Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-4404 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Apple Macos High Sierra 10.13.5 Security Update 2018-003 Sierra Security Update 2018-0

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer10 documents7 sources

Severity

8.8HIGHNVD

EPSS

70.2%

top 1.31%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apple Iphone OS Apple MAC OS X Apple IOS +3 more

Timeline

PublishedJan 11

Latest updateMay 30

Description

In iOS before 11.4 and macOS High Sierra before 10.13.5, a memory corruption issue exists and was addressed with improved memory handling.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶Appleapple/macos_high_sierra_10.13.5_security_update_2018-003_sierra_security_update_2018-0

▶NVDapple/mac_os_x10.13.0 — 10.13.5

▶NVDapple/iphone_os< 11.4

▶Appleapple/ios11.4

▶Appleapple/tvos11.4

🔴Vulnerability Details

GHSA

GHSA-gqp4-fjf3-jx5v: In iOS before 11↗2022-05-14

▶

VulnCheck

Apple iphone_os Improper Restriction of Operations within the Bounds of a Memory Buffer↗2018

▶

💥Exploits & PoCs

Exploit-DB

Safari - Proxy Object Type Confusion (Metasploit)↗2018-12-14

▶

Metasploit

Safari Proxy Object Type Confusion↗

▶

📋Vendor Advisories

Apple

CVE-2018-4404: macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan↗2018-06-01

▶

Apple

CVE-2018-4404: tvOS 11.4↗2018-05-29

▶

Apple

CVE-2018-4404: iOS 11.4↗2018-05-29

▶

Apple

CVE-2018-4404: watchOS 4.3.1↗2018-05-29

▶

🕵️Threat Intelligence

Bleepingcomputer

macOS version of elusive 'LightSpy' spyware tool discovered↗2024-05-30

▶