Cyber Resilience

CVE-2020-9934

MediumCISA KEVActive ExploitationEUVD Exploited

Published: 16 October 2020

Published
16 October 2020
Modified
23 October 2025
KEV Added
08 September 2022
Patch
CVSS Score v3.1 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0210 84.4th percentile
Risk Priority 32 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-9934 is a medium-severity an unspecified weakness vulnerability in Apple Ipados. Its CVSS base score is 5.5 (Medium).

Operationally, ranked in the top 15.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

An issue existed in the handling of environment variables on Apple platforms. The vulnerability affected iOS, iPadOS, and macOS, and was addressed through improved validation of those variables. It is fixed in iOS 13.6, iPadOS 13.6, and macOS Catalina 10.15.6. The flaw carries a CVSS score of 5.5 and permits disclosure of sensitive user information.

A local user with low privileges can exploit the weakness without user interaction. By supplying crafted environment variables, an attacker can read confidential data that should otherwise remain protected from the local account.

Apple security advisories HT211288 and HT211289 describe the patches that resolve the issue in the listed operating system releases. The vulnerability is also tracked in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed real-world exploitation activity.

EU & UK References

Vulnerability details

An issue existed in the handling of environment variables. This issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6. A local user may be able to view sensitive user information.

CWE(s)
KEV Date Added
08 September 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
ipados
≤ 13.6
apple
iphone os
≤ 13.6
apple
mac os x
≤ 10.15.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the root cause by requiring validation of environment-variable inputs before they are used to access or expose sensitive data.

prevent

Enforces access-control decisions on sensitive information so that even a local process receiving crafted environment variables cannot disclose data the subject is not authorized to read.

prevent

Limits the privileges granted to local accounts, reducing the set of sensitive objects that could be reached through the environment-variable flaw.

References