CVE-2022-22652: Missing Authentication for Critical Function in Apple iOS and iPadOS

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.1% (top 80.05%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 18; Latest update Mar 19

Description

The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access may be able to view and modify the carrier account information and settings from the lock screen.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 0.9 | Impact: 5.2

Affected Packages (4 packages)

NVD: apple/ipados < 15.4
CVEListV5: apple/ios_and_ipados unspecified 15.4
NVD: apple/iphone_os < 15.4

🔴 Vulnerability Details (1)

GHSA
GHSA-mmw9-5m6w-w9p6: The GSMA authentication panel could be presented on the lock screen (2022-03-19)

📋 Vendor Advisories (1)

Apple
CVE-2022-22652: iOS 15.4 and iPadOS 15.4 (2022-03-14)