CVE-2018-4175: Input Validation

Q: What is the vulnerability ID for this issue?

The vulnerability ID for this issue is CVE-2018-4175.

Q: What products are affected by this vulnerability?

macOS High Sierra before version 10.13.4, Sierra, and El Capitan are affected by this vulnerability.

Q: What is the severity of CVE-2018-4175?

The severity of CVE-2018-4175 is high with a CVSS score of 7.8.

Q: How can attackers exploit this vulnerability?

Attackers can exploit this vulnerability by bypassing the code-signing protection mechanism via a crafted app.

Q: Is there a fix available for this vulnerability?

Yes, the fix for this vulnerability is available in macOS version 10.13.4 and above.

Published Mar 29, 2018

Updated

LaunchServices. A logic issue was addressed with improved validation.

Other sources

An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "LaunchServices" component. It allows attackers to bypass the code-signing protection mechanism via a crafted app.

Credit

Theodor Ragnar Gislason(Syndis)

Affected Software

4 affected componentsFixes available

Apple macOS High Sierra<10.13.4

10.13.4

Apple Sierra

Apple El Capitan

Apple iOS and macOS<10.13.4

Event History

Apr 3, 2018

CVE Published

via MITRE·06:00 AM

Data Sourced

via MITRE·06:00 AM

Description

Parent advisories

This vulnerability appears in the following advisories.

HT208692

Frequently Asked Questions

What is the vulnerability ID for this issue?

The vulnerability ID for this issue is CVE-2018-4175.

What products are affected by this vulnerability?

macOS High Sierra before version 10.13.4, Sierra, and El Capitan are affected by this vulnerability.

What is the severity of CVE-2018-4175?

The severity of CVE-2018-4175 is high with a CVSS score of 7.8.

How can attackers exploit this vulnerability?