Wish Wu

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 15 iPadOS versions prior to 15 **Description** The issue allows a 3D model constructed to look like the enrolled user to authenticate via Face ID. This is due to inadequate anti-spoofing models. The estimated number of potentially affected devices worldwide is not specified. **Recommendations** For iOS versions prior to 15, update to iOS 15 or later to resolve the issue. For iPadOS versions prior to 15, update to iPadOS 15 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: iOS versions prior to 14.5 iPadOS versions prior to 14.5 macOS Big Sur versions prior to 11.3 Description: The issue involves an out-of-bounds read that has been addressed through improved input validation. A malicious application may be able to execute arbitrary code with kernel privileges. Recommendations: For iOS versions prior to 14.5, update to iOS 14.5 or later. For iPadOS versions prior to 14.5, update to iPadOS 14.5 or later. For macOS Big Sur versions prior to 11.3, update to macOS Big Sur 11.3 or later.

**Name of the Vulnerable Software and Affected Versions** HUAWEI Mate 30 Pro versions earlier than 10.1.0.150(C00E136R5P3) **Description** The device has an improper authentication issue where it does not sufficiently validate certain credentials of a user's face. An attacker could craft the credential of the user, and a successful exploit could allow the attacker to pass the authentication with the crafted credential. **Recommendations** For versions earlier than 10.1.0.150(C00E136R5P3), update to version 10.1.0.150(C00E136R5P3) or later to resolve the issue. As a temporary workaround, consider disabling face authentication until a patch is available. Restrict access to sensitive features that rely on face authentication to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 13 **Description** The issue allowed a 3D model constructed to look like the enrolled user to authenticate via Face ID. This was addressed by improving Face ID machine learning models. **Recommendations** For iOS versions prior to 13, update to iOS 13 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** libgdx version 7.1.1 **Description** A remote code execution issue in libgdx could allow an attacker to execute arbitrary code in the context of an unprivileged process by using a specially crafted file. This issue is considered High due to the possibility of remote code execution in an application that uses this library. **Recommendations** For libgdx version 7.1.1, update to a newer version that contains a fix for this issue to prevent remote code execution.

**Name of the Vulnerable Software and Affected Versions** Android versions 4.x through 4.4.3 Android versions 5.0.x through 5.0.1 Android versions 5.1.x through 5.1.0 Android versions 6.x before 2016-11-01 Android versions 7.0 before 2016-11-01 **Description** An elevation of privilege issue in Mediaserver could allow a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. **Recommendations** For Android versions 4.x through 4.4.3, update to version 4.4.4 or later. For Android versions 5.0.x through 5.0.1, update to version 5.0.2 or later. For Android versions 5.1.x through 5.1.0, update to version 5.1.1 or later. For Android versions 6.x before 2016-11-01, apply the November 2016 security patch or later. For Android versions 7.0 before 2016-11-01, apply the November 2016 security patch or later.

**Name of the Vulnerable Software and Affected Versions** Android versions 4.x through 4.4.3 Android versions 5.0.x through 5.0.1 Android versions 5.1.x through 5.1.0 Android versions 6.x before 2016-10-01 Android versions 7.0 before 2016-10-01 **Description** The issue allows attackers to obtain sensitive information via a crafted application due to the lack of validation of EFFECT CMD SET PARAM and EFFECT CMD SET PARAM DEFERRED commands in the mediaserver. **Recommendations** For Android versions 4.x through 4.4.3, update to version 4.4.4 or later. For Android versions 5.0.x through 5.0.1, update to version 5.0.2 or later. For Android versions 5.1.x through 5.1.0, update to version 5.1.1 or later. For Android versions 6.x before 2016-10-01, apply the October 2016 security patch or later. For Android versions 7.0 before 2016-10-01, apply the October 2016 security patch or later.

**Name of the Vulnerable Software and Affected Versions** Android versions 4.x through 4.4.3 Android versions 5.0.x through 5.0.1 Android versions 5.1.x through 5.1.0 Android versions 6.x before 2016-10-01 Android versions 7.0 before 2016-10-01 **Description** The issue allows attackers to gain privileges via a crafted application. **Recommendations** For Android versions 4.x through 4.4.3, update to version 4.4.4 or later. For Android versions 5.0.x through 5.0.1, update to version 5.0.2 or later. For Android versions 5.1.x through 5.1.0, update to version 5.1.1 or later. For Android versions 6.x before 2016-10-01, update to a version released on or after 2016-10-01. For Android versions 7.0 before 2016-10-01, update to a version released on or after 2016-10-01.

**Name of the Vulnerable Software and Affected Versions** Android versions 4.x through 4.4.3 Android versions 5.0.x through 5.0.1 Android versions 5.1.x through 5.1.0 Android versions 6.x before 2016-04-01 **Description** The issue is related to insufficient access control in the Qualcomm ARM component of the Android operating system. It can be exploited by a local attacker using a specially crafted application to gain elevated privileges. **Recommendations** For Android versions 4.x through 4.4.3, update to version 4.4.4 or later. For Android versions 5.0.x through 5.0.1, update to version 5.0.2 or later. For Android versions 5.1.x through 5.1.0, update to version 5.1.1 or later. For Android versions 6.x before 2016-04-01, update to a version released on or after 2016-04-01.

**Name of the Vulnerable Software and Affected Versions** Android versions 4.x through 4.4.3 Android versions 5.x through 5.1.0 Android versions 6.x before 2016-03-01 **Description** The issue is related to a component of the Qualcomm performance in Android, which has inadequate access control. This allows attackers to gain privileges via a crafted application. **Recommendations** For Android versions 4.x through 4.4.3, update to version 4.4.4 or later. For Android versions 5.x through 5.1.0, update to version 5.1.1 LMY49H or later. For Android versions 6.x before 2016-03-01, update to a version released on or after 2016-03-01.