Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-4438 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Apple Icloud

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer13 documents8 sources

Severity

8.8HIGHNVD

EPSS

22.6%

top 4.14%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apple Icloud Apple Iphone OS Apple Itunes +3 more

Timeline

PublishedApr 3

Latest updateMay 14

Description

A logic issue existed resulting in memory corruption. This was addressed with improved state management. This issue affected versions prior to iOS 12.1.1, tvOS 12.1.1, watchOS 5.1.2, Safari 12.0.2, iTunes 12.9.2 for Windows, iCloud for Windows 7.9.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶NVDapple/tvos< 12.1.1

▶NVDapple/icloud< 7.9

▶NVDapple/itunes< 12.9.2

▶NVDapple/safari< 12.0.2

▶NVDapple/watchos< 5.1.2

🔴Vulnerability Details

GHSA

GHSA-6mmf-48v9-cph4: A logic issue existed resulting in memory corruption↗2022-05-14

▶

Project0

JSC Exploits - Project Zero↗2019-08-01

▶

OSV

CVE-2018-4438: A logic issue existed resulting in memory corruption↗2019-04-03

▶

CVEList

CVE-2018-4438: A logic issue existed resulting in memory corruption↗2019-04-03

▶

💥Exploits & PoCs

Exploit-DB

WebKit JIT - Int32/Double Arrays can have Proxy Objects in the Prototype Chains↗2018-12-13

▶

📋Vendor Advisories

Apple

CVE-2018-4438: watchOS 5.1.2↗2018-12-06

▶

Apple

CVE-2018-4438: tvOS 12.1.1↗2018-12-05

▶

Apple

CVE-2018-4438: iOS 12.1.1↗2018-12-05

▶

Apple

CVE-2018-4438: iTunes 12.9.2 for Windows↗2018-12-05

▶

Apple

CVE-2018-4438: Safari 12.0.2↗2018-12-05

▶