CVE-2023-41993: Apple Multiple Products WebKit Code Execution Vulnerability
First published: Thu Sep 21 2023(Updated: )
Apple iOS, iPadOS, macOS, and Safari WebKit contain an unspecified vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.
Credit: product-security@apple.com product-security@apple.com product-security@apple.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apple macOS Ventura | <13.6 | 13.6 |
| Apple Safari | <16.6.1 | 16.6.1 |
| Apple iOS | <17.0.1 | 17.0.1 |
| Apple iPadOS | <17.0.1 | 17.0.1 |
| Apple iOS | <16.7 | 16.7 |
| Apple iPadOS | <16.7 | 16.7 |
| Apple Safari | <17 | 17 |
| Apple Safari | <17.0 | |
| Apple iPadOS | <16.7 | |
| Apple iPhone OS | <16.7 | |
| Apple macOS | <14.0 | |
| Fedoraproject Fedora | =38 | |
| Fedoraproject Fedora | =39 | |
| ubuntu/webkit2gtk | <2.42.1-0ubuntu0.22.04.1 | 2.42.1-0ubuntu0.22.04.1 |
| ubuntu/webkit2gtk | <2.42.1-0ubuntu0.23.04.1 | 2.42.1-0ubuntu0.23.04.1 |
| ubuntu/webkit2gtk | <2.42.1 | 2.42.1 |
| debian/webkit2gtk | <=2.36.4-1~deb10u1<=2.38.6-0+deb10u1 | 2.42.2-1~deb11u1 2.44.1-1~deb11u1 2.42.2-1~deb12u1 2.44.1-1~deb12u1 2.44.1-1 |
| debian/wpewebkit | <=2.38.6-1~deb11u1<=2.38.6-1 | 2.44.1-1 |
| Apple macOS Sonoma | <14 | 14 |
| IBM MQ Operator | <=SC2 (formerly LTS): v3.2.0, v3.2.1CD: v3.0.0, v3.0.1, v3.1.0 - 3.1.3 LTS: v2.0.0 - 2.0.23 Other Release: v2.4.0 - v2.4.8, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2 | |
| IBM supplied MQ Advanced container images | <=CD: 9.4.0.0-r1, 9.3.4.0-r1, 9.3.4.1-r1,9.3.5.0-r1,9.3.5.0-r2,9.3.5.1-r1, 9.3.5.1-r2LTS: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3 Other Release: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1, 9.3.3.2-r2, 9.3.3.2-r3, ,9.3.3.3-r1, 9.3.3.3-r2 | |
| Apple iPadOS | <17.0.1 | |
| Apple iPhone OS | <17.0.1 | |
| Fedoraproject Fedora | =37 | |
| Debian Debian Linux | =11.0 | |
| Debian Debian Linux | =12.0 | |
| Oracle GraalVM | =20.3.13 | |
| Oracle GraalVM | =21.3.9 | |
| Oracle JDK | =1.8.0-update401 | |
| Oracle JRE | =1.8.0-update401 | |
| Netapp Cloud Insights Acquisition Unit | ||
| Netapp Cloud Insights Storage Workload Security Agent | ||
| NetApp OnCommand Insight | ||
| NetApp OnCommand Workflow Automation | ||
| Webkitgtk Webkitgtk\+ | <2.42.2 | |
| Apple Multiple Products |
Remedy
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/HT213931 (Advisory)
- https://support.apple.com/en-us/HT213930 (Advisory)
- https://support.apple.com/en-us/HT213926 (Advisory)
- https://support.apple.com/en-us/HT213927 (Advisory)
- https://support.apple.com/en-us/HT213941 (Advisory)
- http://seclists.org/fulldisclosure/2023/Oct/2
- http://seclists.org/fulldisclosure/2023/Oct/3
- http://seclists.org/fulldisclosure/2023/Oct/4
- http://www.openwall.com/lists/oss-security/2023/09/28/3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EEMDC5TQAANFH5D77QM34ZTUKXPFGVL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ELXBV26Q54BIOVN5LBCJFM2G6VQZ7FO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EYRHTFVN6FTXLZ27IPTNRSXKBAR2SOMA/
- https://support.apple.com/en-us/HT213940 (Advisory)
- https://www.debian.org/security/2023/dsa-5527
- https://webkitgtk.org/security/WSA-2023-0009.html
- https://www.openwall.com/lists/oss-security/2023/09/28/3
- https://ubuntu.com/security/notices/USN-6426-1
- https://www.cve.org/CVERecord?id=CVE-2023-41993
- https://nvd.nist.gov/vuln/detail/CVE-2023-41993
- https://launchpad.net/bugs/cve/CVE-2023-41993
- https://security-tracker.debian.org/tracker/CVE-2023-41993
- https://ubuntu.com/security/CVE-2023-41993
- https://security.gentoo.org/glsa/202401-33
- https://security.netapp.com/advisory/ntap-20240426-0004/
- https://support.apple.com/kb/HT213940
- https://exchange.xforce.ibmcloud.com/vulnerabilities/266672
- https://www.ibm.com/support/pages/node/7159714 (Advisory)
- https://www.bleepingcomputer.com/news/security/russian-apt29-hackers-use-ios-chrome-exploits-created-by-spyware-vendors/
- https://www.theregister.com/2024/08/29/commercial_spyware_russia_mongolia/
- https://support.apple.com/en-us/HT213926,
- https://support.apple.com/en-us/HT213927,
- https://support.apple.com/en-us/HT213930;
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2023-41992
- CVE-2023-41991
- CVE-2023-41993
- CVE-2023-40448
- CVE-2023-38612
- CVE-2023-41232
- CVE-2023-40420
- CVE-2023-40438
- CVE-2023-40395
- CVE-2023-41984
- CVE-2023-41981
- CVE-2023-41073
- CVE-2023-40454
- CVE-2023-40403
- CVE-2023-41068
- CVE-2023-40401
- CVE-2023-41063
- CVE-2023-35990
- CVE-2023-41070
- CVE-2023-40417
- CVE-2023-40385
- CVE-2023-42833
- CVE-2023-40414
- CVE-2023-40451
- CVE-2023-41074
- CVE-2023-35074
- CVE-2023-40384
- CVE-2023-32377
- CVE-2023-38615
- CVE-2023-40432
- CVE-2023-42871
- CVE-2023-40399
- CVE-2023-40410
- CVE-2023-42872
- CVE-2023-42929
- CVE-2023-42925
- CVE-2023-32361
- CVE-2023-35984
- CVE-2023-40402
- CVE-2023-40426
- CVE-2023-42876
- CVE-2023-41065
- CVE-2023-29497
- CVE-2023-38596
- CVE-2023-42943
- CVE-2023-40406
- CVE-2023-40528
- CVE-2023-41994
- CVE-2023-40407
- CVE-2023-32396
- CVE-2023-42933
- CVE-2023-41980
- CVE-2023-40411
- CVE-2023-40391
- CVE-2023-40441
- CVE-2023-42959
- CVE-2023-23495
- CVE-2023-40434
- CVE-2023-38586
- CVE-2023-40436
- CVE-2023-40396
- CVE-2023-41995
- CVE-2023-42870
- CVE-2023-40429
- CVE-2023-41060
- CVE-2023-41067
- CVE-2023-40400
- CVE-2023-40427
- CVE-2023-42957
- CVE-2023-32421
- CVE-2023-42826
- CVE-2023-42918
- CVE-2023-41986
- CVE-2023-40455
- CVE-2023-40386
- CVE-2023-38408
- CVE-2023-40393
- CVE-2023-42949
- CVE-2023-42934
- CVE-2023-37448
- CVE-2023-38607
- CVE-2023-41987
- CVE-2023-40422
- CVE-2023-39233
- CVE-2023-40388
- CVE-2023-40452
- CVE-2023-40430
- CVE-2023-41996
- CVE-2023-41078
- CVE-2023-40541
- CVE-2023-41079
- CVE-2023-40443
- CVE-2023-41968
- CVE-2023-40450
- CVE-2023-42948
- CVE-2023-40424
- CVE-2023-39434
- CVE-2023-32359
- CVE-2023-38610
- CVE-2023-41066
- CVE-2023-41979
Frequently Asked Questions
What is CVE-2023-41993?
CVE-2023-41993 is a vulnerability in WebKit that allows arbitrary code execution.
Which versions of iOS and iPadOS are affected by CVE-2023-41993?
iOS versions up to 16.7 and iPadOS versions up to 16.7 are affected by CVE-2023-41993.
How was CVE-2023-41993 addressed?
CVE-2023-41993 was addressed with improved checks in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, Safari 16.6.1.
Is there a remedy available for macOS Ventura?
No, there is no specific remedy available for macOS Ventura.
Where can I find more information about CVE-2023-41993?
You can find more information about CVE-2023-41993 on the Apple support website.
- collector/apple-support
- agent/type
- agent/first-publish-date
- agent/software-canonical-lookup-request
- agent/author
- agent/remedy
- agent/title
- agent/weakness
- source/Apple
- agent/software-canonical-lookup
- collector/nvd-index
- collector/usn-cve
- source/Ubuntu
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/severity
- agent/description
- collector/ibm-support
- source/IBM
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2021-1879
- alias/CVE-2023-41993
- alias/CVE-2024-5274
- alias/CVE-2024-4671
- collector/the-register
- source/The Register
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/references
- agent/softwarecombine
- agent/event
- agent/tags
- collector/nvd-cve
- vendor/apple
- canonical/apple macos ventura
- canonical/apple safari
- canonical/apple ios
- canonical/apple ipados
- canonical/apple iphone os
- canonical/apple macos
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/38
- version/fedoraproject fedora/39
- package-manager/ubuntu
- package-manager/debian
- canonical/apple macos sonoma
- vendor/ibm
- canonical/ibm mq operator
- version/ibm mq operator/sc2 (formerly lts): v3.2.0, v3.2.1cd: v3.0.0, v3.0.1, v3.1.0 - 3.1.3 lts: v2.0.0 - 2.0.23 other release: v2.4.0 - v2.4.8, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2
- canonical/ibm supplied mq advanced container images
- version/ibm supplied mq advanced container images/cd: 9.4.0.0-r1, 9.3.4.0-r1, 9.3.4.1-r1,9.3.5.0-r1,9.3.5.0-r2,9.3.5.1-r1, 9.3.5.1-r2lts: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3 other release: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1, 9.3.3.2-r2, 9.3.3.2-r3, ,9.3.3.3-r1, 9.3.3.3-r2
- version/fedoraproject fedora/37
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0
- version/debian debian linux/12.0
- vendor/oracle
- canonical/oracle graalvm
- version/oracle graalvm/20.3.13
- version/oracle graalvm/21.3.9
- canonical/oracle jdk
- version/oracle jdk/1.8.0-update401
- canonical/oracle jre
- version/oracle jre/1.8.0-update401
- vendor/netapp
- canonical/netapp cloud insights acquisition unit
- canonical/netapp cloud insights storage workload security agent
- canonical/netapp oncommand insight
- canonical/netapp oncommand workflow automation
- vendor/webkitgtk
- canonical/webkitgtk webkitgtk\+
- canonical/apple multiple products