⚠ Actively exploited

Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-30663 — Integer Overflow or Wraparound in Apple Macos

CWE-190 — Integer Overflow or Wraparound CWE-20 — Improper Input Validation22 documents14 sources

Severity

8.8HIGHNVD

EPSS

0.7%

top 28.44%

CISA KEV

KEV

Added 2021-11-03

Due 2021-11-17

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apple Macos Apple Ipados Apple Iphone OS +2 more

Timeline

PublishedSep 8

KEV addedNov 3

KEV dueNov 17

Latest updateMay 24

CISA Required Action: Apply updates per vendor instructions.

Description

An integer overflow was addressed with improved input validation. This issue is fixed in iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, Safari 14.1.1, macOS Big Sur 11.3.1. Processing maliciously crafted web content may lead to arbitrary code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶NVDapple/tvos< 14.6

▶CVEListV5apple/macosunspecified — 11.3+4

▶NVDapple/macos11.0 — 11.3.1

▶NVDapple/ipados14.0 — 14.5.1

▶NVDapple/safari< 14.1.1

🔴Vulnerability Details

GHSA

GHSA-5g93-pf3w-6f59: An integer overflow was addressed with improved input validation↗2022-05-24

▶

Project0

The More You Know, The More You Know You Don’t Know - Project Zero↗2022-04-01

▶

OSV

CVE-2021-30663: An integer overflow was addressed with improved input validation↗2021-09-08

▶

CVEList

CVE-2021-30663: An integer overflow was addressed with improved input validation↗2021-09-08

▶

VulnCheck

Apple Multiple Products WebKit Integer Overflow Vulnerability↗2021

▶

📋Vendor Advisories

CISA

Apple Multiple Products WebKit Integer Overflow Vulnerability↗2021-11-03

▶

Ubuntu

WebKitGTK vulnerabilities↗2021-07-28

▶

Red Hat

webkitgtk: Integer overflow leading to arbitrary code execution↗2021-07-28

▶

Apple

CVE-2021-30663: Safari 14.1.1↗2021-05-24

▶

Apple

CVE-2021-30663: tvOS 14.6↗2021-05-24

▶

🕵️Threat Intelligence

Qualys

Qualys Response to CISA Alert: Binding Operational Directive 22-01↗2021-11-09

▶

Qualys

Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys↗2021-11-09

▶

Qualys

Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices↗2021-10-18

▶

Qualys

Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices | Qualys↗2021-10-18

▶

Securelist

IT threat evolution in Q2 2021. PC statistics↗2021-08-12

▶

📐Framework References

CWE

Improper Input Validation↗

▶

CWE

Integer Overflow or Wraparound↗

▶