CVE-2023-32399: Buffer Overflow
Published May 18, 2023
·Updated
Accessibility. A privacy issue was addressed with improved private data redaction for log entries.
Credit
Adam M., Kirin@@Pwnrin, Mickey Jin@@patch1t, Sergii Kryvoblotskyi(MacPaw Inc), ABC Research s.r.o., James Duffy (mangoSecure), Gerhard Muth, Dimitrios Tatsis(Cisco Talos), Zitong Wu (吴梓桐)(Zhuhai No), Meysam Firouzi@@R00tkitSMM(Mbition Mercedes), Meysam Firouzi@@R00tkitsmm(Trend Micro Zero Day Initiative), hou xuewei vmk msu@@p1ay8y3ar, CertiK SkyFall Team(Pinauten GmbH), Linus Henze(Pinauten GmbH), 08Tc3wBB(Jamf), Adam Doupé(ASU SEFCOM), Eloi Benoist-Vanderbeken@@elvanderb(Synacktiv), Wojciech Reguła@@_r3ggi(SecuRing), OSS-Fuzz(Google Project Zero), Ned Williamson(Google Project Zero), Jonathan Bar Or(Microsoft), Anurag Bohra(Microsoft), (Microsoft), Michael Pearse(Microsoft), Thijs Alkemade@@xnyhps(Computest Sector 7), Gergely Kalman@@gergely_kalman, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Thijs Alkemade(Computest Sector 7), Jonathan Fritz, Arsenii Kostromin (0x3c3e), Julian Szulc, Holger Fuhrmannek(Deutsche Telekom Security GmbH on behalf of BSI), Yiğit Can YILMAZ@@yilmazcanyigit(FFRI Security Inc), Koh M. Nakagawa(FFRI Security Inc), Kirin@@Pwnrin(Offensive Security), Jeff Johnson (underpassapp.com)(Offensive Security), (Offensive Security), Csaba Fitzl@@theevilbit(Offensive Security), Wenchao Li(Alibaba Group), Xiaolong Bai(Alibaba Group), Mickey Jin@@patch1t(Tencent Security Xuanwu Lab), Zhipeng Huo@@R3dF09(Tencent Security Xuanwu Lab), an anonymous researcher, Khiem Tran, Gergely Kalman@@gergely_kalman(SecuRing), (SecuRing), Wojciech Reguła(SecuRing), Yiğit Can YILMAZ@@yilmazcanyigit, CVE-2023-22809, Satish Panduranga, Ivan Fratric(Google Project Zero), Wojciech Regula(SecuRing), Ignacio Sanmillan@@ulexec, Clément Lecigne(Google's Threat Analysis Group), Donncha Ó Cearbhaill(Amnesty International), Pan ZhenPeng@@Peterpan0927(STAR Labs SG Pte), Mohamed GHANNAM@@_simo36, Amat Cama(Vigilant Labs), (Google Project Zero), Jiwon Park
Affected Software
10 affected componentsFixes available
Apple tvOS<16.5
16.5
Apple WatchOS<9.5
9.5
Apple macOS Ventura<13.4
13.4
Apple iOS<16.5
16.5
Apple iPadOS<16.5
16.5
Apple iPadOS<16.5
Apple iPhone OS<16.5
Apple macOS>=13.0<13.4
Apple tvOS<16.5
Apple WatchOS<9.5
Event History
May 18, 2023
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
Description
Updated
via Apple·12:00 AM
Affected Software
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionAffected Software
Jun 23, 2023
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionWeakness
Frequently Asked Questions
1
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2023-32399.
2
What is the severity of CVE-2023-32399?
The severity of CVE-2023-32399 is medium with a severity value of 5.5.
3
Which software versions are affected by CVE-2023-32399?
CVE-2023-32399 affects iOS 16.5 and iPadOS 16.5, watchOS 9.5, tvOS 16.5, and macOS Ventura 13.4.
4
How can an app read sensitive location information due to CVE-2023-32399?
An app may be able to read sensitive location information due to CVE-2023-32399.
5
How was CVE-2023-32399 fixed?
CVE-2023-32399 was fixed with improved handling of caches in iOS 16.5 and iPadOS 16.5, watchOS 9.5, tvOS 16.5, and macOS Ventura 13.4.