Vulnerabilities > CVE-2020-3899 - Unspecified vulnerability in Apple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
A memory consumption issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A remote attacker may be able to cause arbitrary code execution.
Vulnerable Configurations
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2020-7F34D2CFD8.NASL description Update to 2.28.2 : - Fix excessive CPU usage due to GdkFrameClock not being stopped. - Fix UI process crash when EGL_WL_bind_wayland_display extension is not available. - Fix position of select popup menus in X11. - Fix playing of Youtube ‘live stream’/H264 URLs. - Fix several crashes and rendering issues. - Security fixes: CVE-2020-3899 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-12 modified 2020-05-07 plugin id 136380 published 2020-05-07 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136380 title Fedora 31 : webkit2gtk3 (2020-7f34d2cfd8) NASL family Windows NASL id ITUNES_12_10_5.NASL description The version of Apple iTunes installed on the remote Windows host is prior to 12.10.5. It is, therefore, affected by multiple vulnerabilities as referenced in the HT211105 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-04-30 modified 2020-03-31 plugin id 135032 published 2020-03-31 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135032 title Apple iTunes < 12.10.5 Multiple Vulnerabilities (credentialed check) (HT211105) NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-1198-1.NASL description This update for webkit2gtk3 fixes the following issues : Security issue fixed : CVE-2020-3899: Fixed a memory consumption issue that could have led to remote code execution (bsc#1170643). Non-security issues fixed : Update to version 2.28.2 (bsc#1170643) : + Fix excessive CPU usage due to GdkFrameClock not being stopped. + Fix UI process crash when EGL_WL_bind_wayland_display extension is not available. + Fix position of select popup menus in X11. + Fix playing of Youtube last seen 2020-05-15 modified 2020-05-11 plugin id 136468 published 2020-05-11 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136468 title SUSE SLED15 / SLES15 Security Update : webkit2gtk3 (SUSE-SU-2020:1198-1) NASL family Fedora Local Security Checks NASL id FEDORA_2020-BD170E803F.NASL description Update to 2.28.2 : - Fix excessive CPU usage due to GdkFrameClock not being stopped. - Fix UI process crash when EGL_WL_bind_wayland_display extension is not available. - Fix position of select popup menus in X11. - Fix playing of Youtube ‘live stream’/H264 URLs. - Fix several crashes and rendering issues. - Security fixes: CVE-2020-3899 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2020-05-04 plugin id 136299 published 2020-05-04 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136299 title Fedora 30 : webkit2gtk3 (2020-bd170e803f) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4347-1.NASL description A large number of security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2020-04-30 plugin id 136172 published 2020-04-30 reporter Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136172 title Ubuntu 18.04 LTS / 19.10 / 20.04 : webkit2gtk vulnerability (USN-4347-1) NASL family Misc. NASL id APPLETV_13_4.NASL description According to its banner, the version of Apple TV on the remote device is prior to 13.4. It is therefore affected by multiple vulnerabilities as described in the HT211101 last seen 2020-04-30 modified 2020-04-21 plugin id 135855 published 2020-04-21 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135855 title Apple TV < 13.4 Multiple Vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4681.NASL description The following vulnerability has been discovered in the webkit2gtk web engine : - CVE-2020-3885 Ryan Pickren discovered that a file URL may be incorrectly processed. - CVE-2020-3894 Sergei Glazunov discovered that a race condition may allow an application to read restricted memory. - CVE-2020-3895 grigoritchy discovered that processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2020-3897 Brendan Draper discovered that a remote attacker may be able to cause arbitrary code execution. - CVE-2020-3899 OSS-Fuzz discovered that a remote attacker may be able to cause arbitrary code execution. - CVE-2020-3900 Dongzhuo Zhao discovered that processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2020-3901 Benjamin Randazzo discovered that processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2020-3902 Yigit Can Yilmaz discovered that processing maliciously crafted web content may lead to a cross site scripting attack. last seen 2020-05-15 modified 2020-05-08 plugin id 136413 published 2020-05-08 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136413 title Debian DSA-4681-1 : webkit2gtk - security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-1211-1.NASL description This update for webkit2gtk3 fixes the following issues : Security issue fixed : CVE-2020-3899: Fixed a memory consumption issue that could have led to remote code execution (bsc#1170643). Non-security issues fixed : Update to version 2.28.2 (bsc#1170643) : + Fix excessive CPU usage due to GdkFrameClock not being stopped. + Fix UI process crash when EGL_WL_bind_wayland_display extension is not available. + Fix position of select popup menus in X11. + Fix playing of Youtube last seen 2020-05-21 modified 2020-05-15 plugin id 136651 published 2020-05-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136651 title SUSE SLES12 Security Update : webkit2gtk3 (SUSE-SU-2020:1211-1) NASL family Peer-To-Peer File Sharing NASL id ITUNES_12_10_5_BANNER.NASL description The version of Apple iTunes installed on the remote Windows host is prior to 12.10.5. It is, therefore, affected by multiple vulnerabilities as referenced in the HT211105 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-04-30 modified 2020-03-31 plugin id 135031 published 2020-03-31 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135031 title Apple iTunes < 12.10.5 Multiple Vulnerabilities (uncredentialed check) (HT211105) NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-646.NASL description This update for webkit2gtk3 fixes the following issues : Security issue fixed : - CVE-2020-3899: Fixed a memory consumption issue that could have led to remote code execution (bsc#1170643). Non-security issues fixed : - Update to version 2.28.2 (bsc#1170643) : + Fix excessive CPU usage due to GdkFrameClock not being stopped. + Fix UI process crash when EGL_WL_bind_wayland_display extension is not available. + Fix position of select popup menus in X11. + Fix playing of Youtube last seen 2020-05-15 modified 2020-05-12 plugin id 136488 published 2020-05-12 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136488 title openSUSE Security Update : webkit2gtk3 (openSUSE-2020-646)
References
- https://support.apple.com/HT211101
- https://support.apple.com/HT211101
- https://support.apple.com/HT211102
- https://support.apple.com/HT211102
- https://support.apple.com/HT211104
- https://support.apple.com/HT211104
- https://support.apple.com/HT211105
- https://support.apple.com/HT211105
- https://support.apple.com/HT211106
- https://support.apple.com/HT211106
- https://support.apple.com/HT211107
- https://support.apple.com/HT211107