CVE-2022-32875

Vulnerability

A logic issue in state management within Apple operating systems allows an app to read sensitive location information. The vulnerability affects macOS Big Sur before 11.7, macOS Monterey before 12.6, macOS Ventura before 13, iOS before 16, and watchOS before 9 [1][2][3][4]. The issue was addressed with improved state management.

Exploitation

An attacker requires the ability to install and run a malicious or compromised app on the target device. No additional privileges or user interaction beyond normal app installation are needed. The app can exploit the logic flaw to access location data that should be protected, potentially without triggering location permission prompts.

Impact

Successful exploitation results in unauthorized disclosure of sensitive location information. The app gains access to the device's location data, violating user privacy. The impact is limited to information disclosure; no code execution or privilege escalation is reported.

Mitigation

Apple has fixed the issue in the following releases: iOS 16 (September 12, 2022) [1], watchOS 9 (September 12, 2022) [3], macOS Monterey 12.6 (September 12, 2022) [4], macOS Big Sur 11.7 (September 12, 2022) [not explicitly referenced but implied by the description], and macOS Ventura 13 (October 24, 2022) [2]. Users should update to these versions or later. No workarounds are available.