CVE-2024-23254
Published: March 20, 2024Last modified: November 6, 2024
Description
The issue was addressed with improved UI handling. This issue is fixed in tvOS 17.4, macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, Safari 17.4. A malicious website may exfiltrate audio data cross-origin.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.5 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | NONE |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Liberica JDK | 8 | jdk-full | Fixed (8u432+7) |
| jre-full | Fixed (8u432+7) | ||
| 11 | jdk-full | Fixed (11.0.25+11) | |
| jre-full | Fixed (11.0.25+11) | ||
| 17 | jdk-full | Fixed (17.0.13+12) | |
| jre-full | Fixed (17.0.13+12) | ||
| 21 | jdk-full | Fixed (21.0.5+11) | |
| jre-full | Fixed (21.0.5+11) | ||
| 23 | jdk-full | Fixed (23.0.1+13) | |
| jre-full | Fixed (23.0.1+13) | ||
| Liberica NIK | 23 (JDK 17) | full | Fixed (23.0.6+1) |
| 23 (JDK 21) | full | Fixed (23.1.5+1) | |
| 24 (JDK 23) | full | Fixed (24.1.1+1) |
References
- http://seclists.org/fulldisclosure/2024/Mar/20
- http://seclists.org/fulldisclosure/2024/Mar/21
- http://seclists.org/fulldisclosure/2024/Mar/24
- http://seclists.org/fulldisclosure/2024/Mar/25
- http://seclists.org/fulldisclosure/2024/Mar/26
- http://www.openwall.com/lists/oss-security/2024/03/26/1
- https://lists.fedoraproject.org/archives/list/[email protected]/message/IXLXIOAH5S7J22LJTCIAVFVVJ4TESAX4/
- https://support.apple.com/en-us/HT214081
- https://support.apple.com/en-us/HT214084
- https://support.apple.com/en-us/HT214086
- https://support.apple.com/en-us/HT214087
- https://support.apple.com/en-us/HT214088
- https://support.apple.com/en-us/HT214089