CVSS3 : 10 High
  Attack Vector : NETWORK
  Attack Complexity : LOW
  Privileges Required : NONE
  User Interaction : NONE
  Scope : CHANGED
  Confidentiality Impact : HIGH
  Integrity Impact : HIGH
  Availability Impact : HIGH
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS2 : 7.5 High
  Access Vector : NETWORK
  Access Complexity : LOW
  Authentication : NONE
  Confidentiality Impact : PARTIAL
  Integrity Impact : PARTIAL
  Availability Impact : PARTIAL
  AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS : 0.593 Medium
  Percentile : 97.7%
Severity: Critical
Date : 2020-07-14
CVE-ID : CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 CVE-2020-9806
CVE-2020-9807 CVE-2020-9843 CVE-2020-9850 CVE-2020-13753
Package : webkit2gtk
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1203
The package webkit2gtk before version 2.28.3-1 is vulnerable to
multiple issues including arbitrary code execution, cross-site
scripting and sandbox escape.
Resolution : Upgrade to 2.28.3-1. The problems have been fixed upstream in version 2.28.3.
Workaround : None.
A memory corruption issue has been found in WebKitGTK before 2.28.3 and
WPE WebKit before 2.28.3, where processing maliciously crafted web
content may lead to arbitrary code execution.
A memory corruption issue has been found in WebKitGTK before 2.28.3 and
WPE WebKit before 2.28.3, where processing maliciously crafted web
content may lead to arbitrary code execution.
A logic issue has been found in WebKitGTK before 2.28.3 and WPE WebKit
before 2.28.3, where processing maliciously crafted web content may
lead to universal cross-site scripting.
A memory corruption issue has been found in WebKitGTK before 2.28.3 and
WPE WebKit before 2.28.3, where processing maliciously crafted web
content may lead to arbitrary code execution.
A memory corruption issue has been found in WebKitGTK before 2.28.3 and
WPE WebKit before 2.28.3, where processing maliciously crafted web
content may lead to arbitrary code execution.
An issue has been found in WebKitGTK before 2.28.3 and WPE WebKit
before 2.28.3, where processing maliciously crafted web content may
lead to a cross-site scripting attack.
A logic issue has been found in WebKitGTK before 2.28.3 and WPE WebKit
before 2.28.3, allowing a remote attacker to execute arbitrary code.
The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3,
failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl.
CLONE_NEWUSER could potentially be used to confuse xdg-desktop-portal,
which allows access outside the sandbox. TIOCSTI can be used to
directly execute commands outside the sandbox by writing to the
controlling terminal's input buffer, similar to CVE-2017-5226.
A remote attacker might be able to trigger cross-site scripting, bypass
the sandbox and execute arbitrary code on the affected host.
https://webkitgtk.org/security/WSA-2020-0006.html
https://webkitgtk.org/security/WSA-2020-0006.html#CVE-2020-9802
https://webkitgtk.org/security/WSA-2020-0006.html#CVE-2020-9803
https://webkitgtk.org/security/WSA-2020-0006.html#CVE-2020-9805
https://webkitgtk.org/security/WSA-2020-0006.html#CVE-2020-9806
https://webkitgtk.org/security/WSA-2020-0006.html#CVE-2020-9807
https://webkitgtk.org/security/WSA-2020-0006.html#CVE-2020-9843
https://webkitgtk.org/security/WSA-2020-0006.html#CVE-2020-9850
https://webkitgtk.org/security/WSA-2020-0006.html#CVE-2020-13753
https://security.archlinux.org/CVE-2020-9802
https://security.archlinux.org/CVE-2020-9803
https://security.archlinux.org/CVE-2020-9805
https://security.archlinux.org/CVE-2020-9806
https://security.archlinux.org/CVE-2020-9807
https://security.archlinux.org/CVE-2020-9843
https://security.archlinux.org/CVE-2020-9850
https://security.archlinux.org/CVE-2020-13753
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | webkit2gtk | < 2.28.3-1 | UNKNOWN |