Apple macOS up to 13.0 Ruby unexpected data type

Summaryinfo

A vulnerability has been found in Apple macOS and classified as critical. The affected element is an unknown function of the component Ruby. The manipulation leads to an unknown weakness. This vulnerability is documented as CVE-2022-29181. The attack can be initiated remotely. There is not any exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Apple macOS (Operating System) and classified as critical. This issue affects an unknown part of the component Ruby. Using CWE to declare the problem leads to CWE-241. The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). Impacted is confidentiality, integrity, and availability.

The weakness was released 12/13/2022 as HT213532 as confirmed advisory (Website). It is possible to read the advisory at support.apple.com. The identification of this vulnerability is CVE-2022-29181. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available. The advisory points out:

A remote user may be able to cause unexpected app termination or arbitrary code execution

The vulnerability scanner Nessus provides a plugin with the ID 242573 (Ubuntu 20.04 LTS / 22.04 LTS : Nokogiri vulnerabilities (USN-7659-1)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 13.1 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability. The advisory contains the following remark:

This issue was addressed with improved checks.

The vulnerability is also documented in the vulnerability database at Tenable (242573). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Operating System

Vendor

• Apple

Name

• macOS

Version

• 5.3
• 5.11
• 10.8.5
• 10.9.5
• 10.10
• 10.10.1
• 10.10.2
• 10.10.3
• 10.12
• 10.12.0
• 10.12.1
• 10.12.2
• 10.12.3
• 10.12.4
• 10.12.5
• 10.12.6
• 10.13
• 10.13.0
• 10.13.1
• 10.13.2
• 10.13.3
• 10.13.4
• 10.13.5
• 10.13.5 2018-003
• 10.13.6
• 10.14
• 10.14.1
• 10.14.2
• 10.14.4
• 10.14.5
• 10.14.6
• 10.15
• 10.15.0
• 10.15.1
• 10.15.2
• 10.15.3
• 10.15.4
• 10.15.5
• 10.15.6
• 10.15.7
• 11.0.1
• 11.1
• 11.2
• 11.2.1
• 11.2.3
• 11.3
• 11.3.1
• 11.4
• 11.5
• 11.6
• 11.6.6
• 11.7
• 11.7.3
• 11.7.5
• 11.7.9
• 12.0.1
• 12.1
• 12.2
• 12.2.1
• 12.3
• 12.3.1
• 12.4
• 12.5
• 12.5.1
• 12.6
• 12.6.2
• 12.6.3
• 12.6.4
• 12.6.7
• 12.6.8
• 12.7
• 12.7.1
• 12.7.5
• 12.7.6
• 13
• 13.0

License

• commercial

Website

• Vendor: https://www.apple.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion