Multiple vulnerabilities in Shortcuts for Apple iOS



Published: 2019-02-08
Risk: Low
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2019-7289, CVE-2019-7290
CWE-ID: CWE-22, CWE-264
Exploitation vector: Local
Public exploit: N/A
Vulnerable software: Shortcuts for iOS (Client/Desktop applications / Software for system administration)
Vendor: Apple Inc.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU17438

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7289

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper handling of directory paths in Shortcuts. A local attacker can conduct a directory traversal attack and view sensitive user information.

Mitigation

Update to version 2.1.3.

Vulnerable software versions

Shortcuts for iOS: 2.1.2

External links

http://support.apple.com/en-us/HT209522


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security restrictions bypass

EUVDB-ID: #VU17439

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7290

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker to bypass security restrictions on the target system.

The vulnerability exists due to an improperly sandboxed process in Shortcuts. A local attacker can circumvent sandbox restrictions.

Mitigation

Update to version 2.1.3.

Vulnerable software versions

Shortcuts for iOS: 2.1.2

External links

http://support.apple.com/en-us/HT209522


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


