CVE-2024-23745

moderate-risk
Published 2024-01-31

In Notion Web Clipper 1.0.3(7), a .nib file is susceptible to the Dirty NIB attack. NIB files can be manipulated to execute arbitrary commands. Additionally, even if a NIB file is modified within an application, Gatekeeper may still permit the execution of the application, enabling the execution of arbitrary commands within the application's context. NOTE: the vendor's perspective is that this is simply an instance of CVE-2022-48505, cannot properly be categorized as a product-level vulnerability, and cannot have a product-level fix because it is about incorrect caching of file signatures on macOS.

Do I need to act?

~
3.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Web Clipper

Affected Vendors

Notion

References (6)

https://blog.xpnsec.com/dirtynib/
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why...
Exploit https://github.com/louiselalanne/CVE-2024-23745
https://blog.xpnsec.com/dirtynib/
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why...
Exploit https://github.com/louiselalanne/CVE-2024-23745
43
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 6/34 · Minimal
Exposure 5/34 · Minimal