Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.5
CVSSv2

CVE-2020-9850

Published: 09/06/2020 Updated: 09/01/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 790
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Apple

Vulnerability Summary

A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.5 and iPadOS 13.5, tvOS 13.4.5, watchOS 6.2.5, Safari 13.1.1, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19. A remote attacker may be able to cause arbitrary code execution.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apple icloud

apple itunes

apple safari

apple iphone os

apple watchos

apple tvos

apple ipados

Vendor Advisories

Debian Security Advisories: DSA-4724-1 webkit2gtk -- security update
The following vulnerabilities have been discovered in the webkit2gtk web engine: CVE-2020-9802 Samuel Gross discovered that processing maliciously crafted web content may lead to arbitrary code execution CVE-2020-9803 Wen Xu discovered that processing maliciously crafted web content may lead to arbitrary code execution CVE-2020-9 ...
Red Hat: Moderate: OpenShift Container Platform 4.6 compliance-operator security and bug fix update
Synopsis Moderate: OpenShift Container Platform 46 compliance-operator security and bug fix update Type/Severity Security Advisory: Moderate Topic An update for compliance-content-container, ose-compliance-openscap-container, ose-compliance-operator-container, and ose-compliance-operator-metadata-container ...
Red Hat: Moderate: GNOME security, bug fix, and enhancement update
Synopsis Moderate: GNOME security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for GNOME is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System ...
Red Hat: Moderate: Red Hat Quay v3.3.3 bug fix and security update
Synopsis Moderate: Red Hat Quay v333 bug fix and security update Type/Severity Security Advisory: Moderate Topic Red Hat Quay v333 is now available with bug fixes and security updatesRed Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring S ...
Red Hat: Moderate: OpenShift Container Platform 4.6 compliance-operator security and bug fix update
Synopsis Moderate: OpenShift Container Platform 46 compliance-operator security and bug fix update Type/Severity Security Advisory: Moderate Topic An update for compliance-content-container, ose-compliance-openscap-container, ose-compliance-operator-container, and ose-compliance-operator-metadata-container ...
Red Hat: Moderate: OpenShift Container Platform 4.10.3 security update
Synopsis Moderate: OpenShift Container Platform 4103 security update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Container Platform release 4103 is now available withupdates to packages and images that fix several bugs and add enhancementsRed Hat Product Security has rated this update as having a security impact of ...
Red Hat: Moderate: Red Hat OpenShift Container Storage 4.6.0 security, bug fix, enhancement update
Synopsis Moderate: Red Hat OpenShift Container Storage 460 security, bug fix, enhancement update Type/Severity Security Advisory: Moderate Topic Updated images are now available for Red Hat OpenShift Container Storage 460 on Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as ha ...
Red Hat: Important: Service Telemetry Framework 1.4 security update
Synopsis Important: Service Telemetry Framework 14 security update Type/Severity Security Advisory: Important Topic An update is now available for Service Telemetry Framework 14 for RHEL 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which g ...
Arch Linux Issues:
Severity Unknown Remote Unknown Type Unknown Description AVG-1203 webkit2gtk 2282-2 2283-1 Unknown Fixed ...
Check Point Security Alerts: Apple Multiple Products Type Confusion (CVE-2020-9850)
Check Point Reference: CPAI-2020-4082 Date Published: 3 Dec 2023 Severity: Critical ...

Exploits

Exploit DB: Safari Type Confusion / Sandbox Escape
This Metasploit module exploits an incorrect side-effect modeling of the 'in' operator The DFG compiler assumes that the 'in' operator is side-effect free, however the embed element with the PDF plugin provides a callback that can trigger side-effects leading to type confusion (CVE-2020-9850) The type confusion can be used as addrof and fakeobj p ...
Exploit DB: Safari in Operator Side Effect Exploit
This module exploits an incorrect side-effect modeling of the 'in' operator The DFG compiler assumes that the 'in' operator is side-effect free, however the element with the PDF plugin provides a callback that can trigger side-effects leading to type confusion (CVE-2020-9850) The type confusion can be used ...

Mailing Lists

Full Disclosure: APPLE-SA-2020-05-26-10 iCloud for Windows 7.19
<!--X-Body-Begin--> <!--X-User-Header--> Full Disclosure mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> APPLE-SA-2020-05-26-10 iCloud for Windows 719 <!--X-Subject-Header-End--> <!--X-Head-of-Message--> From: Apple Prod ...
Full Disclosure: APPLE-SA-2020-05-26-4 tvOS 13.4.5
<!--X-Body-Begin--> <!--X-User-Header--> Full Disclosure mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> APPLE-SA-2020-05-26-4 tvOS 1345 <!--X-Subject-Header-End--> <!--X-Head-of-Message--> From: Apple Product Security ...

Metasploit Modules

Safari in Operator Side Effect Exploit

This module exploits an incorrect side-effect modeling of the 'in' operator. The DFG compiler assumes that the 'in' operator is side-effect free, however the element with the PDF plugin provides a callback that can trigger side-effects leading to type confusion (CVE-2020-9850). The type confusion can be used as addrof and fakeobj primitives that then lead to arbitrary read/write of memory. These primitives allow us to write shellcode into a JIT region (RWX memory) containing the next stage of the exploit. The next stage uses CVE-2020-9856 to exploit a heap overflow in CVM Server, and extracts a macOS application containing our payload into /var/db/CVMS. The payload can then be opened with CVE-2020-9801, executing the payload as a user but without sandbox restrictions.

msf > use exploit/osx/browser/safari_in_operator_side_effect
msf exploit(safari_in_operator_side_effect) > show targets
    ...targets...
msf exploit(safari_in_operator_side_effect) > set TARGET < target-id >
msf exploit(safari_in_operator_side_effect) > show options
    ...show and set options...
msf exploit(safari_in_operator_side_effect) > exploit

Recent Articles

You, Apple Mac fan. Put down the homemade oat-milk latte, you need to patch a load of security bugs, too
The Register • Shaun Nichols in San Francisco • 28 May 2020

Patch Thursday is for you, Patch Tuesday is for everyone else Apple promises third, no, fourth, er, fifth time's a charm when it comes to macOS Catalina: 10.15.5 now out

Apple has alerted users about a bunch of security fixes for its software on supported versions of macOS that you ought to install as soon as you can. For Safari, there are nine CVE-listed patches in version 13.1.1. Six address malicious code execution (CVE-2020-9802, CVE-2020-9800, CVE-2020-9806, CVE-2020-9807, CVE-2020-9850, CVE-2020-9803) that can be achieved by opening a booby-trapped webpage or similar. These were found separately by Samuel Groß of Google Project Zero; Brendan Draper workin...

Read more...

References

NVD-CWE-Otherhttps://support.apple.com/HT211177https://support.apple.com/HT211178https://support.apple.com/HT211168https://support.apple.com/HT211179https://support.apple.com/HT211181https://support.apple.com/HT211171https://support.apple.com/HT211175https://nvd.nist.govhttps://www.debian.org/security/2020/dsa-4724https://www.rapid7.com/db/modules/exploit/osx/browser/safari_in_operator_side_effect/
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-3675CVE-2024-3400CVE-2024-23557mass assignmentCVE-2023-1389local file inclusionCVE-2024-32596file uploadCVE-2024-32593
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook