CVE-2021-1879
Published: 02 April 2021
Summary
CVE-2021-1879 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Apple iOS (iPhone OS). Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 25.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2021-1879 is a cross-site scripting flaw (CWE-79) caused by insufficient management of object lifetimes during web content processing. It affects Apple iOS prior to versions 12.5.2 and 14.4.2, iPadOS prior to 14.4.2, and watchOS prior to 7.3.3. Its CVSS score of 6.1 reflects a network attack vector, low attack complexity, required user interaction, a changed scope, and confidentiality and integrity impacts.
An attacker can exploit the issue by serving maliciously crafted web content that triggers universal cross-site scripting, allowing limited reading or modification of data across security boundaries on the affected device. The attack requires no authentication and can be delivered remotely, though user interaction, such as visiting a web page, is needed.
Apple's security advisories for iOS 12.5.2, iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3 state that the issue is resolved by improved object lifetime handling in those updates. Apple also notes that it is aware of a report that the vulnerability may have been actively exploited in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-7343
Vulnerability details
This issue was addressed by improved management of object lifetimes. This issue is fixed in iOS 12.5.2, iOS 14.4.2 and iPadOS 14.4.2, watchOS 7.3.3. Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.
- CWE(s): CWE-79
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely application of the vendor patches (iOS 12.5.2/14.4.2, iPadOS 14.4.2, watchOS 7.3.3) that corrected the object-lifetime flaw.
- Restricts execution of untrusted mobile code (WebKit/JavaScript), which is the delivery vector for the universal XSS payload.
- Enforces information-flow boundaries between web-origin contexts, blocking the cross-site data access the flaw permits.