8.8

CVE-2021-30665

Warning

A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 7.4.1, iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, macOS Big Sur 11.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..

Data is provided by the National Vulnerability Database (NVD)
AppleiPadOS Version < 14.5.1
AppleiPhone OS Version < 12.5.3
AppleiPhone OS Version >= 13.0 < 14.5.1
ApplemacOS Version < 11.3.1
AppletvOS Version < 14.6
ApplewatchOS Version < 7.4.1

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apple Multiple Products WebKit Memory Corruption Vulnerability

Vulnerability

Apple iOS, iPadOS, macOS, watchOS, and tvOS WebKit contain a memory corruption vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

Description

Apply updates per vendor instructions.

Required actions
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.76% 0.724
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://support.apple.com/en-us/HT212532
Vendor Advisory
Release Notes
https://support.apple.com/en-us/HT212341
Vendor Advisory
Release Notes
https://support.apple.com/en-us/HT212335
Vendor Advisory
Release Notes
https://support.apple.com/en-us/HT212336
Vendor Advisory
Release Notes
https://support.apple.com/en-us/HT212339
Vendor Advisory
Release Notes