CVE-2020-3846Improper Input Validation in Apple Icloud FOR Windows

CWE-20Improper Input ValidationCWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-91XML Injection (aka Blind XPath Injection)3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.8%
top 26.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
11
Apple Icloud FOR WindowsApple IOSApple Itunes FOR Windows+8 more
Timeline
PublishedFeb 27
Latest updateMay 24

Description

A buffer overflow was addressed with improved size validation. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, macOS Catalina 10.15.3, tvOS 13.3.1, watchOS 6.1.2, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages13 packages

CVEListV5apple/icloud_for_windowsunspecifiediCloud for Windows 11.0+1
CVEListV5apple/itunes_for_windowsunspecifiediTunes for Windows 12.10.4
NVDapple/icloud10.010.8+1
CVEListV5apple/tvosunspecifiedtvOS 13.3.1
NVDapple/tvos< 13.3.1

🔴Vulnerability Details

2
GHSA
GHSA-9gq3-q3gq-f9h8: A buffer overflow was addressed with improved size validation2022-05-24
CVEList
CVE-2020-3846: A buffer overflow was addressed with improved size validation2020-02-27
CVE-2020-3846 — Improper Input Validation in Apple | cvebase