| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-4256 |
125 |
|
|
2019-01-11 |
2019-01-16 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In macOS High Sierra before 10.13.5, an out-of-bounds read was addressed with improved input validation. |
|
2 |
CVE-2018-4255 |
125 |
|
|
2019-01-11 |
2019-01-16 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In macOS High Sierra before 10.13.5, an out-of-bounds read was addressed with improved input validation. |
|
3 |
CVE-2018-4252 |
200 |
|
Bypass +Info |
2018-06-08 |
2018-07-17 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11.4 is affected. The issue involves the "Siri" component. It allows physically proximate attackers to bypass the lock-screen protection mechanism and obtain private notification content via Siri. |
|
4 |
CVE-2018-4244 |
200 |
|
+Info |
2018-06-08 |
2018-07-17 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11.4 is affected. The issue involves the "Siri Contacts" component. It allows physically proximate attackers to discover private contact information via Siri. |
|
5 |
CVE-2018-4239 |
200 |
|
Bypass +Info |
2018-06-08 |
2018-07-17 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11.4 is affected. The issue involves the "Magnifier" component. It allows physically proximate attackers to bypass the lock-screen protection mechanism and see the most recent Magnifier image. |
|
6 |
CVE-2018-4238 |
284 |
|
Bypass |
2018-06-08 |
2018-07-17 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
An issue was discovered in certain Apple products. iOS before 11.4 is affected. The issue involves the "Siri" component. It allows physically proximate attackers to bypass the lock-screen protection mechanism and enable Siri. |
|
7 |
CVE-2018-4235 |
74 |
|
|
2018-06-08 |
2018-07-17 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Messages" component. It allows local users to perform impersonation attacks via an unspecified injection. |
|
8 |
CVE-2018-4226 |
200 |
|
Bypass +Info |
2018-06-08 |
2018-07-26 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. watchOS before 4.3.1 is affected. The issue involves the "Security" component. It allows local users to bypass intended restrictions on the reading of sensitive user information. |
|
9 |
CVE-2018-4225 |
20 |
|
Bypass |
2018-06-08 |
2018-07-27 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. watchOS before 4.3.1 is affected. The issue involves the "Security" component. It allows local users to bypass intended restrictions on Keychain state modifications. |
|
10 |
CVE-2018-4224 |
200 |
|
Bypass +Info |
2018-06-08 |
2018-07-17 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Security" component. It allows local users to bypass intended restrictions on the reading of a persistent device identifier. |
|
11 |
CVE-2018-4223 |
200 |
|
Bypass +Info |
2018-06-08 |
2018-07-17 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Security" component. It allows local users to bypass intended restrictions on the reading of a persistent account identifier. |
|
12 |
CVE-2018-4172 |
254 |
|
Bypass |
2018-04-03 |
2018-05-04 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the "Find My iPhone" component. It allows physically proximate attackers to bypass the iCloud password requirement for disabling the "Find My iPhone" feature via vectors involving a backup restore. |
|
13 |
CVE-2018-4170 |
255 |
|
|
2018-04-03 |
2018-05-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Admin Framework" component. It allows local users to discover a password by listing a process and its arguments during sysadminctl execution. |
|
14 |
CVE-2018-4168 |
200 |
|
+Info |
2018-04-03 |
2018-05-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the "Files Widget" component. It allows physically proximate attackers to obtain sensitive information by leveraging the display of cached data on a locked device. |
|
15 |
CVE-2018-4123 |
200 |
|
+Info |
2018-04-03 |
2018-05-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves alarm and timer handling in the "Clock" component. It allows physically proximate attackers to discover the iTunes e-mail address. |
|
16 |
CVE-2018-4092 |
362 |
|
Bypass |
2018-04-03 |
2018-05-04 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Kernel" component. A race condition allows attackers to bypass intended memory-read restrictions via a crafted app. |
|
17 |
CVE-2017-13851 |
284 |
|
Bypass |
2018-04-03 |
2018-05-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "DesktopServices" component. It allows local users to bypass intended access restrictions on home folder files. |
|
18 |
CVE-2017-13844 |
200 |
|
+Info |
2017-11-12 |
2017-12-08 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11.1 is affected. The issue involves the "Messages" component. It allows physically proximate attackers to view arbitrary photos via a Reply With Message action in the lock-screen state. |
|
19 |
CVE-2017-13839 |
200 |
|
+Info |
2018-04-03 |
2018-05-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "Spotlight" component. It allows local users to see results for other users' files. |
|
20 |
CVE-2017-13817 |
125 |
|
Bypass |
2017-11-12 |
2017-11-27 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An out-of-bounds read issue was discovered in certain Apple products. macOS before 10.13.1 is affected. The issue involves the "Kernel" component. It allows local users to bypass intended memory-read restrictions. |
|
21 |
CVE-2017-13810 |
200 |
|
+Info |
2017-11-12 |
2017-11-27 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.13.1 is affected. The issue involves the "Kernel" component. It allows local users to obtain sensitive information by leveraging an error in packet counters. |
|
22 |
CVE-2017-13805 |
200 |
|
+Info |
2017-11-12 |
2017-11-28 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11.1 is affected. The issue involves the "Siri" component. It allows physically proximate attackers to obtain sensitive information via a Siri request for private-content notifications that should not have been available in the lock-screen state. |
|
23 |
CVE-2017-13801 |
200 |
|
+Info |
2017-11-12 |
2017-11-27 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.13.1 is affected. The issue involves the "Dictionary Widget" component. It allows attackers to read local files if pasted text is used in a search. |
|
24 |
CVE-2017-13786 |
200 |
|
+Info |
2017-11-12 |
2017-11-27 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.13.1 is affected. The issue involves the "APFS" component. It does not properly restrict the DMA mapping time of FileVault decryption buffers, which allows attackers to read cleartext APFS data via a crafted Thunderbolt adapter. |
|
25 |
CVE-2017-7150 |
284 |
|
Bypass |
2017-10-22 |
2017-10-26 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.13 Supplemental Update is affected. The issue involves the "Security" component. It allows attackers to bypass the keychain access prompt, and consequently extract passwords, via a synthetic click. |
|
26 |
CVE-2017-7149 |
200 |
|
+Info |
2017-10-22 |
2017-10-26 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.13 Supplemental Update is affected. The issue involves the "StorageKit" component. It allows attackers to discover passwords for APFS encrypted volumes by reading Disk Utility hints, because the stored hint value was accidentally set to the password itself, not the entered hint value. |
|
27 |
CVE-2017-7143 |
200 |
|
+Info |
2017-10-22 |
2017-10-27 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "Captive Network Assistant" component. It allows remote attackers to discover cleartext passwords in opportunistic circumstances by sniffing the network during use of the captive portal browser, which has a UI error that can lead to cleartext transmission without the user's awareness. |
|
28 |
CVE-2017-7139 |
200 |
|
+Info |
2017-10-22 |
2017-10-26 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Phone" component. It allows attackers to obtain sensitive information by leveraging a timing bug to read a secure-content screenshot that occurred during a locking action. |
|
29 |
CVE-2017-7138 |
200 |
|
+Info |
2017-10-22 |
2017-10-26 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "Directory Utility" component. It allows local users to discover the Apple ID of the computer's owner. |
|
30 |
CVE-2017-7113 |
200 |
|
Bypass +Info |
2017-11-12 |
2017-11-28 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11.1 is affected. The issue involves the "UIKit" component. It allows attackers to bypass intended read restrictions for secure text fields via vectors involving a focus-change event. |
|
31 |
CVE-2017-7082 |
200 |
|
+Info |
2017-10-22 |
2017-10-26 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "Screen Lock" component. It allows physically proximate attackers to read Application Firewall prompts. |
|
32 |
CVE-2017-7075 |
200 |
|
+Info |
2018-04-03 |
2018-05-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Notes" component. It allows local users to obtain sensitive information by reading search results that contain locked-note content. |
|
33 |
CVE-2017-7058 |
200 |
|
+Info |
2017-07-20 |
2017-07-24 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. The issue involves the "Notifications" component. It allows physically proximate attackers to read unintended notifications on the lock screen. |
|
34 |
CVE-2017-7006 |
361 |
|
Bypass +Info |
2017-07-20 |
2017-10-15 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct a timing side-channel attack to bypass the Same Origin Policy and obtain sensitive information via a crafted web site that uses SVG filters. |
|
35 |
CVE-2017-2452 |
200 |
|
+Info |
2017-04-01 |
2017-07-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "Siri" component. It allows physically proximate attackers to read text messages on the lock screen via unspecified vectors. |
|
36 |
CVE-2017-2418 |
200 |
|
+Info |
2017-04-01 |
2017-07-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "Hypervisor" component. It allows guest OS users to obtain sensitive information from the CR8 control register via unspecified vectors. |
|
37 |
CVE-2017-2399 |
320 |
|
|
2017-04-01 |
2017-07-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "Pasteboard" component. It allows physically proximate attackers to read the pasteboard by leveraging the use of an encryption key derived only from the hardware UID (rather than that UID in addition to the user passcode). |
|
38 |
CVE-2017-2397 |
200 |
|
+Info |
2017-04-01 |
2017-07-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "Accounts" component. It allows physically proximate attackers to discover an Apple ID by reading an iCloud authentication prompt on the lock screen. |
|
39 |
CVE-2017-2390 |
264 |
|
|
2017-04-01 |
2017-07-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. watchOS before 3.2 is affected. The issue involves symlink mishandling in the "libarchive" component. It allows local users to change arbitrary directory permissions via unspecified vectors. |
|
40 |
CVE-2017-2387 |
310 |
|
+Info |
2017-04-07 |
2017-04-13 |
2.9 |
None |
Local Network |
Medium |
Not required |
Partial |
None |
None |
|
The Apple Music (aka com.apple.android.music) application before 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
41 |
CVE-2017-2385 |
200 |
|
+Info |
2017-04-01 |
2017-07-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. Safari before 10.1 is affected. The issue involves the "Safari Login AutoFill" component. It allows local users to obtain access to locked keychain items via unspecified vectors. |
|
42 |
CVE-2017-2384 |
200 |
|
+Info |
2017-04-01 |
2017-07-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves mishandling of deletion within the SQLite subsystem of the "Safari" component. It allows local users to identify the web-site visits that occurred in Private Browsing mode. |
|
43 |
CVE-2017-2352 |
254 |
|
Bypass |
2017-02-20 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "Unlock with iPhone" component, which allows attackers to bypass the wrist-presence protection mechanism and unlock a Watch device via unspecified vectors. |
|
44 |
CVE-2017-2351 |
254 |
|
Bypass |
2017-02-20 |
2017-07-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. The issue involves the "WiFi" component, which allows physically proximate attackers to bypass the activation-lock protection mechanism and view the home screen via unspecified vectors. |
|
45 |
CVE-2016-7765 |
200 |
|
+Info |
2017-02-20 |
2017-02-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Clipboard" component, which allows physically proximate attackers to obtain sensitive information in the lockscreen state by viewing clipboard contents. |
|
46 |
CVE-2016-7761 |
200 |
|
+Info |
2017-02-20 |
2017-02-22 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "WiFi" component, which allows local users to obtain sensitive network-configuration information by leveraging global storage. |
|
47 |
CVE-2016-7759 |
200 |
|
+Info |
2017-02-20 |
2017-02-22 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 10 is affected. The issue involves the "Springboard" component, which allows physically proximate attackers to obtain sensitive information by viewing application snapshots in the Task Switcher. |
|
48 |
CVE-2016-7714 |
200 |
|
+Info |
2017-02-20 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "IOKit" component. It allows local users to obtain sensitive kernel memory-layout information via unspecified vectors. |
|
49 |
CVE-2016-7664 |
200 |
|
+Info |
2017-02-20 |
2017-07-26 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Accessibility" component. which allows physically proximate attackers to obtain sensitive photo and contact information by leveraging the availability of excessive options during lockscreen access. |
|
50 |
CVE-2016-7653 |
200 |
|
+Info |
2017-02-20 |
2017-07-26 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Media Player" component, which allows physically proximate attackers to obtain sensitive photo and contact information by leveraging lockscreen access. |
