⚠ Actively exploited
Added to CISA KEV on 2022-05-04. Federal agencies required to patch by 2022-05-25. Required action: Apply updates per vendor instructions.

CVE-2019-8506: Type Confusion in Apple iCloud for Windows

Severity: 8.8 HIGH (NVD)
EPSS: 8.1% (top 7.85%)
CISA KEV: Added 2022-05-04 | Due 2022-05-25
Exploit: Exploited in wild | Active exploitation observed

Timeline
Published: Dec 18
KEV added: May 4
Latest update: May 24
KEV due: May 25

Description

A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.2, tvOS 12.2, watchOS 5.2, Safari 12.1, iTunes 12.9.4 for Windows, iCloud for Windows 7.11. Processing maliciously crafted web content may lead to arbitrary code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (15 packages)

CVEListV5 | apple/icloud_for_windows | unspecified | iCloud for Windows 7.11
CVEListV5 | apple/itunes_for_windows | unspecified | iTunes 12.9.4 for Windows
CVEListV5 | apple/tvos | unspecified | tvOS 12.2
NVD | apple/tvos | < 12.2
CVEListV5 | apple/safari | unspecified | Safari 12.1

🔴 Vulnerability Details (4)

GHSA | GHSA-fg7h-q67h-82rg: A type confusion issue was addressed with improved memory handling | 2022-05-24
OSV | CVE-2019-8506: A type confusion issue was addressed with improved memory handling | 2019-12-18
CVEList | CVE-2019-8506: A type confusion issue was addressed with improved memory handling | 2019-12-18
VulnCheck | Apple Multiple Products Type Confusion Vulnerability | 2019

💥 Exploits & PoCs (1)

Exploit-DB | WebKit JavaScriptCore - 'createRegExpMatchesArray' Type Confusion | 2019-04-03

📋 Vendor Advisories (10)

CISA | Apple Multiple Products Type Confusion Vulnerability | 2022-05-04
Ubuntu | WebKitGTK+ vulnerabilities | 2019-04-16
Red Hat | webkitgtk: malicous web content leads to arbitrary code execution | 2019-04-10
Apple | CVE-2019-8506: watchOS 5.2 | 2019-03-27
Apple | CVE-2019-8506: tvOS 12.2 | 2019-03-25

💬 Community (6)

Bugzilla | CVE-2019-7285 CVE-2019-7292 CVE-2019-8506 CVE-2019-8515 CVE-2019-8518 CVE-2019-8523 CVE-2019-8524 CVE-2019-8535 CVE-2019-8536 CVE-2019-8544 CVE-2019-8558 CVE-2019-8559 CVE-2019-8563 mingw-webkitgtk: v | 2019-06-11
Bugzilla | CVE-2019-7285 CVE-2019-7292 CVE-2019-8503 CVE-2019-8506 CVE-2019-8515 CVE-2019-8518 CVE-2019-8523 CVE-2019-8524 CVE-2019-8535 CVE-2019-8536 CVE-2019-8544 CVE-2019-8558 CVE-2019-8559 CVE-2019-8563 webk | 2019-06-11
Bugzilla | CVE-2019-7285 CVE-2019-7292 CVE-2019-8503 CVE-2019-8506 CVE-2019-8515 CVE-2019-8518 CVE-2019-8523 CVE-2019-8524 CVE-2019-8535 CVE-2019-8536 CVE-2019-8544 CVE-2019-8558 CVE-2019-8559 CVE-2019-8563 ming | 2019-06-11
Bugzilla | CVE-2019-8506 webkitgtk: malicous web content leads to arbitrary code execution | 2019-06-11
Bugzilla | CVE-2019-7285 CVE-2019-7292 CVE-2019-8503 CVE-2019-8506 CVE-2019-8515 CVE-2019-8518 CVE-2019-8523 CVE-2019-8524 CVE-2019-8535 CVE-2019-8536 CVE-2019-8544 CVE-2019-8558 CVE-2019-8559 CVE-2019-8563 ming | 2019-06-11
CVE-2019-8506 — Type Confusion in Apple | cvebase