CVE-2020-9934

MEDIUM KEV

Apple iPadOS < 13.6 - Denial of Service

Title source: rule

Description

An issue existed in the handling of environment variables. This issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6. A local user may be able to view sensitive user information.

Exploits (3)

nomisec WORKING POC 23 stars
by mattshockl · local
https://github.com/mattshockl/CVE-2020-9934

github WORKING POC 4 stars
by X1cT34m · cpoc
https://github.com/X1cT34m/CVE-and-PoC/tree/main/2020/CVE-2020-9934

metasploit WORKING POC
by mattshockl, timwr · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/escalate/tccbypass.rb

Scores

CVSS v3 5.5
EPSS 0.0244
EPSS Percentile 85.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CISA KEV 2022-09-08
VulnCheck KEV 2022-07-19
InTheWild.io 2022-07-17
ENISA EUVD EUVD-2020-30713
Status published
Products (3)
apple/ipados < 13.6
apple/iphone_os < 13.6
apple/mac_os_x < 10.15.6
Published Oct 16, 2020
KEV Added Sep 08, 2022
Tracked Since Feb 18, 2026