CVE-2023-32408

Vulnerability

A privacy issue exists in the cache handling of multiple Apple operating systems, allowing an app to read sensitive location information. The vulnerability affects watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, macOS Monterey 12.6.6, iOS 16.5 and iPadOS 16.5, as well as Apple TV 4K (all models) and Apple TV HD. The issue is addressed with improved handling of caches [1][2][3][4].

Exploitation

An attacker would need to have an app installed on the affected device. No additional privileges or user interaction beyond typical app installation are described as required. The app can then exploit the cache handling flaw to bypass Privacy preferences and read sensitive location information [1][2].

Impact

A successful exploitation allows the malicious app to read sensitive location information that should have been protected by Privacy preferences. This results in unauthorized disclosure of the user's location data, compromising confidentiality [1][2][3][4].

Mitigation

Apple has released patches in the following versions: watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, macOS Monterey 12.6.6, iOS 16.5 and iPadOS 16.5, all released on May 18, 2023. Users should update their devices to these versions to mitigate the vulnerability [1][2][3][4].