CVE-2021-30897 — Sensitive Information Exposure in Apple Macos

CWE-200 — Sensitive Information Exposure6 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 45.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Macos Apple Ipados Apple Iphone OS +3 more

Timeline

PublishedAug 24

Latest updateDec 20

Description

An issue existed in the specification for the resource timing API. The specification was updated and the updated specification was implemented. This issue is fixed in macOS Monterey 12.0.1. A malicious website may exfiltrate data cross-origin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages8 packages

▶Appleapple/macos_monterey12.0.1

▶CVEListV5apple/macosunspecified — 12.0

▶NVDapple/macos< 12.0.1

▶NVDapple/tvos< 15.0

▶NVDapple/ipados< 15.0

🔴Vulnerability Details

OSV

CVE-2021-30897: An issue existed in the specification for the resource timing API↗2021-08-24

▶

📋Vendor Advisories

Red Hat

webkitgtk: Cross-origin data exfiltration via resource timing API↗2021-12-20

▶

Apple

CVE-2021-30897: macOS Monterey 12.0.1↗2021-10-25

▶

Apple

CVE-2021-30897: iOS 15 and iPadOS 15↗2021-09-20

▶

Apple

CVE-2021-30897: tvOS 15↗2021-09-20

▶