CVE-2024-40791: 
macOS vulnerability analysis and mitigation

CVE-2024-40791 is a privacy vulnerability discovered in Apple's operating systems that was disclosed and patched on September 16, 2024. The vulnerability affects multiple Apple platforms including macOS Ventura 13.7, iOS 17.7 and iPadOS 17.7, iOS 18 and iPadOS 18, macOS Sonoma 14.7, and macOS Sequoia 15. The issue specifically affects the Mail Accounts component, where an app could potentially access information about a user's contacts (Apple Support, Apple Support).

The vulnerability is classified as a privacy issue that was addressed with improved private data redaction for log entries. The issue allowed applications to potentially access information about a user's contacts through the Mail Accounts component. The vulnerability has been assigned a CVSS v3.1 Base Score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating local access is required and the impact is primarily on confidentiality (NVD).

The primary impact of this vulnerability is on user privacy, as it could allow unauthorized applications to access information about a user's contacts. This represents a potential breach of user data confidentiality, particularly concerning personal contact information stored in the device (Apple Support).

Apple has addressed this vulnerability by implementing improved private data redaction for log entries in the affected operating systems. Users are advised to update to macOS Ventura 13.7, iOS 17.7 and iPadOS 17.7, iOS 18 and iPadOS 18, macOS Sonoma 14.7, or macOS Sequoia 15, depending on their device (Apple Support, Apple Support).

The vulnerability was discovered and reported by security researcher Rodolphe BRUNETTI (@eisw0lf), who was credited by Apple in their security advisory (Apple Support).