CVE-2022-22639
Published: 18 March 2022
Summary
CVE-2022-22639 is a high-severity vulnerability in Apple iPadOS (the same issue affects iOS and macOS) for which no specific CWE has been assigned. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 7.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
A logic issue in state management affected Apple's iOS, iPadOS, and macOS, allowing an application to gain elevated privileges. The flaw was present in versions prior to iOS 15.4, iPadOS 15.4, and macOS Monterey 12.3 and carried a CVSS 3.1 base score of 7.8, reflecting a local attack vector, low attack complexity, no privileges required, and user interaction required.
An attacker exploits the vulnerability by supplying a malicious application that the victim must run; successful exploitation gives that app high impact on the confidentiality, integrity, and availability of the device without any further authentication.
Apple security advisories HT213182 and HT213183 state that the issue is resolved by improved state management in the releases noted above, so mitigation consists of installing iOS 15.4, iPadOS 15.4, or macOS Monterey 12.3 or later.
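The fixed versions above are the only data a fleet check needs. The following is an added example (not Apple's code and not part of the advisory) that triages an MDM-style inventory export against those fixed releases. The inventory records are constructed; the platform names, the `assess`/`triage` function names and the status labels are assumptions of this example. It deliberately reports macOS majors other than Monterey (12.x) as "not_covered" rather than "patched", because the cited advisories only state a fix for Monterey 12.3.

```python
"""Triage an inventory against the CVE-2022-22639 fixed releases.

Added example, not Apple's code. Fixed versions are taken from the
advisory text (iOS 15.4, iPadOS 15.4, macOS Monterey 12.3); the inventory
below is constructed sample data.
"""
from typing import Dict, List, Tuple

# First release that contains the fix, per platform (from the advisory).
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "iOS": (15, 4),
    "iPadOS": (15, 4),
    "macOS": (12, 3),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.3.1' into (15, 3, 1); rejects beta/non-numeric strings."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(platform: str, version: str) -> str:
    """Return 'vulnerable', 'patched' or 'not_covered' for one device.

    Tuple comparison handles mixed lengths correctly: (15, 4, 1) > (15, 4),
    while (15, 3, 1) < (15, 4). Platforms the advisory does not mention
    are reported as not_covered, never as patched.
    """
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        return "not_covered"
    installed = parse_version(version)
    # Apple ships separate updates for older macOS majors; the advisories
    # cited here cover only Monterey (12.x), so other majors are not assessed.
    if platform == "macOS" and installed[0] != fixed[0]:
        return "not_covered"
    return "vulnerable" if installed < fixed else "patched"


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group device names by assessment status (assumed record fields:
    device, platform, os_version)."""
    report: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "not_covered": []}
    for rec in inventory:
        report[assess(rec["platform"], rec["os_version"])].append(rec["device"])
    return report


# Constructed inventory export (hypothetical device names).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"device": "iphone-ceo", "platform": "iOS", "os_version": "15.3.1"},
    {"device": "ipad-lobby", "platform": "iPadOS", "os_version": "15.4"},
    {"device": "mbp-dev-07", "platform": "macOS", "os_version": "12.2.1"},
    {"device": "mbp-dev-12", "platform": "macOS", "os_version": "12.3.1"},
    {"device": "imac-legacy", "platform": "macOS", "os_version": "11.6.5"},
    {"device": "watch-01", "platform": "watchOS", "os_version": "8.5"},
]


if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Feed it a real export by replacing `SAMPLE_INVENTORY`; anything reported as "not_covered" should be resolved against the vendor's release notes for that platform rather than assumed safe.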
The associated EPSS score has remained flat at 0.0768 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27784
Vulnerability details
A logic issue was addressed with improved state management. This issue is fixed in iOS 15.4 and iPadOS 15.4, and macOS Monterey 12.3. An application may be able to gain elevated privileges.
- CWE(s): none assigned (unspecified weakness)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Apple iOS prior to 15.4
- Apple iPadOS prior to 15.4
- Apple macOS Monterey prior to 12.3
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.