CVE-2022-46718
Description
A logic issue in Apple Location Services allowed an app to read sensitive location information; fixed in iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, Big Sur 11.7.2, and Monterey 12.6.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A logic issue in the Location Services subsystem on Apple platforms allowed an app to read sensitive location information without proper authorization. This affects iOS and iPadOS versions before 15.7.2, macOS Ventura before 13.1, macOS Big Sur before 11.7.2, and macOS Monterey before 12.6.2 [1][2][3][4].
Exploitation
An attacker would need to have an app installed on the device that can access certain location-related APIs. The logic flaw could then be exploited to bypass the intended restrictions and read sensitive location data without user consent or beyond the app's entitlements.
Impact
Successful exploitation allows an app to read sensitive location information, leading to a breach of user privacy and confidentiality of location data. No other impacts such as code execution or privilege escalation are associated with this vulnerability.
Mitigation
Apple addressed the issue with improved restrictions in the following software updates released on December 13, 2022: iOS 15.7.2 and iPadOS 15.7.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, and macOS Monterey 12.6.2 [1][2][3][4]. Users should update to the latest available versions. No workarounds are available for unpatched systems.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 15.7.2
- Range: = 13.1
- Range: = 15.7.2
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.