CVE-2023-32402

Vulnerability

An out-of-bounds read vulnerability exists in the WebKit component of Apple's operating systems. Processing maliciously crafted web content can trigger the issue, leading to disclosure of sensitive information. The vulnerability is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, Safari 16.5, iOS 16.5, and iPadOS 16.5 [1][2][3][4]. No specific affected versions are disclosed beyond the fixed versions.

Exploitation

An attacker needs to convince a user to process malicious web content, for example by visiting a crafted website. No additional privileges or network position beyond serving the content is required. The exact sequence of steps is not detailed in the available references, but the vulnerability is triggered within WebKit's content processing pipeline.

Impact

Successful exploitation could lead to the disclosure of sensitive information from the user's device or browsing session (confidentiality impact). The scope is limited to the information accessible through the out-of-bounds read; there is no indication of privilege escalation or code execution. The impact is categorized as information disclosure.

Mitigation

Apple has addressed this issue by releasing the fixed versions mentioned above on May 18, 2023 [1][2][3][4]. Users should update their devices to the latest available operating system and Safari version via Software Update. No workarounds are provided by Apple.