CVE-2024-23282

Published Jun 10, 2024

Last updated 7 months ago

CVSS medium 5.5

Apple

iPadOS

iOS

macOS

Overview

AI description

Automated description summarized from trusted sources.

CVE-2024-23282 is a vulnerability in Apple's macOS, iOS, and iPadOS that involves improper authorization within the Email Handler component. A maliciously crafted email could potentially initiate FaceTime calls without the user's explicit authorization. The vulnerability stems from the product not performing or incorrectly performing an authorization check when an actor attempts to access a resource or perform an action. Apple addressed this issue with improved checks in macOS Sonoma 14.5, watchOS 10.5, iOS 17.5 and iPadOS 17.5, iOS 16.7.8 and iPadOS 16.7.8.

Description: The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5, watchOS 10.5, iOS 17.5 and iPadOS 17.5, iOS 16.7.8 and iPadOS 16.7.8. A maliciously crafted email may be able to initiate FaceTime calls without user authorization.
Source: product-security@apple.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.5
Impact score: 3.6
Exploitability score: 1.8
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Severity: MEDIUM

Weaknesses

nvd@nist.gov: NVD-CWE-noinfo
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-552

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 12

CVE-2024-23282 : A maliciously crafted email may be able to initiate FaceTime calls without user authorization I submitted a complete PoC for this vulnerability to Apple, but they awarded me a reward of $5,000. I requested a re-evaluation, but Apple declined.😢 https://t.co/2v
@minacris_
4303 Impressions
4 Retweets
33 Likes
7 Bookmarks
4 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "732206AE-D798-41FB-8D91-F796820F912D",
            "versionEndExcluding": "16.7.8"
          },
          {
            "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0C520138-1984-4369-8615-09FF57F0BB70",
            "versionEndExcluding": "17.5",
            "versionStartIncluding": "17.0"
          },
          {
            "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0EDF6AF0-A238-47E5-9A9D-F6FDB832DD8C",
            "versionEndExcluding": "16.7.8"
          },
          {
            "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DEC0ACF3-F486-4536-8415-A176C68CE183",
            "versionEndExcluding": "17.5",
            "versionStartIncluding": "17.0"
          },
          {
            "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6AB18623-7D06-4946-99FC-808A4A913ED9",
            "versionEndExcluding": "14.5",
            "versionStartIncluding": "14.0"
          },
          {
            "criteria": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CC4B1E01-BE73-48F8-9BD5-32F7C57EB45A",
            "versionEndExcluding": "10.5"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.