CVE-2023-32422

Vulnerability

A privacy issue existed in SQLite logging on Apple platforms. This allowed an app to bypass system Privacy preferences by accessing private data that was not properly redacted in log entries. The issue affected iOS 16.5 and iPadOS 16.5, tvOS 16.5, macOS Ventura 13.4, and earlier versions [1][2][4].

Exploitation

An attacker would need to have a malicious app installed on the device. No additional authentication or network access is required beyond the app's existing capabilities. The app could then access log entries containing private data that should have been restricted by Privacy preferences [1][2].

Impact

A successful exploit allows the app to bypass Privacy preferences, potentially gaining access to sensitive user information that the system intended to protect. This compromises user privacy by leaking data that should not be accessible to arbitrary apps [1][2].

Mitigation

Apple addressed the issue in the following releases: macOS Ventura 13.4, iOS 16.5 and iPadOS 16.5, tvOS 16.5, and macOS Monterey 12.6.8 (released July 24, 2023) [1][2][3][4]. Users should update their devices to the latest available versions. No workarounds are documented.