Released September 24, 2019

iOS 13.1 and iPadOS 13.1 include the security content of iOS 13.

AppleFirmwareUpdateKext

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2019-8747: Mohamed Ghannam (@_simo36)

Entry added October 29, 2019

Audio

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8706: Yu Zhou of Ant-financial Light-Year Security Lab

Entry added October 29, 2019

Audio

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted audio file may disclose restricted memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8850: Anonymous working with Trend Micro Zero Day Initiative

Entry added December 18, 2019

Books

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Parsing a maliciously crafted iBooks file may lead to a persistent denial-of-service

Description: A resource exhaustion issue was addressed with improved input validation.

CVE-2019-8774: Gertjan Franken imec-DistriNet of KU Leuven

Entry added October 29, 2019

Kernel

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2019-8740: Mohamed Ghannam (@_simo36)

Entry added October 29, 2019

Kernel

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A local app may be able to read a persistent account identifier

Description: A validation issue was addressed with improved logic.

CVE-2019-8809: Apple

Entry added October 29, 2019

Kernel

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to determine kernel memory layout

Description: The issue was addressed with improved permissions logic.

CVE-2019-8780: Siguza

Entry added October 8, 2019

libxslt

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Multiple issues in libxslt

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8750: found by OSS-Fuzz

Entry added October 29, 2019

mDNSResponder

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An attacker in physical proximity may be able to passively observe device names in AWDL communications

Description: This issue was resolved by replacing device names with a random identifier.

CVE-2019-8799: David Kreitschmann and Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt

Entry added October 29, 2019

Shortcuts

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An attacker in a privileged network position may be able to intercept SSH traffic from the “Run script over SSH” action

Description: This issue was addressed by verifying host keys when connecting to a previously-known SSH server.

CVE-2019-8901: an anonymous researcher

Entry added February 11, 2020

UIFoundation

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8831: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added November 18, 2019

VoiceOver

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A person with physical access to an iOS device may be able to access contacts from the lock screen

Description: The issue was addressed by restricting options offered on a locked device.

CVE-2019-8775: videosdebarraquito

WebKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Visiting a maliciously crafted website may reveal browsing history

Description: An issue existed in the drawing of web page elements. The issue was addressed with improved logic.

CVE-2019-8769: Piérre Reimertz (@reimertz)

Entry added October 8, 2019

WebKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8710: found by OSS-Fuzz

CVE-2019-8743: zhunki from Codesafe Team of Legendsec at Qi'anxin Group

CVE-2019-8751: Dongzhuo Zhao working with ADLab of Venustech

CVE-2019-8752: Dongzhuo Zhao working with ADLab of Venustech

CVE-2019-8763: Sergei Glazunov of Google Project Zero

CVE-2019-8765: Samuel Groß of Google Project Zero

CVE-2019-8766: found by OSS-Fuzz

CVE-2019-8773: found by OSS-Fuzz

Entry added October 8, 2019, updated October 29, 2019

WebKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A validation issue was addressed with improved logic.

CVE-2019-8762: Sergei Glazunov of Google Project Zero

Entry added November 18, 2019

WebKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2020-9932: Dongzhuo Zhao working with ADLab of Venustech

Entry added July 28, 2020