certfr_avis - certfr-2022-avi-756

CERTFR-2022-AVI-756

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans Apple Safari. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.

Apple indique que la vulnérabilité CVE-2022-32893 serait activement exploitée.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Apple	Safari	Safari versions antérieures à 15.6.1

References

Title

Publication Time

CVE-2022-32893 (GCVE-0-2022-32893)

Vulnerability from cvelistv5 – Published: 2022-08-24 00:00 – Updated: 2025-10-21 23:15

Summary

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Assigner

apple

References

URL

Tags

	https://support.apple.com/en-us/HT213414
	https://support.apple.com/en-us/HT213412
	https://support.apple.com/en-us/HT213413
	http://www.openwall.com/lists/oss-security/2022/08/25/5	mailing-list
	http://www.openwall.com/lists/oss-security/2022/08/26/2	mailing-list
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://www.debian.org/security/2022/dsa-5220	vendor-advisory
	https://www.debian.org/security/2022/dsa-5219	vendor-advisory
	http://www.openwall.com/lists/oss-security/2022/08/29/1	mailing-list
	http://www.openwall.com/lists/oss-security/2022/08/29/2	mailing-list
	https://lists.debian.org/debian-lts-announce/2022…	mailing-list
	https://security.gentoo.org/glsa/202208-39	vendor-advisory
	http://seclists.org/fulldisclosure/2022/Aug/16	mailing-list
	http://www.openwall.com/lists/oss-security/2022/0…	mailing-list
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	http://www.openwall.com/lists/oss-security/2022/09/13/1	mailing-list
	http://seclists.org/fulldisclosure/2022/Oct/49	mailing-list

Impacted products

Vendor

Product

Version

Apple

Safari

Affected: unspecified , < 15.6 (custom)

	Apple	iOS and iPadOS	Affected: unspecified , < 15.6 (custom)
	Apple	macOS	Affected: unspecified , < 12.5 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:54:03.184Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/en-us/HT213414"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/en-us/HT213412"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/en-us/HT213413"
          },
          {
            "name": "[oss-security] 20220825 WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/08/25/5"
          },
          {
            "name": "[oss-security] 20220826 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/08/26/2"
          },
          {
            "name": "FEDORA-2022-eada5f24a0",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7SETAAXEPGNBMYKTUDFEZHS5LGSQ64QL/"
          },
          {
            "name": "DSA-5220",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5220"
          },
          {
            "name": "DSA-5219",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5219"
          },
          {
            "name": "[oss-security] 20220829 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/08/29/1"
          },
          {
            "name": "[oss-security] 20220829 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/08/29/2"
          },
          {
            "name": "[debian-lts-announce] 20220830 [SECURITY] [DLA 3087-1] webkit2gtk security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00019.html"
          },
          {
            "name": "GLSA-202208-39",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-39"
          },
          {
            "name": "20220831 APPLE-SA-2022-08-31-1 iOS 12.5.6",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/Aug/16"
          },
          {
            "name": "[oss-security] 20220902 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/09/02/10"
          },
          {
            "name": "FEDORA-2022-ddfeee50c9",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKJGV2EXVMYQW3OAJNI4WUTKKVMD2YYK/"
          },
          {
            "name": "[oss-security] 20220913 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/09/13/1"
          },
          {
            "name": "20221030 APPLE-SA-2022-10-27-13 watchOS 9",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/Oct/49"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-32893",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-29T16:26:40.933813Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-08-18",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-32893"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:15:36.579Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-32893"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-08-18T00:00:00+00:00",
            "value": "CVE-2022-32893 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Safari",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "15.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "iOS and iPadOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "15.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "macOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "12.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-30T00:00:00.000Z",
        "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
        "shortName": "apple"
      },
      "references": [
        {
          "url": "https://support.apple.com/en-us/HT213414"
        },
        {
          "url": "https://support.apple.com/en-us/HT213412"
        },
        {
          "url": "https://support.apple.com/en-us/HT213413"
        },
        {
          "name": "[oss-security] 20220825 WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/08/25/5"
        },
        {
          "name": "[oss-security] 20220826 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/08/26/2"
        },
        {
          "name": "FEDORA-2022-eada5f24a0",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7SETAAXEPGNBMYKTUDFEZHS5LGSQ64QL/"
        },
        {
          "name": "DSA-5220",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5220"
        },
        {
          "name": "DSA-5219",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5219"
        },
        {
          "name": "[oss-security] 20220829 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/08/29/1"
        },
        {
          "name": "[oss-security] 20220829 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/08/29/2"
        },
        {
          "name": "[debian-lts-announce] 20220830 [SECURITY] [DLA 3087-1] webkit2gtk security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00019.html"
        },
        {
          "name": "GLSA-202208-39",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202208-39"
        },
        {
          "name": "20220831 APPLE-SA-2022-08-31-1 iOS 12.5.6",
          "tags": [
            "mailing-list"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/Aug/16"
        },
        {
          "name": "[oss-security] 20220902 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/09/02/10"
        },
        {
          "name": "FEDORA-2022-ddfeee50c9",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKJGV2EXVMYQW3OAJNI4WUTKKVMD2YYK/"
        },
        {
          "name": "[oss-security] 20220913 Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/09/13/1"
        },
        {
          "name": "20221030 APPLE-SA-2022-10-27-13 watchOS 9",
          "tags": [
            "mailing-list"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/Oct/49"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
    "assignerShortName": "apple",
    "cveId": "CVE-2022-32893",
    "datePublished": "2022-08-24T00:00:00.000Z",
    "dateReserved": "2022-06-09T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:15:36.579Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted