CVE-2024-54488: Medium severity apple macOS Ventura vulnerability
Published Dec 11, 2024
·Updated
A logic issue was addressed with improved file handling. This issue is fixed in iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. Photos in the Hidden Photos Album may be viewed without authentication.
Other sources
Accounts. A logic issue was addressed with improved file handling.
— Apple
Credit
Benjamin Hornbeck(ZUSO ART), Skadz@@skadz108(ZUSO ART), Chi Yuan Chang(ZUSO ART), taikosoup, Arsenii Kostromin (0x3c3e), an anonymous researcher, Wojciech Regula(SecuRing), Mickey Jin@@patch1t, Micheal Chukwu, Smi1e@@Smi1eSEC, Bistrit Dahal, Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), Gary Kwong, Anonymous(Trend Micro Zero Day Initiative), Junsung Lee(Trend Micro Zero Day Initiative), Ye Zhang@@VAR10CK(Baidu Security), Joseph Ravichandran@@0xjprx(MIT CSAIL), sohybbyk, CVE-2024-45490, 风沐云烟@@binary_fmyy, Andrew James Gonzalez, Dragon Fruit Security (Davis Dai, ORAC 落云, Frank Du cooperative discovery), Abhay Kailasia@@abhay_kailasia(C), Rakeshkumar Talaviya, Tomomasa Hiraiwa, Talal Haj Bakry(Mysk Inc), Tommy Mysk@@mysk_co(Mysk Inc), Jacob Braun, Rei@@reizydev, Kenneth Chew, Michael DePlante@@izobashi(Trend Micro's Zero Day Initiative), CVE-2024-45306, Seunghyun Lee, Brendon Tiszka(Google Project Zero), linjy(HKUS3Lab), chluo(WHUSecLab), Xiangwei Zhang(Tencent Security YUNDING LAB), Tashita Software Security, Lukas Bernhard, Ben Roeder, Guilherme Rambo(Best Buddy Apps), Mickey Jin@@patch1t(Kandji), Csaba Fitzl@@theevilbit(Kandji), Dillon Franke(Google Project Zero), Michael Cohen, D’Angelo Gonzalez(CrowdStrike), Rodolphe BRUNETTI@@eisw0lf(Lupus Nova), Bohdan Stasiuk@@Bohdan_Stasiuk, Halle Winkler, Politepix (theoffcuts.org), Amy@@asentientbot, Rodolphe BRUNETTI@@eisw0lf, Kirin@@Pwnrin, Politepix theoffcuts.org, Trent Lloyd@@lathiat, D4m0n, CertiK SkyFall Team, 7feilee, Claudio Bozzato(Cisco Talos), Francesco Benvenuto(Cisco Talos), Hyerean Jang, Taehun Kim, Youngjoo Shin, Meng Zhang (鲸落)(NorthSea), 神罚@@Pwnrin, CVE-2016-1246, CVE-2023-31484, CVE-2023-31486, CVE-2023-47100, Zhongquan Li@@Guluisacat, Yokesh Muthu K, Csaba Fitzl@@theevilbit(OffSec), Mickey Jin@@patch1t(Microsoft), Jonathan Bar Or@@yo_yo_yo_jbo(Microsoft)
Affected Software
18 affected componentsFixes available
apple macOS Ventura<13.7.2
apple iOS<18.2
apple iPadOS<18.2
apple iPadOS<17.7.3
apple macOS Sonoma<14.7.2
apple macOS Sequoia<15.2
apple iPadOS<17.7.3
apple iPadOS>=18.0<18.2
apple iPhone OS<18.2
Apple macOS<13.7.2
Apple macOS>=14.0<14.7.2
Apple macOS>=15.0<15.2
apple iOS<18.2
18.2
apple iPadOS<18.2
18.2
apple iPadOS<17.7.3
17.7.3
apple macOS Sequoia<15.2
15.2
apple macOS Ventura<13.7.2
13.7.2
apple macOS Sonoma<14.7.2
14.7.2
Event History
Dec 11, 2024
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Jan 27, 2025
CVE Published
via MITRE·09:46 PM
Data Sourced
via MITRE·09:46 PM
DescriptionWeakness
Data Sourced
via NVD·10:15 PM
DescriptionSeverityWeaknessAffected Software
Parent advisories
This vulnerability appears in the following advisories.
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2024-54488
- CVE-2024-54541
- CVE-2024-40864
- CVE-2024-54526
- CVE-2024-54527
- CVE-2024-54503
- CVE-2024-54550
- CVE-2024-54513
- CVE-2024-54512
- CVE-2024-54486
- CVE-2024-54478
- CVE-2024-54499
- CVE-2024-54500
- CVE-2024-54517
- CVE-2024-54518
- CVE-2024-54522
- CVE-2024-54523
- CVE-2024-54468
- CVE-2024-54507
- CVE-2024-54494
- CVE-2024-54510
- CVE-2024-44245
- CVE-2024-45490
- CVE-2024-54514
- CVE-2024-44225
- CVE-2024-54525
- CVE-2024-54530
- CVE-2024-44276
- CVE-2024-54492
- CVE-2024-54497
- CVE-2024-44246
- CVE-2024-54542
- CVE-2024-54501
- CVE-2024-45306
- CVE-2024-54485
- CVE-2024-54479
- CVE-2024-54502
- CVE-2024-54508
- CVE-2024-54505
- CVE-2024-54534
- CVE-2024-54543
- CVE-2024-44201
- CVE-2025-24091
- CVE-2024-54477
- CVE-2024-54529
- CVE-2024-44300
- CVE-2024-54466
- CVE-2024-54489
- CVE-2024-54547
- CVE-2024-54474
- CVE-2024-54476
- CVE-2024-54537
- CVE-2024-44248
- CVE-2024-54557
- CVE-2024-54528
- CVE-2024-54498
- CVE-2024-44291
- CVE-2024-44224
- CVE-2024-54520
- CVE-2024-54475
- CVE-2024-54539
- CVE-2024-44220
- CVE-2024-54509
- CVE-2024-54519
- CVE-2024-54516
- CVE-2024-54495
- CVE-2024-54490
- CVE-2024-54568
- CVE-2024-44271
- CVE-2024-54506
- CVE-2024-54531
- CVE-2024-54465
- CVE-2024-54491
- CVE-2024-54484
- CVE-2024-54536
- CVE-2024-54504
- CVE-2016-1246
- CVE-2023-31484
- CVE-2023-31486
- CVE-2023-47100
- CVE-2023-32395
- CVE-2024-54559
- CVE-2024-54515
- CVE-2024-54524
- CVE-2024-54493
- CVE-2024-54533
- CVE-2024-44243
- CVE-2024-54549
- CVE-2024-54565
Frequently Asked Questions
1
What is the severity of CVE-2024-54488?
CVE-2024-54488 is classified as a critical vulnerability due to its potential to expose sensitive information.
2
How do I fix CVE-2024-54488?
To mitigate CVE-2024-54488, users should update to macOS Ventura 13.7.2, iOS 18.2, iPadOS 18.2, macOS Sonoma 14.7.2, or macOS Sequoia 15.2.
3
What does CVE-2024-54488 affect?
CVE-2024-54488 affects macOS Ventura, iOS, iPadOS, macOS Sonoma, and macOS Sequoia by allowing unauthorized access to Hidden Photos.
4
Is my Apple device vulnerable to CVE-2024-54488?
If your device is running an affected version prior to the fixes, it is vulnerable to CVE-2024-54488.
5
What type of issue is CVE-2024-54488?
CVE-2024-54488 is a logic issue related to improper file handling that can lead to unauthorized access of Photos.