Vulnerability Information
Vulnerability Title
TCC Bypass via Downloader XPC Service in Sparkle
Vulnerability Description
The Sparkle framework includes an XPC service, Downloader.xpc. By default this service is private to the application it is bundled with. A local unprivileged attacker can register this XPC service globally, and the service will inherit the TCC permissions of the application. Lack of validation of the connecting client allows the attacker to copy TCC-protected files to an arbitrary location. Access to other resources beyond the granted permissions requires user interaction with a system prompt asking for permission. This issue was fixed in version 2.7.2.
CVSS Information
N/A
Vulnerability Type
Incorrect Authorization
Vulnerability Title
Sparkle Security Vulnerability
Vulnerability Description
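Sparkle is an open-source software update framework for macOS from the Sparkle Project. Versions of Sparkle before 2.7.2 contain a security vulnerability that stems from not validating the connecting client, which may allow TCC-protected files to be copied to an arbitrary location.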
CVSS Information
N/A
Vulnerability Type
N/A