{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-32893", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "assignerShortName": "apple", "dateUpdated": "2024-08-03T07:54:03.184Z", "dateReserved": "2022-06-09T00:00:00", "datePublished": "2022-08-24T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2022-10-30T00:00:00"}, "descriptions": [{"lang": "en", "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited."}], "affected": [{"vendor": "Apple", "product": "Safari", "versions": [{"version": "unspecified", "lessThan": "15.6", "status": "affected", "versionType": "custom"}]}, {"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"version": "unspecified", "lessThan": "15.6", "status": "affected", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"version": "unspecified", "lessThan": "12.5", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/HT213414"}, {"url": "https://support.apple.com/en-us/HT213412"}, {"url": "https://support.apple.com/en-us/HT213413"}, {"name": "[oss-security] 20220825 WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/08/25/5"}, {"name": "[oss-security] 20220826 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/08/26/2"}, {"name": "FEDORA-2022-eada5f24a0", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7SETAAXEPGNBMYKTUDFEZHS5LGSQ64QL/"}, {"name": "DSA-5220", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5220"}, {"name": "DSA-5219", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5219"}, {"name": "[oss-security] 20220829 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/08/29/1"}, {"name": "[oss-security] 20220829 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/08/29/2"}, {"name": "[debian-lts-announce] 20220830 [SECURITY] [DLA 3087-1] webkit2gtk security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00019.html"}, {"name": "GLSA-202208-39", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202208-39"}, {"name": "20220831 APPLE-SA-2022-08-31-1 iOS 12.5.6", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2022/Aug/16"}, {"name": "[oss-security] 20220902 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/09/02/10"}, {"name": "FEDORA-2022-ddfeee50c9", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKJGV2EXVMYQW3OAJNI4WUTKKVMD2YYK/"}, {"name": "[oss-security] 20220913 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/09/13/1"}, {"name": "20221030 APPLE-SA-2022-10-27-13 watchOS 9", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2022/Oct/49"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited."}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:54:03.184Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.apple.com/en-us/HT213414", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/en-us/HT213412", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/en-us/HT213413", "tags": ["x_transferred"]}, {"name": "[oss-security] 20220825 WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/08/25/5"}, {"name": "[oss-security] 20220826 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/08/26/2"}, {"name": "FEDORA-2022-eada5f24a0", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7SETAAXEPGNBMYKTUDFEZHS5LGSQ64QL/"}, {"name": "DSA-5220", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5220"}, {"name": "DSA-5219", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5219"}, {"name": "[oss-security] 20220829 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/08/29/1"}, {"name": "[oss-security] 20220829 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/08/29/2"}, {"name": "[debian-lts-announce] 20220830 [SECURITY] [DLA 3087-1] webkit2gtk security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00019.html"}, {"name": "GLSA-202208-39", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-39"}, {"name": "20220831 APPLE-SA-2022-08-31-1 iOS 12.5.6", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2022/Aug/16"}, {"name": "[oss-security] 20220902 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/09/02/10"}, {"name": "FEDORA-2022-ddfeee50c9", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKJGV2EXVMYQW3OAJNI4WUTKKVMD2YYK/"}, {"name": "[oss-security] 20220913 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/09/13/1"}, {"name": "20221030 APPLE-SA-2022-10-27-13 watchOS 9", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2022/Oct/49"}]}]}}

{}

{"cisaActionDue": "2022-09-08", "cisaExploitAdd": "2022-08-18", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Apple iOS and macOS Out-of-Bounds Write Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8840E34-BF87-4C09-B13E-7FEC5F908EFD", "versionEndExcluding": "15.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "51963FF0-9D05-49D9-B9DD-D9A2D47EC89E", "versionEndExcluding": "15.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5AD4010-4607-4428-9E01-0AFEF95002EB", "versionEndExcluding": "15.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "7227696F-8862-4D88-B0B7-1098388791F3", "versionEndExcluding": "12.5.1", "versionStartIncluding": "12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webkitgtk:webkitgtk:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA0CF181-BD0B-43B5-B5B6-9BB9B9D28BB9", "versionEndExcluding": "2.36.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:wpewebkit:wpe_webkit:*:*:*:*:*:*:*:*", "matchCriteriaId": "B24E9BF0-9726-4CED-A36F-3B1D72D14C31", "versionEndExcluding": "2.36.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited."}, {"lang": "es", "value": "Se abord\u00f3 un problema de escritura fuera de l\u00edmites con una comprobaci\u00f3n de l\u00edmites mejorada. Este problema es corregido en iOS versi\u00f3n 15.6.1 y iPadOS versi\u00f3n 15.6.1, macOS Monterey versi\u00f3n 12.5.1 y Safari versi\u00f3n 15.6.1. El procesamiento de contenido web dise\u00f1ado de forma maliciosa puede conllevar a una ejecuci\u00f3n de c\u00f3digo arbitrario. Apple presenta conocimiento de un informe que indica que este problema puede haber sido explotado activamente."}], "id": "CVE-2022-32893", "lastModified": "2024-06-28T14:09:26.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-24T20:15:09.147", "references": [{"source": "product-security@apple.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/Aug/16"}, {"source": "product-security@apple.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/Oct/49"}, {"source": "product-security@apple.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/08/25/5"}, {"source": "product-security@apple.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/08/26/2"}, {"source": "product-security@apple.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/08/29/1"}, {"source": "product-security@apple.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/08/29/2"}, {"source": "product-security@apple.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/09/02/10"}, {"source": "product-security@apple.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/09/13/1"}, {"source": "product-security@apple.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00019.html"}, {"source": "product-security@apple.com", "tags": ["Broken Link"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7SETAAXEPGNBMYKTUDFEZHS5LGSQ64QL/"}, {"source": "product-security@apple.com", "tags": ["Broken Link"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKJGV2EXVMYQW3OAJNI4WUTKKVMD2YYK/"}, {"source": "product-security@apple.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-39"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/HT213412"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/HT213413"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/HT213414"}, {"source": "product-security@apple.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5219"}, {"source": "product-security@apple.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5220"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:6540", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "webkit2gtk3-0:2.36.7-1.el8_6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-09-15T00:00:00Z"}, {"advisory": "RHSA-2022:6634", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "webkit2gtk3-0:2.36.7-1.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-09-20T00:00:00Z"}], "bugzilla": {"description": "webkitgtk: processing maliciously crafted web content may lead to arbitrary code execution", "id": "2121645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2121645"}, "csaw": true, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-20->CWE-787", "details": ["An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.", "A flaw was found in webkitgtk. The vulnerability occurs due to improper input validation, leading to an out-of-bounds write. This flaw allows an attacker with network access to pass specially crafted web content files, causing arbitrary code execution."], "name": "CVE-2022-32893", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "webkitgtk", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "webkitgtk3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "webkitgtk4", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2022-08-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-32893\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-32893\nhttps://webkitgtk.org/security/WSA-2022-0008.html\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog"], "statement": "Since Red Hat Enterprise Linux 6 and 7 are Out-of-Support-Scope for Low/Moderate flaws, the issue is not currently planned to be addressed in future updates for RHEL-6,7. Only Important and Critical severity flaws will be addressed at this time.\nFor additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ and Red Hat Enterprise Linux Life Cycle & Updates Policy: https://access.redhat.com/support/policy/updates/errata/.", "threat_severity": "Moderate", "upstream_fix": "webkitgtk 2.36.7"}