PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-2372 Apple CVE debrief

CVE-2017-2372 is a High-severity Apple memory corruption issue affecting GarageBand and Logic Pro X when processing crafted GarageBand project files. The record says a remote attacker could trigger arbitrary code execution or denial of service, and the CVSS vector requires user interaction to open the malicious file.

Vendor: Apple
Product: GarageBand, Logic Pro X
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Mac administrators, endpoint security teams, and users who still run older GarageBand or Logic Pro X builds should pay attention, especially where project files are exchanged from external or untrusted sources.

Technical summary

The vulnerability is described as a memory corruption flaw in the "Projects" component. NVD assigns CWE-119 and CVSS 3.0 8.8 with AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a network-reachable attack path that depends on a user opening a crafted GarageBand project file. The supplied record describes GarageBand before 10.1.5 and Logic Pro X before 10.3 as affected, while the NVD CPE criteria enumerate GarageBand 10.1.4 and earlier and Logic Pro X 10.2.4 and earlier.

Defensive priority

High for any environment that still has affected versions installed or routinely opens externally supplied project files. If systems are fully updated, the priority drops, but inventory and verification are still important because the vulnerable behavior is file-triggered.

Recommended defensive actions

  • Update GarageBand to a fixed version at or above the version published by Apple in the linked advisory (10.1.5 according to the supplied record) and confirm no systems remain on the affected release line.
  • Update Logic Pro X to a fixed version at or above the version published by Apple in the linked advisory (10.3 according to the supplied record) and verify deployment across the fleet.
  • Inventory Macs for installed GarageBand and Logic Pro X versions, with special attention to shared workstations and creative-production systems.
  • Treat unsolicited or unexpected GarageBand project files as untrusted and confirm the sender and provenance before opening them.
  • Review the Apple advisories and related references to ensure the remediation applied matches the product/version in use.
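The inventory and version-verification steps above can be scripted. The following is an added example, not code from PatchSiren or Apple: it reads the installed GarageBand and Logic Pro X versions and flags any build below the fixed versions the record gives (GarageBand 10.1.5, Logic Pro X 10.3). It assumes the apps live under /Applications and that /usr/libexec/PlistBuddy is available, which holds on macOS; on any other system the apps are simply reported as absent. The version comparison is numeric per component so that, for instance, 10.10 is correctly treated as newer than 10.9.

```shell
#!/bin/sh
# Added example (not from PatchSiren or Apple): flag Macs still on a
# GarageBand or Logic Pro X build affected by CVE-2017-2372.
# Fixed versions are taken from the record above: GarageBand 10.1.5,
# Logic Pro X 10.3. Assumed: the apps live under /Applications and
# /usr/libexec/PlistBuddy is available (macOS only); elsewhere the apps
# are reported as absent.

# field VERSION N -> the N-th dot-separated component, empty past the end.
# A trailing dot is appended so cut always sees a delimiter.
field() {
    printf '%s.' "$1" | cut -d. -f"$2"
}

# version_lt A B -> exit status 0 when A < B, comparing each component
# numerically (so 10.10 is newer than 10.9) and treating missing
# components as 0 (10 equals 10.0).
version_lt() {
    i=1
    while :; do
        x=$(field "$1" "$i")
        y=$(field "$2" "$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 1            # all components equal, so not less-than
        fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# affected NAME INSTALLED FIXED -> prints a verdict; exit status 0 when the
# installed build is below the fixed version.
affected() {
    if version_lt "$2" "$3"; then
        printf '%s %s: AFFECTED (update to %s or later)\n' "$1" "$2" "$3"
        return 0
    fi
    printf '%s %s: ok\n' "$1" "$2"
    return 1
}

# installed_version APP_BUNDLE -> CFBundleShortVersionString from the
# bundle's Info.plist, "unknown" if it cannot be read, or "absent" when
# the bundle (or PlistBuddy) is not present.
installed_version() {
    plist="$1/Contents/Info.plist"
    if [ -r "$plist" ] && [ -x /usr/libexec/PlistBuddy ]; then
        /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null \
            || echo unknown
    else
        echo absent
    fi
}

# Inventory pass over both products. Entries are path:name:fixed.
for entry in "/Applications/GarageBand.app:GarageBand:10.1.5" \
             "/Applications/Logic Pro X.app:Logic Pro X:10.3"; do
    path=${entry%%:*}
    rest=${entry#*:}
    name=${rest%%:*}
    fixed=${rest#*:}
    ver=$(installed_version "$path")
    case "$ver" in
        absent|unknown) printf '%s: %s\n' "$name" "$ver" ;;
        *) affected "$name" "$ver" "$fixed" || true ;;
    esac
done
```

Run it from a fleet-management tool (for example as an extension attribute) and collect the lines containing AFFECTED; an "absent" result on a shared workstation still deserves a check that the app was not installed under a per-user path instead of /Applications.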

Evidence notes

CVE published 2017-02-20 and the source record was modified 2026-05-13. The supplied description states GarageBand before 10.1.5 and Logic Pro X before 10.3 are affected, while the NVD CPE criteria list GarageBand <=10.1.4 and Logic Pro X <=10.2.4. The record also lists CWE-119 and CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Reference links include Apple advisories HT207476 and HT207477 plus third-party references cited by Apple.

Official resources

Publicly disclosed in the CVE record on 2017-02-20. The supplied NVD source record shows a later metadata modification on 2026-05-13. The vendor advisories referenced by the record are Apple HT207476 and HT207477.