CVE-2024-54542
Published: 27 January 2025
Description
An authentication issue was addressed with improved state management. This issue is fixed in Safari 18.2, iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, watchOS 11.2. Private Browsing tabs may be accessed without authentication.
Security Summary
CVE-2024-54542 is an authentication vulnerability caused by improper state management, classified under CWE-862 (Missing Authorization). It affects Safari before 18.2, iOS and iPadOS before 18.2, macOS Sequoia before 15.2, and watchOS before 11.2. The flaw allows Private Browsing tabs to be accessed without authentication and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
According to the CVSS vector, the vulnerability is exploitable over the network by an unprivileged attacker with no user interaction and low attack complexity. Successful exploitation has a high confidentiality impact (unauthorized access to Private Browsing tabs) and a high availability impact on the affected system; integrity is not affected.
Apple's security advisories confirm the issue was fixed via improved state management in Safari 18.2, iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, and watchOS 11.2. Mitigation requires updating to these versions or later, with further details available at https://support.apple.com/en-us/121837, https://support.apple.com/en-us/121839, https://support.apple.com/en-us/121843, and https://support.apple.com/en-us/121846.
Details
- CWE(s)