Privilege escalation in Apple iTunes for Windows



Published: 2023-05-23 | Updated: 2023-11-06
Risk Low
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2023-32353
CVE-2023-32351
CVE-2023-32430
CWE-ID CWE-264
CWE-426
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		iTunes
Client/Desktop applications / Multimedia software

Vendor Apple Inc.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU76451

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32353

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a logic error. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

iTunes: 12.0 - 12.12.8.2

External links

http://support.apple.com/en-us/HT213763


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU76452

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32351

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a logic error. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

iTunes: 12.0 - 12.12.8.2

External links

http://support.apple.com/en-us/HT213763


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Untrusted search path

EUVDB-ID: #VU82750

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32430

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to usage of an untrusted search path in WebKit. A local application can execute arbitrary code on the system with escalated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

iTunes: 1.0 - 12.12.8.2

External links

http://support.apple.com/en-us/HT213763


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###