A vulnerability classified as problematic has been found in Apple macOS up to 10.15.3 (Operating System). Affected is an unknown functionality of the component Call History. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality. CVE summarizes:

This issue was addressed with a new entitlement. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to access a user's call history.

The weakness was released 03/24/2020 as HT211100 as confirmed advisory (Website). The advisory is shared for download at support.apple.com. This vulnerability is traded as CVE-2020-9776. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1592. The advisory points out:

This issue was addressed with a new entitlement.

Upgrading to version 10.15.4 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Entries connected to this vulnerability are available at 152486, 152487, 152488 and 152489.

Productinfo

Type

• Operating System

Vendor

• Apple

Name

• macOS

Version

• 10.15.0
• 10.15.1
• 10.15.2
• 10.15.3

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion