CVE-2023-42893: Input Validation
Published Dec 11, 2023
·Updated
A permissions issue was addressed by removing vulnerable code and adding additional checks. This issue is fixed in macOS Monterey 12.7.2, macOS Ventura 13.6.3, iOS 17.2 and iPadOS 17.2, iOS 16.7.3 and iPadOS 16.7.3, tvOS 17.2, watchOS 10.2, macOS Sonoma 14.2. An app may be able to access protected user data.
Credit
an anonymous researcher, CVE-2023-42893, Mickey Jin@@patch1t, Marc Newlin(SkySafe), Koh M. Nakagawa@@tsunek0h, CVE-2023-38545, CVE-2023-38039, CVE-2023-38546, Yann GASCUEL(Alter Solutions), Anthony Cruz Tyrant Corp@@App, Wojciech Regula(SecuRing), Zhenjiang Zhao(Pangu Team), Qianxin, Junsung Lee, Meysam Firouzi@@R00tkitSMM, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Pan ZhenPeng@@Peterpan0927(STAR Labs SG Pte), Eloi Benoist-Vanderbeken@@elvanderb(Synacktiv), CVE-2023-3618, CVE-2020-19185, CVE-2020-19186, CVE-2020-19187, CVE-2020-19188, CVE-2020-19189, CVE-2020-19190, Ron Masas(BreakPoint), Csaba Fitzl@@theevilbit(OffSec), Csaba Fitzl@@theevilbit(Offensive Security), Arsenii Kostromin (0x3c3e), Mattie Behrens, Joshua Jewett@@JoshJewett33, Zhongquan Li@@Guluisacat, Zhongquan Li@@Guluisacat(Dawn Security Lab of JingDong), CVE-2023-5344, Pwn2car, Zoom Offensive Security Team, Nan Wang@@eternalsakura13(360 Vulnerability Research Institute), rushikesh nandedkar, SungKwon Lee (Demon.Team), Noah Roskin-Frazee, Pr, Ivan Fratric(Google Project Zero), (Trend Micro Zero Day Initiative), Don Clarke, Kirin@@Pwnrin, CertiK SkyFall Team, Junsung Lee(Trend Micro Zero Day Initiative), pattern-f@@pattern_F_(Ant Security Light), an anonymous researcher(MIT CSAIL), (MIT CSAIL), Joseph Ravichandran@@0xjprx(MIT CSAIL), Pr(Bar), Pr(Hebrew University), EP, Nick Wellnhofer, Gil Pedersen, Dohyun Lee@@l33d0hyun, LFY@@secsys(Fudan University), Talal Haj Bakry(Mysk Inc), Tommy Mysk@@mysk_co(Mysk Inc), Daniel Zajork, Joshua Zajork, Meysam Firouzi@@R00tkitsmm(Trend Micro Zero Day Initiative), Andr.Ess, Adam Berry, Csaba Fitzl@@theevilbit(Kandji), LFY@@secsys, 小来来@@Smi1eSEC, yulige, Snoolie Keffaber@@0xilis, Robert Reichel, Srijan Poudel, CVE-2024-27806, Abhay Kailasia@@abhay_kailasia(Lakshmi Narain College of Technology Bhopal), Romy R., ajajfxhj, Maksymilian Motyl(Immunity Systems), Manfred Paul@@_manfp(Trend Micro's Zero Day Initiative), Emilio Cobos(Mozilla), Lukas Bernhard(CISPA Helmholtz Center for Information Security), Manfred Paul@@_manfp(Trend Micro Zero Day Initiative), Joe Rutkowski@@Joe12387(Crawless), @@abrahamjuliot, Jeff Johnson(underpassapp), Lucas Monteiro, Daniel Monteiro, Felipe Monteiro, Alexander Heinrich, SEEMOO, TU Darmstadt@@Sn0wfreeze, Shai Mishali@@freak4pc, Amir Bazine(CrowdStrike Counter Adversary Operations), Karsten König(CrowdStrike Counter Adversary Operations), Minghao Lin(Baidu Security), (Baidu Security), Ye Zhang@@VAR10CK(Baidu Security), Ron Masas(Imperva), Scott Johnson(RIPEDA Consulting), Mykola Grymalyuk(RIPEDA Consulting), Jordy Witteman, Carlos Polop, Pedro Tôrres@@t0rr3sp3dr0, Narendra Bhati(Suma Soft Pvt), Shaheen Fazim, Pwn2car(Trend Micro's Zero Day Initiative), (Trend Micro's Zero Day Initiative), Michael DePlante@@izobashi(Trend Micro's Zero Day Initiative), Clément Lecigne(Google's Threat Analysis Group), rushikesh nandedka, Christopher Reynolds, Aymane Chabat, ARJUN S D, Andrew Goldberg(The McCombs School of Business), The University(Texas at Austin), Yiğit Can YILMAZ@@yilmazcanyigit(Offensive Security), (Offensive Security), Yiğit Can YILMAZ@@yilmazcanyigit, Jewel Lambert, Zhipeng Huo@@R3dF09(Tencent Security Xuanwu Lab), Apple
Affected Software
18 affected componentsFixes available
Apple macOS Sonoma<14.5
14.5
Apple tvOS<17.2
17.2
Apple WatchOS<10.2
10.2
Apple macOS Monterey<12.7.2
12.7.2
Apple macOS Ventura<13.6.3
13.6.3
Apple iOS<17.5
17.5
Apple iPadOS<17.5
17.5
Apple iOS<16.7.3
16.7.3
Apple iPadOS<16.7.3
16.7.3
Apple iPadOS<16.7.3
Apple iPadOS>=17.0<17.2
Apple iPhone OS<16.7.3
Apple iPhone OS>=17.0<17.2
Apple macOS>=12.0<12.7.2
Apple macOS>=13.0<13.6.3
Apple macOS>=14.0<14.2
Apple tvOS<17.2
Apple WatchOS<10.2
Event History
Dec 11, 2023
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
Description
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
Affected Software
Updated
via Apple·12:00 AM
DescriptionAffected Software
Mar 28, 2024
CVE Published
via MITRE·03:39 PM
Data Sourced
via MITRE·03:39 PM
DescriptionWeakness
Data Sourced
via NVD·04:15 PM
DescriptionSeverityAffected Software
May 13, 2024
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2023-42893?
The severity of CVE-2023-42893 is classified as moderate due to its potential impact on permissions.
2
How do I fix CVE-2023-42893?
To address CVE-2023-42893, users should update to the latest versions of affected Apple products as specified in the advisory.
3
What Apple products are affected by CVE-2023-42893?
CVE-2023-42893 affects several Apple products, including macOS Monterey, macOS Ventura, iOS, iPadOS, tvOS, and watchOS.
4
When was CVE-2023-42893 addressed by Apple?
Apple addressed CVE-2023-42893 in updates released on specific dates, found in the release notes for each affected product.
5
Can an attacker exploit CVE-2023-42893 remotely?
Exploitation of CVE-2023-42893 typically requires local access to the device, reducing the risk of remote attacks.