Lucene search

K
githubGitHub Advisory DatabaseGHSA-J646-GJ5P-P45G
HistorySep 21, 2023 - 5:11 p.m.

CefSharp affected by heap buffer overflow in WebP

2023-09-2117:11:42
GitHub Advisory Database
github.com
21
cefsharp
heap buffer overflow
webp
cve-2023-4863
cve-2023-5217
google chrome
critical
vulnerability
webcodecs api
encoder

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.609

Percentile

97.8%

Google is aware that an exploit for CVE-2023-4863 exists in the wild.

Description

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

References


Updated

There is another related security vulnerability.

> There’s another related CVE (CVE-2023-5217) that is fixed in Chromium 117.0.5938.132. This one is triggered by WebCodecs API encoder usage, so a workaround for older versions is to disable the WebCodecs API (--disable-blink-features=WebCodecs).

As per https://magpcss.org/ceforum/viewtopic.php?f=6&t=19551#p54150

Affected configurations

Vulners
Node
cefsharp.common.netcoreRange<116.0.230
OR
cefsharp.commonRange<116.0.230

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.609

Percentile

97.8%