CVE-2019-8789

A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 13.2 and iPadOS 13.2, macOS Catalina 10.15.1. Parsing a maliciously crafted iBooks file may lead to disclosure of user information.

CVSS v3 5.5 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://support.apple.com/HT210721	Vendor Advisory
https://support.apple.com/HT210722	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:mac_os_x::::::::

History

No history.

Information

Published : 2019-12-18 18:15

Updated : 2024-02-28 17:28

NVD link : CVE-2019-8789

Mitre link : CVE-2019-8789

CVE.ORG link : CVE-2019-8789

JSON object : View

Products Affected

apple

mac_os_x
iphone_os
ipados

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

{"id": "CVE-2019-8789", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2019-12-18T18:15:41.520", "references": [{"url": "https://support.apple.com/HT210721", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "https://support.apple.com/HT210722", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-59"}]}], "descriptions": [{"lang": "en", "value": "A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 13.2 and iPadOS 13.2, macOS Catalina 10.15.1. Parsing a maliciously crafted iBooks file may lead to disclosure of user information."}, {"lang": "es", "value": "Se present\u00f3 un problema de comprobaci\u00f3n en el manejo de enlaces simb\u00f3licos. Este problema fue abordado con una comprobaci\u00f3n mejorada de los enlaces simb\u00f3licos. Este problema es corregido en iOS versi\u00f3n 13.2 y iPadOS versi\u00f3n 13.2, macOS Catalina versi\u00f3n 10.15.1. Analizar un archivo iBooks dise\u00f1ado maliciosamente puede conllevar a una divulgaci\u00f3n de informaci\u00f3n del usuario."}], "lastModified": "2019-12-23T14:44:25.383", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AD59FD8B-5C11-469A-91E8-B3EB904AB1EF", "versionEndExcluding": "13.2"}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13864229-C006-4C72-AAE3-90F009375CA5", "versionEndExcluding": "13.2"}, {"criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E773457A-E670-4DDA-86E2-0923C1DCD9BA", "versionEndExcluding": "10.15.1"}], "operator": "OR"}]}], "sourceIdentifier": "product-security@apple.com"}