Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2023-28206

Disclosure Date: April 10, 2023 •

CVE-2023-28206 CVSS v3 Base Score: 8.6

Exploited in the Wild

Reported by mkienow-r7 and 1 more...
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1, iOS 15.7.5 and iPadOS 15.7.5, macOS Big Sur 11.7.6. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.6 High

Impact Score:

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Changed

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

apple

Products

ipados,
iphone os,
macos

Exploited in the Wild

Reported by:

mkienow-r7 indicated sources as

Vendor Advisory (https://support.apple.com/en-us/HT213721)
Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/04/10/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: April 11, 2023 1:32pm UTC (1 year ago) • Edited 1 year ago

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2023/04/10/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:22am UTC (1 month ago)

References

Canonical

CVE-2023-28206 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28206)

Advisory

20230410 APPLE-SA-2023-04-07-1 iOS 16.4.1 and iPadOS 16.4.1 (http://seclists.org/fulldisclosure/2023/Apr/1)

20230410 APPLE-SA-2023-04-07-2 macOS Ventura 13.3.1 (http://seclists.org/fulldisclosure/2023/Apr/2)

20230410 APPLE-SA-2023-04-10-3 macOS Big Sur 11.7.6 (http://seclists.org/fulldisclosure/2023/Apr/6)

20230410 APPLE-SA-2023-04-10-1 iOS 15.7.5 and iPadOS 15.7.5 (http://seclists.org/fulldisclosure/2023/Apr/5)

20230410 APPLE-SA-2023-04-10-2 macOS Monterey 12.6.5 (http://seclists.org/fulldisclosure/2023/Apr/4)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

acceleratortroll (https://github.com/acceleratortroll/acceleratortroll) (Added by AKB Worker)

Miscellaneous

https://support.apple.com/en-us/HT213723

https://support.apple.com/en-us/HT213721

https://support.apple.com/en-us/HT213720

https://support.apple.com/en-us/HT213725

https://support.apple.com/en-us/HT213724

Rapid7

Unknown

CVE-2023-28206

Unknown

Unknown

Required

None

Local

CVE-2023-28206

Description