A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. This issue is fixed in Security Update 2022-003 Catalina, macOS Big Sur 11.6.5, macOS Monterey 12.3. A local user may be able to write arbitrary files.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mac_os_x | Apple | 10.15.7 (including) | 10.15.7 (including) |
| Mac_os_x | Apple | 10.15.7-security_update_2020 (including) | 10.15.7-security_update_2020 (including) |
| Mac_os_x | Apple | 10.15.7-security_update_2020-001 (including) | 10.15.7-security_update_2020-001 (including) |
| Mac_os_x | Apple | 10.15.7-security_update_2020-005 (including) | 10.15.7-security_update_2020-005 (including) |
| Mac_os_x | Apple | 10.15.7-security_update_2020-007 (including) | 10.15.7-security_update_2020-007 (including) |
| Mac_os_x | Apple | 10.15.7-security_update_2021-001 (including) | 10.15.7-security_update_2021-001 (including) |
| Mac_os_x | Apple | 10.15.7-security_update_2021-002 (including) | 10.15.7-security_update_2021-002 (including) |
| Mac_os_x | Apple | 10.15.7-security_update_2021-003 (including) | 10.15.7-security_update_2021-003 (including) |
| Mac_os_x | Apple | 10.15.7-security_update_2021-006 (including) | 10.15.7-security_update_2021-006 (including) |
| Mac_os_x | Apple | 10.15.7-security_update_2021-007 (including) | 10.15.7-security_update_2021-007 (including) |
| Mac_os_x | Apple | 10.15.7-security_update_2021-008 (including) | 10.15.7-security_update_2021-008 (including) |
| Mac_os_x | Apple | 10.15.7-security_update_2022-001 (including) | 10.15.7-security_update_2022-001 (including) |
| Mac_os_x | Apple | 10.15.7-security_update_2022-002 (including) | 10.15.7-security_update_2022-002 (including) |
| Macos | Apple | 11.0 (including) | 11.6.5 (excluding) |
| Macos | Apple | 12.0.0 (including) | 12.3 (excluding) |