⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-1870Improper Use of Validation Framework in Apple IOS AND Ipados

CWE-1173Improper Use of Validation FrameworkCWE-20Improper Input Validation17 documents13 sources
Severity
9.8CRITICALNVD
EPSS
1.2%
top 21.48%
CISA KEV
KEV
Added 2021-11-03
Due 2021-11-17
Exploit
Exploited in wild
Active exploitation observed
Affected products
7
Apple IOS AND IpadosApple MacosApple Ipados+4 more
Timeline
PublishedApr 2
KEV addedNov 3
KEV dueNov 17
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages7 packages

CVEListV5apple/macosunspecified11.2
NVDapple/macos11.0.111.2
NVDapple/ipados< 14.4
NVDapple/mac_os_x10.1510.15.7+1
CVEListV5apple/ios_and_ipadosunspecified14.4

Also affects: Fedora 32, 33

🔴Vulnerability Details

5
GHSA
GHSA-f8fh-g8mv-p7hh: A logic issue was addressed with improved restrictions2022-05-24
Project0
The More You Know, The More You Know You Don’t Know - Project Zero2022-04-01
OSV
CVE-2021-1870: A logic issue was addressed with improved restrictions2021-04-02
CVEList
CVE-2021-1870: A logic issue was addressed with improved restrictions2021-04-02
VulnCheck
Apple iOS, iPadOS, and macOS WebKit Remote Code Execution Vulnerability2021

📋Vendor Advisories

6
CISA
Apple iOS, iPadOS, and macOS WebKit Remote Code Execution Vulnerability2021-11-03
Ubuntu
WebKitGTK vulnerabilities2021-03-29
Red Hat
webkitgtk: Logic issue leading to arbitrary code execution2021-03-22
Apple
CVE-2021-1870: macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave2021-02-01
Apple
CVE-2021-1870: iOS 14.4 and iPadOS 14.42021-01-26

🕵️Threat Intelligence

5
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-012021-11-09
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys2021-11-09
Qualys
Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices2021-10-18
Qualys
Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices | Qualys2021-10-18
Tenable
CVE-2021-21148: Google Chrome Heap Buffer Overflow Vulnerability Exploited in the Wild2021-02-05
CVE-2021-1870 — Improper Use of Validation Framework | cvebase