Lucene search

[email protected]CVE-2020-10018

HistoryMar 02, 2020 - 11:15 p.m.

CVE-2020-10018

2020-03-0223:15:00

CWE-416

[email protected]

web.nvd.nist.gov

236

cve-2020-10018

webkitgtk

wpe webkit

memory corruption

use-after-free

arbitrary code execution

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.014 Low

EPSS

Percentile

86.3%

JSON

WebKitGTK through 2.26.4 and WPE WebKit through 2.26.4 (which are the versions right before 2.28.0) contains a memory corruption issue (use-after-free) that may lead to arbitrary code execution. This issue has been fixed in 2.28.0 with improved memory handling.

CPENameOperatorVersion
webkitgtk:webkitgtkwebkitgtklt2.28.0
wpewebkit:wpe_webkitwpewebkit wpe webkitlt2.28.0
fedoraproject:fedorafedoraproject fedoraeq30
fedoraproject:fedorafedoraproject fedoraeq31
debian:debian_linuxdebian debian linuxeq10.0
canonical:ubuntu_linuxcanonical ubuntu linuxeq18.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq19.10
opensuse:leapopensuse leapeq15.1

CPE	Name	Operator	Version
webkitgtk:webkitgtk	webkitgtk	lt	2.28.0
wpewebkit:wpe_webkit	wpewebkit wpe webkit	lt	2.28.0
fedoraproject:fedora	fedoraproject fedora	eq	30
fedoraproject:fedora	fedoraproject fedora	eq	31
debian:debian_linux	debian debian linux	eq	10.0
canonical:ubuntu_linux	canonical ubuntu linux	eq	18.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	19.10
opensuse:leap	opensuse leap	eq	15.1