VYPR
Unrated severity · NVD Advisory · Published Jun 23, 2023 · Updated Dec 5, 2024

CVE-2023-28191

Description

An app may bypass Privacy preferences by accessing log entries with insufficient redaction in Apple OSes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A privacy vulnerability exists in Apple's operating systems where log entries may contain sensitive data that is not properly redacted, allowing an app to bypass Privacy preferences. This affects watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, macOS Big Sur 11.7.7, macOS Monterey 12.6.6, iOS 16.5, and iPadOS 16.5 [1][2][3][4].

Exploitation

An attacker would need to have an app installed on the device. The app could access log entries that inadvertently contain private information due to insufficient redaction. No special user interaction beyond installing the app is required, and no additional privileges are needed beyond normal app sandbox restrictions [1][2].

Impact

A malicious app could gain access to sensitive information that should be protected by Privacy preferences, such as location, contacts, or other private data. This could lead to disclosure of private information without user consent [1][2].

Mitigation

Apple has released patches in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, macOS Big Sur 11.7.7, macOS Monterey 12.6.6, iOS 16.5, and iPadOS 16.5 on May 18, 2023. Users should update their devices to the latest available versions [1][2][3][4]. There are no known workarounds; updating is the recommended mitigation.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

6
