Cyber Resilience

CVE-2022-22639

Severity: High

Published: 18 March 2022
Modified: 21 November 2024
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0768 (92.1th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-22639 is a high-severity vulnerability of unspecified weakness type in Apple iPadOS. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 7.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Deeper analysis

A logic issue in state management affected Apple's iOS, iPadOS, and macOS platforms, allowing an application to obtain elevated privileges. The flaw was present in versions prior to iOS 15.4, iPadOS 15.4, and macOS Monterey 12.3, and carried a CVSS 3.1 base score of 7.8, reflecting a local attack vector, low attack complexity, no required privileges, and required user interaction.

An attacker can exploit the vulnerability by supplying a malicious application that the victim must run (the required user interaction); successful exploitation grants the app high-impact access to confidentiality, integrity, and availability on the device without any additional authentication.

Apple security advisories HT213182 and HT213183 state that the issue is resolved by improved state management in the releases noted above, so mitigation consists of installing iOS 15.4, iPadOS 15.4, or macOS Monterey 12.3 or later.

The associated EPSS score has remained flat at 0.0768 with no material increase after disclosure.

Vulnerability details

A logic issue was addressed with improved state management. This issue is fixed in iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3. An application may be able to gain elevated privileges.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor   Product     Versions
apple    ipados      ≤ 15.4
apple    iphone os   ≤ 15.4
apple    macos       ≤ 12.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
