CVE-2019-8901 — Improper Verification of Cryptographic Signature in Apple IOS AND Ipados

CWE-347 — Improper Verification of Cryptographic Signature3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 64.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple IOS AND Ipados Apple Ipados Apple Iphone OS +1 more

Timeline

PublishedOct 27

Latest updateMay 24

Description

This issue was addressed by verifying host keys when connecting to a previously-known SSH server. This issue is fixed in iOS 13.1 and iPadOS 13.1. An attacker in a privileged network position may be able to intercept SSH traffic from the “Run script over SSH” action.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDapple/ipados< 13.1

▶CVEListV5apple/ios_and_ipadosunspecified — 13.1

▶Appleapple/ios_13.1_and_ipados13.1

▶NVDapple/iphone_os< 13.1

🔴Vulnerability Details

GHSA

GHSA-4v9x-x766-gmm3: This issue was addressed by verifying host keys when connecting to a previously-known SSH server↗2022-05-24

▶

📋Vendor Advisories

Apple

CVE-2019-8901: iOS 13.1 and iPadOS 13.1↗2019-09-24

▶