technology

**Announcing HashiCorp Vault 1.9**

Vault 1.9 can act as an OIDC provider, includes general availability of a key management secrets engine for Google Cloud, and updates to Transform, Namespaces, and the UI.

![Announcing HashiCorp Vault 1.9](https://www.datocms-assets.com/2885/1620082983-blog-library-product-vault-dark-graphics.jpg)

![Integrating Azure AD Identity with HashiCorp Vault — Part 3: Azure Managed Identity Auth via Azure Auth Method](https://www.datocms-assets.com/2885/1608228062-blog-library-product-vault-azure.png)

February 11 2022 | Products & Technology

**Integrating Azure AD Identity with HashiCorp Vault — Part 3: Azure Managed Identity Auth via Azure Auth Method**

Learn how to achieve machine authentication to HashiCorp Vault with the Azure auth method using Microsoft Azure managed identity — and set it up with Terraform.

![HCP Vault Observability at Scale Using Datadog’s Vector](https://www.datocms-assets.com/2885/1643669249-hcpv-vector.png)

February 02 2022 | Company

**HCP Vault Observability at Scale Using Datadog’s Vector**

Get technical insight into how HCP Vault uses Datadog’s Vector integration to meet the observability needs of customers.

![Enabling Transparent Data Encryption for Microsoft SQL with Vault](https://www.datocms-assets.com/2885/1620083006-blog-library-product-vault-dark-gradient.jpg)

February 01 2022 | Products & Technology

**Enabling Transparent Data Encryption for Microsoft SQL with Vault**

Learn how HashiCorp Vault can help secure data in Microsoft SQL Server using a defense-in-depth encryption strategy.

![Kubernetes Vault Integration via Sidecar Agent Injector vs. CSI Provider](https://www.datocms-assets.com/2885/1608227983-blog-library-product-kubernetes-vault.png)

January 26 2022 | Products & Technology

**Kubernetes Vault Integration via Sidecar Agent Injector vs. CSI Provider**

A detailed comparison of two HashiCorp-supported methods for HashiCorp Vault and Kubernetes integration.

![How to Adopt a Producer-Consumer Model for HashiCorp Vault](https://www.datocms-assets.com/2885/1620083006-blog-library-product-vault-dark-gradient.jpg)

January 19 2022 | Products & Technology

**How to Adopt a Producer-Consumer Model for HashiCorp Vault**

Learn our best practices and get customer-tested templates that help HashiCorp Vault users adopt efficient producer-consumer models.

![HashiCorp’s Security and Compliance Program Takes Another Step Forward](https://www.datocms-assets.com/2885/1600142862-blog-library-product-hashicorp.png)

January 14 2022 | Products & Technology

**HashiCorp’s Security and Compliance Program Takes Another Step Forward**

HashiCorp has renewed its SOC II Type II report for HCP Vault and HCP Consul, and obtained ISO 27017 and ISO 27018 certificates for its cloud products.

CVE-2020-13223: HashiCorp Blog: Vault

A race condition was addressed with improved state handling. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5. An application may be able to gain elevated privileges.

Released May 20, 2020

**Accounts**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2020-9827: Jannik Lorenz of SEEMOO @ TU Darmstadt

**AirDrop**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2020-9826: Dor Hadad of Palo Alto Networks

**AppleMobileFileIntegrity**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application could interact with system processes to access private information and perform privileged actions

Description: An entitlement parsing issue was addressed with improved parsing.

CVE-2020-9842: Linus Henze (pinauten.de)

**Audio**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9815: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative

**Audio**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9791: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative

**Bluetooth**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic

Description: An issue existed with the use of a PRNG with low entropy. This issue was addressed with improved state management.

CVE-2020-6616: Jörn Tillmanns (@matedealer) and Jiska Classen (@naehrdine) of Secure Mobile Networking Lab

**Bluetooth**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9838: Dennis Heinze (@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab

**CoreText**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted text message may lead to application denial of service

Description: A validation issue was addressed with improved input sanitization.

CVE-2020-9829: Aaron Perris (@aaronp613), an anonymous researcher, an anonymous researcher, Carlos S Tech, Sam Menzies of Sam’s Lounge, Sufiyan Gouri of Lovely Professional University, India, Suleman Hasan Rathor of Arabic-Classroom.com

**FaceTime**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing

Description: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic.

CVE-2020-9835: Olivier Levesque (@olilevesque)

**File System**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to modify the file system

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9820: Thijs Alkemade of Computest

**FontParser**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9816:  Peter Nguyen Vu Hoang of STAR Labs working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-3878: Samuel Groß of Google Project Zero

**ImageIO**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9789: Wenchao Li of VARAS@IIE

CVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab

**IPSec**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9837: Thijs Alkemade of Computest

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9821: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to determine another application's memory layout

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2020-9797: an anonymous researcher

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An integer overflow was addressed through improved input validation.

CVE-2020-9852: Tao Huang and Tielei Wang of Pangu Lab

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9795: Zhuo Liang of Qihoo 360 Vulcan Team

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to cause unexpected system termination or write kernel memory

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9808: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A local user may be able to read kernel memory

Description: An information disclosure issue was addressed with improved state management.

CVE-2020-9811: Tielei Wang of Pangu Lab

CVE-2020-9812: derrek (@derrekr6)

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.

CVE-2020-9813: Xinru Chi of Pangu Lab

CVE-2020-9814: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to determine kernel memory layout

Description: An information disclosure issue was addressed with improved state management.

CVE-2020-9809: Benjamin Randazzo (@\_\_\_\_benjamin)

**libxpc**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to overwrite arbitrary files

Description: A path handling issue was addressed with improved validation.

CVE-2020-9994: Apple

Entry added September 21, 2020

**Mail**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted mail message may lead to heap corruption

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2020-9819: ZecOps.com

**Mail**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted mail message may lead to unexpected memory modification or application termination

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9818: ZecOps.com

**Messages**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Users removed from an iMessage conversation may still be able to alter state

Description: This issue was addressed with improved checks.

CVE-2020-9823: Suryansh Mansharamani, student of Community Middle School, Plainsboro, New Jersey

**Notifications**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A person with physical access to an iOS device may be able to view notification contents from the lockscreen

Description: An authorization issue was addressed with improved state management.

CVE-2020-9848: Nima

**rsync**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to overwrite existing files

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2014-9512: gaojianfeng

Entry added July 28, 2020

**Sandbox**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to bypass Privacy preferences

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2020-9825: Sreejith Krishnan R (@skr0x1C0)

**Security**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved validation.

CVE-2020-9854: Ilias Morad (A2nkF)

Entry added July 28, 2020

**SQLite**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may cause a denial of service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9794

**System Preferences**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with improved state handling.

CVE-2020-9839: @jinmo123, @setuid0x0\_, and @insu\_yun\_en of @SSLab\_Gatech working with Trend Micro’s Zero Day Initiative

**USB Audio**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A USB device may be able to cause a denial of service

Description: A validation issue was addressed with improved input sanitization.

CVE-2020-9792: Andy Davis of NCC Group

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9805: an anonymous researcher

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9802: Samuel Groß of Google Project Zero

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9850: @jinmo123, @setuid0x0\_, and @insu\_yun\_en of @SSLab\_Gatech working with Trend Micro’s Zero Day Initiative

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-9843: Ryan Pickren (ryanpickren.com)

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2020-9803: Wen Xu of SSLab at Georgia Tech

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9806: Wen Xu of SSLab at Georgia Tech

CVE-2020-9807: Wen Xu of SSLab at Georgia Tech

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2020-9800: Brendan Draper (@6r3nd4n) working with Trend Micro Zero Day Initiative

**WebRTC**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: An access issue was addressed with improved memory management.

CVE-2019-20503: natashenka of Google Project Zero

**Wi-Fi**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: A double free issue was addressed with improved memory management.

CVE-2020-9844: Ian Beer of Google Project Zero

**Wi-Fi**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9830: Tielei Wang of Pangu Lab

Entry added August 10, 2020

CVE-2020-9839: About the security content of iOS 13.5 and iPadOS 13.5

A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in macOS Catalina 10.15.5. A malicious application may be able to gain root privileges.

Released May 26, 2020

**Accounts**

Available for: macOS Catalina 10.15.4

Impact: A remote attacker may be able to cause a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2020-9827: Jannik Lorenz of SEEMOO @ TU Darmstadt

**Accounts**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9772: Allison Husain of UC Berkeley

**AirDrop**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A remote attacker may be able to cause a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2020-9826: Dor Hadad of Palo Alto Networks

**AppleMobileFileIntegrity**

Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.4

Impact: A malicious application could interact with system processes to access private information and perform privileged actions

Description: An entitlement parsing issue was addressed with improved parsing.

CVE-2020-9842: Linus Henze (pinauten.de)

**AppleUSBNetworking**

Available for: macOS Catalina 10.15.4

Impact: Inserting a USB device that sends invalid messages may cause a kernel panic

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9804: Andy Davis of NCC Group

**Audio**

Available for: macOS Catalina 10.15.4

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9815: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative

**Audio**

Available for: macOS Catalina 10.15.4

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9791: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative

**Bluetooth**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to determine kernel memory layout

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9831: Yu Wang of Didi Research America

**Bluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9779: Yu Wang of Didi Research America

Entry added September 21, 2020

**Calendar**

Available for: macOS Catalina 10.15.4

Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information

Description: This issue was addressed with improved checks.

CVE-2020-3882: Andy Grant of NCC Group

**CoreBluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: A remote attacker may be able to leak sensitive user information

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9828: Jianjun Dai of Qihoo 360 Alpha Lab

**CVMS**

Available for: macOS Catalina 10.15.4

Impact: An application may be able to gain elevated privileges

Description: This issue was addressed with improved checks.

CVE-2020-9856: @jinmo123, @setuid0x0\_, and @insu\_yun\_en of @SSLab\_Gatech working with Trend Micro’s Zero Day Initiative

**DiskArbitration**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to break out of its sandbox

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9847: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud (bugcloud.360.cn)

**Find My**

Available for: macOS Catalina 10.15.4

Impact: A local attacker may be able to elevate their privileges

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2020-9855: Zhongcheng Li(CK01) of Topsec Alpha Team

**FontParser**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9816:  Peter Nguyen Vu Hoang of STAR Labs working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Catalina 10.15.4

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-3878: Samuel Groß of Google Project Zero

**ImageIO**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9789: Wenchao Li of VARAS@IIE

CVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab

**Intel Graphics Driver**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9822: ABC Research s.r.o

**Intel Graphics Driver**

Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2020-9796: ABC Research s.r.o.

Entry added July 28, 2020

**IPSec**

Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.4

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9837: Thijs Alkemade of Computest

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9821: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to determine another application's memory layout

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2020-9797: an anonymous researcher

**Kernel**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An integer overflow was addressed with improved input validation.

CVE-2020-9852: Tao Huang and Tielei Wang of Pangu Lab

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9795: Zhuo Liang of Qihoo 360 Vulcan Team

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to cause unexpected system termination or write kernel memory

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9808: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.4

Impact: A local user may be able to read kernel memory

Description: An information disclosure issue was addressed with improved state management.

CVE-2020-9811: Tielei Wang of Pangu Lab

CVE-2020-9812: derrek (@derrekr6)

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.

CVE-2020-9813: Xinru Chi of Pangu Lab

CVE-2020-9814: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to determine kernel memory layout

Description: An information disclosure issue was addressed with improved state management.

CVE-2020-9809: Benjamin Randazzo (@\_\_\_\_benjamin)

**ksh**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A local user may be able to execute arbitrary shell commands

Description: An issue existed in the handling of environment variables. This issue was addressed with improved validation.

CVE-2019-14868

**libxpc**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to overwrite arbitrary files

Description: A path handling issue was addressed with improved validation.

CVE-2020-9994: Apple

Entry added September 21, 2020

**NSURL**

Available for: macOS Mojave 10.14.6

Impact: A malicious website may be able to exfiltrate autofilled data in Safari

Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

CVE-2020-9857: Dlive of Tencent Security Xuanwu Lab

**PackageKit**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to gain root privileges

Description: A permissions issue existed. This issue was addressed with improved permission validation.

CVE-2020-9817: Andy Grant of NCC Group

**PackageKit**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to modify protected parts of the file system

Description: An access issue was addressed with improved access restrictions.

CVE-2020-9851: an anonymous researcher, Linus Henze (pinauten.de)

Entry updated July 15, 2020

**Python**

Available for: macOS Catalina 10.15.4

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2020-9793

**rsync**

Available for: macOS Catalina 10.15.4

Impact: A remote attacker may be able to overwrite existing files

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2014-9512: gaojianfeng

Entry added July 28, 2020

**Sandbox**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to bypass Privacy preferences

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2020-9825: Sreejith Krishnan R (@skr0x1C0)

**Sandbox**

Available for: macOS Mojave 10.14.6

Impact: A user may gain access to protected parts of the file system

Description: This issue was addressed with a new entitlement.

CVE-2020-9771: Csaba Fitzl (@theevilbit) of Offensive Security

**Security**

Available for: macOS Catalina 10.15.4

Impact: A file may be incorrectly rendered to execute JavaScript

Description: A validation issue was addressed with improved input sanitization.

CVE-2020-9788: Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated July 15, 2020

**Security**

Available for: macOS Catalina 10.15.4

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved validation.

CVE-2020-9854: Ilias Morad (A2nkF)

Entry added July 28, 2020

**SIP**

Available for: macOS Catalina 10.15.4

Impact: A non-privileged user may be able to modify restricted network settings

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9824: @jamestraynor, Csaba Fitzl (@theevilbit) of Offensive Security

Entry updated June 10, 2020

**Software Update**

Available for: macOS Catalina 10.15.4

Impact: A person with physical access to a Mac may be able to bypass Login Window

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9810: Francis @francisschmaltz

Entry added July 15, 2020

**SQLite**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may cause a denial of service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9794

**System Preferences**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with improved state handling.

CVE-2020-9839: @jinmo123, @setuid0x0\_, and @insu\_yun\_en of @SSLab\_Gatech working with Trend Micro’s Zero Day Initiative

**USB Audio**

Available for: macOS Catalina 10.15.4

Impact: A USB device may be able to cause a denial of service

Description: A validation issue was addressed with improved input sanitization.

CVE-2020-9792: Andy Davis of NCC Group

**Wi-Fi**

Available for: macOS Catalina 10.15.4

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: A double free issue was addressed with improved memory management.

CVE-2020-9844: Ian Beer of Google Project Zero

**Wi-Fi**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9830: Tielei Wang of Pangu Lab

**Wi-Fi**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2020-9834: Yu Wang of Didi Research America

**Wi-Fi**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A local user may be able to read kernel memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-9833: Yu Wang of Didi Research America

**Wi-Fi**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to determine kernel memory layout

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9832: Yu Wang of Didi Research America

**WindowServer**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An integer overflow was addressed with improved input validation.

CVE-2020-9841: ABC Research s.r.o. working with Trend Micro Zero Day Initiative

**zsh**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A local attacker may be able to elevate their privileges

Description: An authorization issue was addressed with improved state management.

CVE-2019-20044: Sam Foxman

CVE-2020-9817: About the security content of macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra

A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5. An application may be able to execute arbitrary code with kernel privileges.

Tag

#sql