CVE-2023-37450
Published: 27 July 2023
Summary
CVE-2023-37450 is a high-severity vulnerability of unspecified weakness type in Apple Safari. Its CVSS base score is 8.8 (High).
Operationally, it ranks at the 22.3rd percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-37450 is a vulnerability in Apple's WebKit-based web content processing engine that was addressed through improved input validation checks. It affects multiple Apple platforms and is fixed in iOS 16.6 and iPadOS 16.6, Safari 16.5.2, tvOS 16.6, macOS Ventura 13.5, and watchOS 9.6. The flaw permits arbitrary code execution when a victim processes malicious web content, carrying a CVSS 3.1 base score of 8.8.
An unauthenticated remote attacker can exploit the issue by serving specially crafted web content that the target renders in Safari or any WebKit-based application. Successful exploitation grants the attacker the ability to execute arbitrary code with the privileges of the affected process, potentially leading to full device compromise. The attack requires the victim to visit a malicious site or view attacker-controlled content, consistent with the network-attack vector and user-interaction requirement in the CVSS scoring.
Apple security advisories HT213826, HT213841, HT213843, and HT213846 recommend immediate installation of the listed updates. The vendor states it is aware of reports indicating the vulnerability has been actively exploited in the wild. The current EPSS score remains low at 0.0007 with no material upward trajectory reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-41350
Vulnerability details
The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, Safari 16.5.2, tvOS 16.6, macOS Ventura 13.5, watchOS 9.6. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- CWE(s)
- KEV Date Added: 13 July 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patches that remediate the web-content parsing flaw before exploitation occurs.
- SI-10 (Information Input Validation): mandates input validation on untrusted web content, matching the vendor's fix of improved checks that close the arbitrary-code-execution path.
- SI-3 (Malicious Code Protection): requires malicious-code detection and blocking mechanisms that can intercept, or at least alert on, a code-execution payload delivered via crafted web content.
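The SI-2 control above comes down to one question for a fleet: is every listed Apple platform at or above the fixed version named in the advisory? The following Python script is an added example (not code from this record or from Apple) that answers that question for an inventory. The fixed-version table is copied from the advisory text on this page; the product labels used as keys, the inventory row layout (host, product, installed version) and the hostnames and versions in the sample inventory are constructed assumptions. It treats "16.6" and "16.6.0" as equal and skips products the advisory does not cover rather than guessing about them.

```python
"""Patch-compliance check for CVE-2023-37450 (added example, not part of the
original record). FIXED_VERSIONS is taken from the advisory text; product
labels, inventory layout and SAMPLE_INVENTORY rows are constructed."""

from typing import Optional

# Minimum versions that contain the fix, as listed in the advisory.
FIXED_VERSIONS = {
    "iOS": "16.6",
    "iPadOS": "16.6",
    "Safari": "16.5.2",
    "tvOS": "16.6",
    "macOS Ventura": "13.5",
    "watchOS": "9.6",
}


def parse_version(text: str) -> tuple:
    """Turn '16.5.2' into (16, 5, 2). Digits are extracted from each dotted
    component; a component with no digits ends the parse, so a trailing tag
    such as 'beta' does not break a purely numeric comparison."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_at_least(installed: str, required: str) -> bool:
    """Dotted-version comparison that pads with zeros, so '16.6' == '16.6.0'."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def assess(product: str, installed: str) -> Optional[bool]:
    """True if patched, False if still vulnerable, None if the product is not
    one of the platforms the advisory lists (no judgement can be made)."""
    required = FIXED_VERSIONS.get(product)
    if required is None:
        return None
    return version_at_least(installed, required)


def unpatched(inventory: list) -> list:
    """Return (host, product, installed, required) for every inventory row
    still below the fixed version; rows for unlisted products are skipped."""
    findings = []
    for host, product, installed in inventory:
        if assess(product, installed) is False:
            findings.append((host, product, installed, FIXED_VERSIONS[product]))
    return findings


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("mac-01", "macOS Ventura", "13.4.1"),   # below 13.5: unpatched
    ("mac-02", "macOS Ventura", "13.5"),     # exactly the fixed version
    ("mac-02", "Safari", "16.5.2"),          # exactly the fixed version
    ("mac-03", "Safari", "16.5.1"),          # below 16.5.2: unpatched
    ("phone-07", "iOS", "16.6.1"),           # above 16.6: patched
    ("watch-02", "watchOS", "9.5.3"),        # below 9.6: unpatched
    ("linux-01", "Firefox", "115.0"),        # not an Apple platform: skipped
]

if __name__ == "__main__":
    for host, product, installed, required in unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {installed} < {required} (CVE-2023-37450 unpatched)")
```

Run against the sample data it reports mac-01, mac-03 and watch-02; the Firefox row produces no finding because the advisory says nothing about it. Feeding it a real MDM or asset-management export only requires mapping that export's product names onto the keys in FIXED_VERSIONS.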