CVE-2021-30823 - OpenCVE

A logic issue was addressed with improved restrictions. This issue is fixed in macOS Monterey 12.0.1, iOS 14.8 and iPadOS 14.8, tvOS 15, Safari 15, watchOS 8. An attacker in a privileged network position may be able to bypass HSTS.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apple	Iphone Os Watchos Tvos Ipados Safari Macos

Configuration 1 [-]

OR	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:tvos::::::::
	cpe:2.3:o:apple:watchos::::::::

References

Link	Resource
http://www.openwall.com/lists/oss-security/2021/12/20/6	Mailing List Third Party Advisory
https://support.apple.com/en-us/HT212807	Vendor Advisory
https://support.apple.com/en-us/HT212815	Vendor Advisory
https://support.apple.com/en-us/HT212816	Vendor Advisory
https://support.apple.com/en-us/HT212819	Vendor Advisory
https://support.apple.com/en-us/HT212869	Vendor Advisory
https://support.apple.com/kb/HT212953	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apple

Published: 2021-10-28T18:17:07

Updated: 2021-12-20T15:06:45

Reserved: 2021-04-13T00:00:00

Link: CVE-2021-30823

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-10-28T19:15:09.090

Modified: 2023-01-09T16:41:59.350

Link: CVE-2021-30823

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "iOS and iPadOS", "vendor": "Apple", "versions": [{"lessThan": "14.8", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "tvOS", "vendor": "Apple", "versions": [{"lessThan": "15", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Safari", "vendor": "Apple", "versions": [{"lessThan": "15", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "watchOS", "vendor": "Apple", "versions": [{"lessThan": "8", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "macOS", "vendor": "Apple", "versions": [{"lessThan": "12.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A logic issue was addressed with improved restrictions. This issue is fixed in macOS Monterey 12.0.1, iOS 14.8 and iPadOS 14.8, tvOS 15, Safari 15, watchOS 8. An attacker in a privileged network position may be able to bypass HSTS."}], "problemTypes": [{"descriptions": [{"description": "An attacker in a privileged network position may be able to bypass HSTS", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-12-20T15:06:45", "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.apple.com/en-us/HT212807"}, {"tags": ["x_refsource_MISC"], "url": "https://support.apple.com/en-us/HT212819"}, {"tags": ["x_refsource_MISC"], "url": "https://support.apple.com/en-us/HT212815"}, {"tags": ["x_refsource_MISC"], "url": "https://support.apple.com/en-us/HT212816"}, {"tags": ["x_refsource_MISC"], "url": "https://support.apple.com/en-us/HT212869"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.apple.com/kb/HT212953"}, {"name": "[oss-security] 20211220 WebKitGTK and WPE WebKit Security Advisory WSA-2021-0007", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/12/20/6"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "product-security@apple.com", "ID": "CVE-2021-30823", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "iOS and iPadOS", "version": {"version_data": [{"version_affected": "<", "version_value": "14.8"}]}}, {"product_name": "tvOS", "version": {"version_data": [{"version_affected": "<", "version_value": "15"}]}}, {"product_name": "Safari", "version": {"version_data": [{"version_affected": "<", "version_value": "15"}]}}, {"product_name": "watchOS", "version": {"version_data": [{"version_affected": "<", "version_value": "8"}]}}, {"product_name": "macOS", "version": {"version_data": [{"version_affected": "<", "version_value": "12.0"}]}}]}, "vendor_name": "Apple"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A logic issue was addressed with improved restrictions. This issue is fixed in macOS Monterey 12.0.1, iOS 14.8 and iPadOS 14.8, tvOS 15, Safari 15, watchOS 8. An attacker in a privileged network position may be able to bypass HSTS."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "An attacker in a privileged network position may be able to bypass HSTS"}]}]}, "references": {"reference_data": [{"name": "https://support.apple.com/en-us/HT212807", "refsource": "MISC", "url": "https://support.apple.com/en-us/HT212807"}, {"name": "https://support.apple.com/en-us/HT212819", "refsource": "MISC", "url": "https://support.apple.com/en-us/HT212819"}, {"name": "https://support.apple.com/en-us/HT212815", "refsource": "MISC", "url": "https://support.apple.com/en-us/HT212815"}, {"name": "https://support.apple.com/en-us/HT212816", "refsource": "MISC", "url": "https://support.apple.com/en-us/HT212816"}, {"name": "https://support.apple.com/en-us/HT212869", "refsource": "MISC", "url": "https://support.apple.com/en-us/HT212869"}, {"name": "https://support.apple.com/kb/HT212953", "refsource": "CONFIRM", "url": "https://support.apple.com/kb/HT212953"}, {"name": "[oss-security] 20211220 WebKitGTK and WPE WebKit Security Advisory WSA-2021-0007", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/12/20/6"}]}}}}, "cveMetadata": {"assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "assignerShortName": "apple", "cveId": "CVE-2021-30823", "datePublished": "2021-10-28T18:17:07", "dateReserved": "2021-04-13T00:00:00", "dateUpdated": "2021-12-20T15:06:45", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "matchCriteriaId": "83B0206D-A14B-4BD7-809F-812E7EFE0C1C", "versionEndExcluding": "15.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "FCD67B72-0B1D-46A8-A149-8149ED749FEC", "versionEndExcluding": "14.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "56F86481-D995-43D7-982F-5DC6E4682A65", "versionEndExcluding": "14.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "579B2A0D-A84F-45C2-B545-35ECEA3297DA", "versionEndExcluding": "12.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*", "matchCriteriaId": "B32A978E-673C-421D-93A1-CA84D90B67E4", "versionEndExcluding": "15.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*", "matchCriteriaId": "5364285F-B3F2-465B-B738-2FC1C8913A44", "versionEndExcluding": "8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A logic issue was addressed with improved restrictions. This issue is fixed in macOS Monterey 12.0.1, iOS 14.8 and iPadOS 14.8, tvOS 15, Safari 15, watchOS 8. An attacker in a privileged network position may be able to bypass HSTS."}, {"lang": "es", "value": "Se abord\u00f3 un problema de l\u00f3gica con restricciones mejoradas. Este problema se corrigi\u00f3 en macOS Monterey versi\u00f3n 12.0.1, iOS versi\u00f3n 14.8 y iPadOS versi\u00f3n 14.8, tvOS versi\u00f3n 15, Safari versi\u00f3n 15, watchOS versi\u00f3n 8. Un atacante en una posici\u00f3n de red privilegiada puede ser capaz de omitir HSTS"}], "id": "CVE-2021-30823", "lastModified": "2023-01-09T16:41:59.350", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-28T19:15:09.090", "references": [{"source": "product-security@apple.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/12/20/6"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/HT212807"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/HT212815"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/HT212816"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/HT212819"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/HT212869"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/kb/HT212953"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}