CVE-2023-28204
Published: 23 June 2023
Summary
CVE-2023-28204 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Apple iPadOS. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks at the 23.0th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
An out-of-bounds read vulnerability, tracked as CVE-2023-28204 and assigned CWE-125, affects Apple's web content processing components in Safari and multiple operating systems. The flaw was addressed through improved input validation and impacts watchOS before 9.5, tvOS before 16.5, macOS Ventura before 13.4, iOS and iPadOS before 15.7.6 or 16.5, and Safari before 16.5. With a CVSS 3.1 score of 6.5, the issue resides in network-accessible code that handles untrusted web content.
An unauthenticated remote attacker can trigger the vulnerability by causing a victim to process malicious web content, resulting in disclosure of sensitive information from the affected device. Exploitation requires user interaction such as visiting a crafted web page but needs no privileges on the target system.
Apple security advisories for the fixed releases (HT213757, HT213758, HT213761, and HT213762) recommend immediate installation of the listed updates. The vendor states it is aware of reports indicating the issue may have been actively exploited in the wild. The current EPSS score remains low at 0.0008 with no indicated rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-31912
Vulnerability details
An out-of-bounds read was addressed with improved input validation. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, iOS 16.5 and iPadOS 16.5. Processing web content may disclose sensitive information.
Apple is aware of a report that this issue may have been actively exploited.
- CWE(s): CWE-125
- KEV Date Added: 22 May 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the root cause by enforcing improved input validation on untrusted web content before processing.
Requires timely application of vendor patches that remediate the out-of-bounds read in web-content components.
Enables monitoring specifically for unauthorized information disclosure resulting from exploitation of the flaw.