ID

VAR-202109-1390


CVE

CVE-2021-30690


TITLE

Apple Mac OS X  Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-013542

DESCRIPTION

Multiple issues in apache were addressed by updating apache to version 2.4.46. This issue is fixed in Security Update 2021-004 Mojave. Multiple issues in apache. Apple Mac OS X contains unspecified vulnerabilities. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Apple macOS is a set of dedicated operating systems developed by Apple Corporation for Mac computers. A security signature issue exists in Apple macOS that could allow a remote attacker to bypass implemented security restrictions.

The following products and versions are affected: Apple macOS: 10.14 18A391, 10.14.1 18B75, 10.14.1 18B2107, 10.14.1 18B3094, 10.14.2 18C54, 10.14.3 18D42, 10.14.3 18D43, 10.14.3 18D43, 10.10.10.14 4 18E226, 10.14.14 18E227, 10.14.5 18F132, 10.14.6 18G84, 10.14.6 18G87, 10.14.6 18G95, 10.14.6 18G103, 10.14.6 18G1012, 10.14.6 18G2022, 10.14.6 18G3020, 10.14.6 18G4032, 10.14.6 18G5033, 10.14.6 18G6020, 10.14.6 18G6032, 10.14.6 18G6042, 10.14.6 18G7016, 10.14.6 18G8012, 10.14.12 2, 6 18001.

Information about the security content is also available at https://support.apple.com/HT212531.

AMD
Available for: macOS Mojave
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: A logic issue was addressed with improved state management.
CVE-2021-30676: shrek_wzw

AMD
Available for: macOS Mojave
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A logic issue was addressed with improved state management.
CVE-2021-30690: an anonymous researcher

AppleScript
Available for: macOS Mojave
Impact: A malicious application may bypass Gatekeeper checks
Description: A logic issue was addressed with improved state management.
CVE-2021-30669: Yair Hoffmann

Core Services
Available for: macOS Mojave
Impact: A malicious application may be able to gain root privileges
Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.
CVE-2021-30681: Zhongcheng Li (CK01)

CVMS
Available for: macOS Mojave
Impact: A local attacker may be able to elevate their privileges
Description: This issue was addressed with improved checks.
CVE-2021-30724: Mickey Jin (@patch1t) of Trend Micro

Heimdal
Available for: macOS Mojave
Impact: A malicious application may cause a denial of service or potentially disclose memory contents
Description: A memory corruption issue was addressed with improved state management.
CVE-2021-30710: Gabe Kirkpatrick (@gabe_k)

Heimdal
Available for: macOS Mojave
Impact: A remote attacker may be able to cause a denial of service
Description: A race condition was addressed with improved locking.
CVE-2021-1884: Gabe Kirkpatrick (@gabe_k)

Heimdal
Available for: macOS Mojave
Impact: Processing maliciously crafted server messages may lead to heap corruption
Description: This issue was addressed with improved checks.
CVE-2021-1883: Gabe Kirkpatrick (@gabe_k)

Heimdal
Available for: macOS Mojave
Impact: A local user may be able to leak sensitive user information
Description: A logic issue was addressed with improved state management.
CVE-2021-30697: Gabe Kirkpatrick (@gabe_k)

Heimdal
Available for: macOS Mojave
Impact: A malicious application could execute arbitrary code leading to compromise of user information
Description: A use after free issue was addressed with improved memory management.
CVE-2021-30683: Gabe Kirkpatrick (@gabe_k)

ImageIO
Available for: macOS Mojave
Impact: Processing a maliciously crafted image may lead to disclosure of user information
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-30687: Hou JingYi (@hjy79425575) of Qihoo 360

ImageIO
Available for: macOS Mojave
Impact: Processing a maliciously crafted ASTC file may disclose memory contents
Description: This issue was addressed with improved checks.
CVE-2021-30705: Ye Zhang of Baidu Security

Intel Graphics Driver
Available for: macOS Mojave
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2021-30728: Liu Long of Ant Security Light-Year Lab

Kernel
Available for: macOS Mojave
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A logic issue was addressed with improved state management.
CVE-2021-30704: an anonymous researcher

Login Window
Available for: macOS Mojave
Impact: A person with physical access to a Mac may be able to bypass Login Window
Description: A logic issue was addressed with improved state management.
CVE-2021-30702: Jewel Lambert of Original Spin, LLC.

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted USD file may disclose memory contents
Description: An information disclosure issue was addressed with improved state management.
CVE-2021-30723: Mickey Jin (@patch1t) of Trend Micro
CVE-2021-30691: Mickey Jin (@patch1t) of Trend Micro
CVE-2021-30694: Mickey Jin (@patch1t) of Trend Micro
CVE-2021-30692: Mickey Jin (@patch1t) of Trend Micro

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted USD file may disclose memory contents
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-30746: Mickey Jin (@patch1t) of Trend Micro

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: A validation issue was addressed with improved logic.
CVE-2021-30693: Mickey Jin (@patch1t) & Junzhi Lu (@pwn0rz) of Trend Micro

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted USD file may disclose memory contents
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-30695: Mickey Jin (@patch1t) & Junzhi Lu (@pwn0rz) of Trend Micro

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-30708: Mickey Jin (@patch1t) & Junzhi Lu (@pwn0rz) of Trend Micro

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted USD file may disclose memory contents
Description: This issue was addressed with improved checks.
CVE-2021-30709: Mickey Jin (@patch1t) of Trend Micro

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2021-30725: Mickey Jin (@patch1t) of Trend Micro

NSOpenPanel
Available for: macOS Mojave
Impact: An application may be able to gain elevated privileges
Description: This issue was addressed by removing the vulnerable code.
CVE-2021-30679: Gabe Kirkpatrick (@gabe_k)

OpenLDAP
Available for: macOS Mojave
Impact: A remote attacker may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2020-36226
CVE-2020-36229
CVE-2020-36225
CVE-2020-36224
CVE-2020-36223
CVE-2020-36227
CVE-2020-36228
CVE-2020-36221
CVE-2020-36222
CVE-2020-36230

smbx
Available for: macOS Mojave
Impact: An attacker in a privileged network position may be able to perform denial of service
Description: A logic issue was addressed with improved state management.
CVE-2021-30716: Aleksandar Nikolic of Cisco Talos

smbx
Available for: macOS Mojave
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: A memory corruption issue was addressed with improved state management.
CVE-2021-30717: Aleksandar Nikolic of Cisco Talos

smbx
Available for: macOS Mojave
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A logic issue was addressed with improved state management.
CVE-2021-30712: Aleksandar Nikolic of Cisco Talos

smbx
Available for: macOS Mojave
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: A path handling issue was addressed with improved validation.
CVE-2021-30721: Aleksandar Nikolic of Cisco Talos

smbx
Available for: macOS Mojave
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: An information disclosure issue was addressed with improved state management.
CVE-2021-30722: Aleksandar Nikolic of Cisco Talos

Additional recognition

CFString
We would like to acknowledge an anonymous researcher for their assistance.

CoreCapture
We would like to acknowledge Zuozhi Fan (@pattern_F_) of Ant-financial TianQiong Security Lab for their assistance.
Installation note: This update may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 2.43

sources: NVD: CVE-2021-30690 // JVNDB: JVNDB-2021-013542 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-390423 // VULMON: CVE-2021-30690 // PACKETSTORM: 162821

AFFECTED PRODUCTS

vendor: apple, model: mac os x, scope: gte, version: 10.14

Trust: 1.0

vendor: apple, model: mac os x, scope: lte, version: 10.14.5

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.14.6

Trust: 1.0

vendor: Apple, model: apple mac os x, scope: -, version: -

Trust: 0.8

vendor: Apple, model: apple mac os x, scope: eq, version: 10.14 to 10.14.5

Trust: 0.8

vendor: Apple, model: apple mac os x, scope: eq, version: -

Trust: 0.8

vendor: Apple, model: apple mac os x, scope: eq, version: 10.14.6

Trust: 0.8

sources: JVNDB: JVNDB-2021-013542 // NVD: CVE-2021-30690

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-30690
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-30690
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202105-1520
value: CRITICAL

Trust: 0.6

VULHUB: VHN-390423
value: HIGH

Trust: 0.1

VULMON: CVE-2021-30690
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-30690
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-390423
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-30690
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-30690
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-390423 // VULMON: CVE-2021-30690 // JVNDB: JVNDB-2021-013542 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1520 // NVD: CVE-2021-30690

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: Lack of information (CWE-noinfo) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-013542 // NVD: CVE-2021-30690

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202105-1520

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: HT212531 Apple Security update, url: https://support.apple.com/en-us/HT212531

Trust: 0.8

title: Apple macOS Fixing measures for security feature vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=151705

Trust: 0.6

sources: JVNDB: JVNDB-2021-013542 // CNNVD: CNNVD-202105-1520

EXTERNAL IDS

db: NVD, id: CVE-2021-30690

Trust: 3.5

db: PACKETSTORM, id: 162821

Trust: 0.8

db: JVNDB, id: JVNDB-2021-013542

Trust: 0.8

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: AUSCERT, id: ESB-2021.1794

Trust: 0.6

db: CS-HELP, id: SB2021052501

Trust: 0.6

db: CNNVD, id: CNNVD-202105-1520

Trust: 0.6

db: VULHUB, id: VHN-390423

Trust: 0.1

db: VULMON, id: CVE-2021-30690

Trust: 0.1

sources: VULHUB: VHN-390423 // VULMON: CVE-2021-30690 // JVNDB: JVNDB-2021-013542 // PACKETSTORM: 162821 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1520 // NVD: CVE-2021-30690

REFERENCES

url:https://support.apple.com/en-us/ht212531

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-30690

Trust: 1.5

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021052501

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1794

Trust: 0.6

url:https://packetstormsecurity.com/files/162821/apple-security-advisory-2021-05-25-3.html

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://seclists.org/fulldisclosure/2021/may/65

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-36228

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1884

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30695

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-36222

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30697

Trust: 0.1

url:https://support.apple.com/downloads/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30669

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-36221

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-36225

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30676

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-36226

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-36224

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30694

Trust: 0.1

url:https://support.apple.com/ht212531.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-36229

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-36223

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30679

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30693

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30678

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30687

Trust: 0.1

url:https://support.apple.com/kb/ht201222

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-36230

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30681

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-36227

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30683

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30691

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30692

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1883

Trust: 0.1

sources: VULHUB: VHN-390423 // VULMON: CVE-2021-30690 // JVNDB: JVNDB-2021-013542 // PACKETSTORM: 162821 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1520 // NVD: CVE-2021-30690

CREDITS

Apple

Trust: 0.1

sources: PACKETSTORM: 162821

SOURCES

db: VULHUB, id: VHN-390423
db: VULMON, id: CVE-2021-30690
db: JVNDB, id: JVNDB-2021-013542
db: PACKETSTORM, id: 162821
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202105-1520
db: NVD, id: CVE-2021-30690

LAST UPDATE DATE

2024-08-14T12:11:19.949000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-390423, date: 2021-09-17T00:00:00
db: VULMON, id: CVE-2021-30690, date: 2021-09-17T00:00:00
db: JVNDB, id: JVNDB-2021-013542, date: 2022-09-15T06:15:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202105-1520, date: 2021-09-18T00:00:00
db: NVD, id: CVE-2021-30690, date: 2021-09-17T17:53:35.563

SOURCES RELEASE DATE

db: VULHUB, id: VHN-390423, date: 2021-09-08T00:00:00
db: VULMON, id: CVE-2021-30690, date: 2021-09-08T00:00:00
db: JVNDB, id: JVNDB-2021-013542, date: 2022-09-15T00:00:00
db: PACKETSTORM, id: 162821, date: 2021-05-26T17:46:16
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202105-1520, date: 2021-05-25T00:00:00
db: NVD, id: CVE-2021-30690, date: 2021-09-08T15:15:14.797