Lucene search

K
debianDebianDEBIAN:DSA-4877-1:61845
HistoryMar 27, 2021 - 6:41 a.m.

[SECURITY] [DSA 4877-1] webkit2gtk security update

2021-03-2706:41:31
lists.debian.org
99
debian
security advisory
webkit2gtk
update
cve-2020-27918
cve-2020-29623
cve-2021-1765
cve-2021-1789
cve-2021-1799
cve-2021-1801
cve-2021-1870
arbitrary code execution
browsing history
iframe sandboxing policy
restricted ports
security tracker

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9

Confidence

Low

EPSS

0.017

Percentile

88.2%


Debian Security Advisory DSA-4877-1 [email protected]
https://www.debian.org/security/ Alberto Garcia
March 27, 2021 https://www.debian.org/security/faq


Package : webkit2gtk
CVE ID : CVE-2020-27918 CVE-2020-29623 CVE-2021-1765 CVE-2021-1789
CVE-2021-1799 CVE-2021-1801 CVE-2021-1870

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2020-27918

Liu Long discovered that processing maliciously crafted web
content may lead to arbitrary code execution.

CVE-2020-29623

Simon Hunt discovered that users may be unable to fully delete
their browsing history under some circumstances.

CVE-2021-1765

Eliya Stein discovered that maliciously crafted web content may
violate iframe sandboxing policy.

CVE-2021-1789

@S0rryMybad discovered that processing maliciously crafted web
content may lead to arbitrary code execution.

CVE-2021-1799

Gregory Vishnepolsky, Ben Seri and Samy Kamkar discovered that a
malicious website may be able to access restricted ports on
arbitrary servers.

CVE-2021-1801

Eliya Stein discovered that processing maliciously crafted web
content may lead to arbitrary code execution.

CVE-2021-1870

An anonymous researcher discovered that processing maliciously
crafted web content may lead to arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in
version 2.30.6-1~deb10u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9

Confidence

Low

EPSS

0.017

Percentile

88.2%