CVE-2023-41993 - OpenCVE

The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apple	Iphone Os Ipados Macos
Netapp	Oncommand Insight Cloud Insights Acquisition Unit Oncommand Workflow Automation Cloud Insights Storage Workload Security Agent
Oracle	Graalvm Jdk Jre
Fedoraproject	Fedora
Debian	Debian Linux

Configuration 1 [-]

OR	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:macos::::::::

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:37:::::::*
	cpe:2.3:o:fedoraproject:fedora:38:::::::*
	cpe:2.3:o:fedoraproject:fedora:39:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:11.0:::::::*
	cpe:2.3:o:debian:debian_linux:12.0:::::::*

Configuration 4 [-]

OR	cpe:2.3:a:oracle:graalvm:20.3.13::::enterprise:::
	cpe:2.3:a:oracle:graalvm:21.3.9::::enterprise:::
	cpe:2.3:a:oracle:jdk:1.8.0:update401::::::
	cpe:2.3:a:oracle:jre:1.8.0:update401::::::

Configuration 5 [-]

OR	cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:::::::*
	cpe:2.3:a:netapp:cloud_insights_storage_workload_security_agent:-:::::::*
	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*

References

Link	Resource
https://security.gentoo.org/glsa/202401-33	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240426-0004/	Third Party Advisory
https://support.apple.com/en-us/HT213940	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apple

Published: 2023-09-21T18:23:52.197Z

Updated: 2024-06-25T18:59:55.871Z

Reserved: 2023-09-06T17:40:06.142Z

Link: CVE-2023-41993

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-09-21T19:15:11.660

Modified: 2024-05-23T17:51:57.663

Link: CVE-2023-41993

JSON object: View

Redhat Information

No data.

CWE

CWE-754

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-41993", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2023-09-06T17:40:06.142Z", "datePublished": "2023-09-21T18:23:52.197Z", "dateUpdated": "2024-06-25T18:59:55.871Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7."}]}], "affected": [{"vendor": "Apple", "product": "macOS", "versions": [{"version": "unspecified", "status": "affected", "lessThan": "14", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7."}], "references": [{"url": "https://support.apple.com/en-us/HT213940"}, {"url": "https://security.gentoo.org/glsa/202401-33"}, {"url": "https://security.netapp.com/advisory/ntap-20240426-0004/"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2024-01-23T00:25:39.867Z"}}, "adp": [{"affected": [{"vendor": "apple", "product": "iphone_os", "cpes": ["cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "17.0.1", "versionType": "custom"}]}, {"vendor": "apple", "product": "ipad_os", "cpes": ["cpe:2.3:o:apple:ipad_os:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "17.0.1", "versionType": "custom"}]}, {"vendor": "apple", "product": "macos", "cpes": ["cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "14.0", "versionType": "custom"}]}, {"vendor": "fedoraproject", "product": "fedora", "cpes": ["cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "37", "status": "affected"}]}, {"vendor": "fedoraproject", "product": "fedora", "cpes": ["cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "38", "status": "affected"}]}, {"vendor": "fedoraproject", "product": "fedora", "cpes": ["cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "39", "status": "affected"}]}, {"vendor": "debian", "product": "debian_linux", "cpes": ["cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "11.0", "status": "affected"}, {"version": "12.0", "status": "affected"}]}, {"vendor": "oracle", "product": "graalvm", "cpes": ["cpe:2.3:a:oracle:graalvm:21.3.9:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "20.3.13", "status": "affected"}]}, {"vendor": "oracle", "product": "graalvm", "cpes": ["cpe:2.3:a:oracle:graalvm:21.3.9:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "21.3.9", "status": "affected"}]}, {"vendor": "oracle", "product": "jdk", "cpes": ["cpe:2.3:a:oracle:jdk:1.8.0:-:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.8.0", "status": "affected"}]}, {"vendor": "oracle", "product": "jre", "cpes": ["cpe:2.3:a:oracle:jre:1.8.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.8.0", "status": "affected"}]}, {"vendor": "netapp", "product": "cloud_insights_acquisition_unit", "cpes": ["cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "*", "versionType": "custom"}]}, {"vendor": "netapp", "product": "cloud_insights_storage_workload_security_agent", "cpes": ["cpe:2.3:a:netapp:cloud_insights_storage_workload_security_agent:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "*", "versionType": "custom"}]}, {"vendor": "netapp", "product": "oncommand_insight", "cpes": ["cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "*", "versionType": "custom"}]}, {"vendor": "netapp", "product": "oncommand_workflow_automation", "cpes": ["cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "*", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-01-11T02:17:52.028515Z", "id": "CVE-2023-41993", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2023-09-25", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-41993"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-25T18:59:55.871Z"}}]}}

{"cisaActionDue": "2023-10-16", "cisaExploitAdd": "2023-09-25", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Apple Multiple Products WebKit Code Execution Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "4FE34465-0131-48BD-9BB6-47F83243BAE3", "versionEndExcluding": "17.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB5FD4B4-540C-4068-90D2-BEC12CDF54D9", "versionEndExcluding": "17.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A5DD3D5-FB4F-4313-B873-DCED87FC4605", "versionEndExcluding": "14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:graalvm:20.3.13:*:*:*:enterprise:*:*:*", "matchCriteriaId": "00EDC8FF-13F2-4218-9EF4-B509364AE7B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:graalvm:21.3.9:*:*:*:enterprise:*:*:*", "matchCriteriaId": "938A32D1-FBAB-42AE-87A7-AB19402B561A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jdk:1.8.0:update401:*:*:*:*:*:*", "matchCriteriaId": "B9155227-6787-4FAA-BB2C-C99D77DD2111", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.8.0:update401:*:*:*:*:*:*", "matchCriteriaId": "FD4CDABD-BC1E-4A23-8022-D7A0E615C9F4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*", "matchCriteriaId": "CCAA4004-9319-478C-9D55-0E8307F872F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:cloud_insights_storage_workload_security_agent:-:*:*:*:*:*:*:*", "matchCriteriaId": "3B199052-5732-4726-B06B-A12C70DFB891", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7."}, {"lang": "es", "value": "El problema se solucion\u00f3 con controles mejorados. Este problema se solucion\u00f3 en Safari 17, iOS 16.7 y iPadOS 16.7, macOS Sonoma 14. El procesamiento de contenido web puede provocar la ejecuci\u00f3n de c\u00f3digo arbitrario. Apple tiene conocimiento de un informe que indica que este problema puede haber sido explotado activamente en versiones de iOS anteriores a iOS 16.7."}], "id": "CVE-2023-41993", "lastModified": "2024-05-23T17:51:57.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-21T19:15:11.660", "references": [{"source": "product-security@apple.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202401-33"}, {"source": "product-security@apple.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240426-0004/"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/HT213940"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "nvd@nist.gov", "type": "Primary"}]}