Vulnerability Name:

CVE-2022-22589 (CCN-218142)

Assigned:2022-01-26
Published:2022-01-26
Updated:2022-10-06
Summary:A validation issue was addressed with improved input sanitization. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. Processing a maliciously crafted mail message may lead to running arbitrary javascript.
CVSS v3 Severity:6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
7.6 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H)
6.6 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): High
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-20
CWE-1173
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2022-22589

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6

Source: XF
Type: UNKNOWN
apple-watchos-cve202222589-code-exec(218142)

Source: GENTOO
Type: Third Party Advisory
GLSA-202208-39

Source: CCN
Type: Apple security document HT213053
About the security content of iOS 15.3 and iPadOS 15.3

Source: MISC
Type: Vendor Advisory
https://support.apple.com/en-us/HT213053

Source: MISC
Type: Vendor Advisory
https://support.apple.com/en-us/HT213054

Source: MISC
Type: Vendor Advisory
https://support.apple.com/en-us/HT213057

Source: CCN
Type: Apple security document HT213058
About the security content of Safari 15.3

Source: MISC
Type: Vendor Advisory
https://support.apple.com/en-us/HT213058

Source: CCN
Type: Apple security document HT213059
About the security content of watchOS 8.4

Source: MISC
Type: Vendor Advisory
https://support.apple.com/en-us/HT213059

Source: CCN
Type: Apple security document HT213255
About the security content of Security Update 2022-004 Catalina

Source: CCN
Type: Apple security document HT213256
About the security content of macOS Big Sur 11.6.6

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/kb/HT213185

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/kb/HT213255

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/kb/HT213256

Vulnerable Configuration:Configuration 1:
  • cpe:/o:apple:mac_os_x:*:*:*:*:*:*:*:* (Version >= 10.15 and < 10.15.7)
  • OR cpe:/o:apple:mac_os_x:10.15.7:supplemental_update:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2020-005:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2020-007:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:-:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2020:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-002:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:*:*:*:*:*:*:*:* (Version < 15.3)
  • OR cpe:/o:apple:tvos:*:*:*:*:*:*:*:* (Version < 15.3)
  • OR cpe:/o:apple:watchos:*:*:*:*:*:*:*:* (Version < 8.4)
  • OR cpe:/o:apple:iphone_os:*:*:*:*:*:*:*:* (Version < 15.3)
  • OR cpe:/o:apple:ipados:*:*:*:*:*:*:*:* (Version < 15.3)
  • OR cpe:/o:apple:macos:*:*:*:*:*:*:*:* (Version >= 12.0.0 and < 12.2)
  • OR cpe:/o:apple:macos:*:*:*:*:*:*:*:* (Version >= 11.0 and < 11.6.6)
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-003:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-006:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-007:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-008:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2022-001:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2022-002:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:apple:watchos:8.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8033
    P
    		libjavascriptcoregtk-5_0-0-2.38.6-150400.4.39.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:7603
    P
    		libjavascriptcoregtk-4_0-18-2.38.6-150400.4.39.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:7941
    P
    		libjavascriptcoregtk-4_1-0-2.38.6-150400.4.39.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:3401
    P
    		xen-4.12.1_06-1.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3018
    P
    		augeas-1.10.1-2.6 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3320
    P
    		pam_yubico-2.26-1.25 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94648
    P
    		libjavascriptcoregtk-4_0-18-2.36.0-150400.2.13 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94950
    P
    		libjavascriptcoregtk-4_1-0-2.36.0-150400.2.13 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:95031
    P
    		libjavascriptcoregtk-5_0-0-2.36.0-150400.2.12 on GA media (Moderate)
    2022-06-22
    oval:com.redhat.rhsa:def:20221777
    P
    		RHSA-2022:1777: webkit2gtk3 security, bug fix, and enhancement update (Moderate)
    2022-05-10
    oval:org.opensuse.security:def:119014
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-04
    oval:org.opensuse.security:def:101647
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-04
    oval:org.opensuse.security:def:119687
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-04
    oval:org.opensuse.security:def:1088
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-04
    oval:org.opensuse.security:def:119125
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-04
    oval:org.opensuse.security:def:101766
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-04
    oval:org.opensuse.security:def:119319
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-04
    oval:org.opensuse.security:def:118824
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-04
    oval:org.opensuse.security:def:119502
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-04
    oval:org.opensuse.security:def:955
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-04
    oval:org.opensuse.security:def:127369
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-03
    oval:org.opensuse.security:def:5358
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-03
    oval:org.opensuse.security:def:125808
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-03
    oval:org.opensuse.security:def:6178
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-03
    oval:org.opensuse.security:def:126971
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-03
    BACK
    apple mac os x *
    apple mac os x 10.15.7 supplemental_update
    apple mac os x 10.15.7 security_update_2020-005
    apple mac os x 10.15.7 security_update_2020-007
    apple mac os x 10.15.7 -
    apple mac os x 10.15.7 security_update_2020-001
    apple mac os x 10.15.7 security_update_2020
    apple mac os x 10.15.7 security_update_2021-001
    apple mac os x 10.15.7 security_update_2021-002
    apple safari *
    apple tvos *
    apple watchos *
    apple iphone os *
    apple ipados *
    apple macos *
    apple macos *
    apple mac os x 10.15.7 security_update_2021-003
    apple mac os x 10.15.7 security_update_2021-006
    apple mac os x 10.15.7 security_update_2021-007
    apple mac os x 10.15.7 security_update_2021-008
    apple mac os x 10.15.7 security_update_2022-001
    apple mac os x 10.15.7 security_update_2022-002
    apple watchos 8.3