Apple Multiple Products Improper Certificate Validation Vulnerability
Summary
| CVE | CVE-2023-41991 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-09-21 19:15:00 UTC |
| Updated | 2023-11-07 04:21:00 UTC |
| Description | A certificate validation issue was addressed. This issue is fixed in macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. |
Risk And Classification
EPSS: 0.032170000 probability, percentile 0.869890000 (date 2026-04-01)
CISA KEV: Listed on 2023-09-25; due 2023-10-16; ransomware use Unknown
Problem Types: CWE-295
CISA Known Exploited Vulnerability
| Vendor | Apple |
|---|---|
| Product | Multiple Products |
| Name | Apple Multiple Products Improper Certificate Validation Vulnerability |
| Required Action | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
| Notes | https://support.apple.com/en-us/HT213926, https://support.apple.com/en-us/HT213927, https://support.apple.com/en-us/HT213928, https://support.apple.com/en-us/HT213929, https://support.apple.com/en-us/HT213931 ; https://nvd.nist.gov/vuln/detail/CVE-2023-41991 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Apple | Ipados | All | All | All | All |
| Operating System | Apple | Ipados | 17.0 | All | All | All |
| Operating System | Apple | Ipad Os | All | All | All | All |
| Operating System | Apple | Ipad Os | 17.0 | All | All | All |
| Operating System | Apple | Iphone Os | All | All | All | All |
| Operating System | Apple | Iphone Os | 17.0 | All | All | All |
| Operating System | Apple | Macos | All | All | All | All |
| Operating System | Apple | Watchos | All | All | All | All |
| Operating System | Apple | Watchos | 10.0.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| About the security content of watchOS 9.6.3 - Apple Support | MISC | support.apple.com | |
| About the security content of iOS 16.7 and iPadOS 16.7 - Apple Support | MISC | support.apple.com | |
| seclists.org/fulldisclosure/2023/Sep/14 | MISC | seclists.org | |
| About the security content of iOS 17.0.1 and iPadOS 17.0.1 - Apple Support | MISC | support.apple.com | |
| support.apple.com/kb/HT213926 | MISC | support.apple.com | |
| About the security content of watchOS 10.0.1 - Apple Support | MISC | support.apple.com | |
| Full Disclosure: APPLE-SA-2023-09-21-5 watchOS 9.6.3 | MISC | seclists.org | |
| Full Disclosure: APPLE-SA-09-26-2023-3 Additional information for APPLE-SA-2023-09-21-3 iOS 16.7 and iPadOS 16.7 | seclists.org | ||
| Full Disclosure: APPLE-SA-09-26-2023-4 Additional information for APPLE-SA-2023-09-21-6 macOS Ventura 13.6 | MISC | seclists.org | |
| About the security content of macOS Ventura 13.6 - Apple Support | MISC | support.apple.com | |
| Full Disclosure: APPLE-SA-2023-09-21-6 macOS Ventura 13.6 | MISC | seclists.org | |
| Full Disclosure: APPLE-SA-2023-09-21-3 iOS 16.7 and iPadOS 16.7 | MISC | seclists.org | |
| Full Disclosure: APPLE-SA-2023-09-21-4 watchOS 10.0.1 | MISC | seclists.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.