CVE-2020-3841: 
Apple Safari vulnerability analysis and mitigation

CVE-2020-3841 is a security vulnerability discovered in Apple's Safari Login AutoFill feature that was disclosed and patched in January 2020. The vulnerability affected multiple Apple products including Safari 13.0.5, iOS 13.3.1, and iPadOS 13.3.1. The issue was discovered by Sebastian Bicchi (@secresDoge) from Sec-Research and could allow a local user to unknowingly transmit passwords in an unencrypted format over the network (Apple Support, NVD).

The vulnerability was caused by improper UI handling in Safari's Login AutoFill feature. It received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability was classified under CWE-319 (Cleartext Transmission of Sensitive Information) and CWE-522 (Insufficiently Protected Credentials) (NVD).

The primary impact of this vulnerability was that a local user could unknowingly send passwords unencrypted over the network, potentially exposing sensitive authentication credentials to network observers. This could lead to unauthorized access to user accounts if the credentials were intercepted (Apple Support, NVD).

Apple addressed this vulnerability by improving UI handling in the affected products. The fix was released in Safari 13.0.5, iOS 13.3.1, and iPadOS 13.3.1 on January 28, 2020. Users were advised to update to these versions to protect against the vulnerability (Apple Support).