SB2023012338 - Multiple vulnerabilities in Apple iOS 15 and iPadOS 15



Published: January 23, 2023

Security Bulletin ID: SB2023012338
Severity: Low
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2023-23500)

The vulnerability allows a local application to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the OS kernel. A local application can trigger an out-of-bounds read error and read contents of memory on the system.


2) Buffer overflow (CVE-ID: CVE-2023-23504)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error within the OS kernel. A local application can trigger memory corruption and execute arbitrary code with kernel privileges.



3) Information disclosure (CVE-ID: CVE-2023-23498)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error in the Mail Drafts implementation when forwarding emails. When forwarding an email from an Exchange account, the quoted original message may be selected from the wrong email, leading to information disclosure.


4) Information disclosure (CVE-ID: CVE-2023-23503)

The vulnerability allows a local application to gain access to potentially sensitive information.

The vulnerability exists due to a logic issue in the Maps application. A local application can bypass Privacy preferences.


5) Information disclosure (CVE-ID: CVE-2023-23505)

The vulnerability allows a local application to gain access to potentially sensitive information.

The vulnerability exists due to a privacy issue in Screen Time. A local application can gain unauthorized access to the user's contact information.


Remediation

Install the update from the vendor's website.