Cyber Resilience

CVE-2023-38571

High

Published: 28 July 2023

Modified
21 November 2024
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.1107 (93.6th percentile)
Risk Priority: 22 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38571 is a high-severity vulnerability in Apple macOS whose weakness type is unspecified (no CWE has been assigned). Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-38571 is a symlink validation weakness that affects multiple macOS releases. The flaw resides in the handling of symbolic links used by the Privacy preferences mechanism and was corrected by improved validation checks in macOS Big Sur 11.7.9, macOS Monterey 12.6.8, and macOS Ventura 13.5. Successful exploitation allows an application to circumvent the restrictions configured in Privacy preferences, producing a high-integrity impact without requiring user interaction.

An unauthenticated attacker can deliver or execute an application over the network that leverages the symlink issue to alter or evade privacy controls. Because the vulnerability carries a CVSS vector of AV:N/AC:L/PR:N/UI:N, the attack can be mounted remotely and does not depend on local user privileges or explicit user actions.

Apple security advisories HT213843, HT213844, and HT213845 describe the issue and direct administrators to install the listed macOS updates as the primary mitigation. The associated EPSS score has remained in a narrow band between 0.1107 and 0.1288 with no pronounced upward movement after disclosure.

Vulnerability details

This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Big Sur 11.7.9, macOS Monterey 12.6.8, macOS Ventura 13.5. An app may be able to bypass Privacy preferences.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Apple macOS: ≤ 11.7.9 · 12.0 to 12.6.8 · 13.0 to 13.5

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
