Lucene search
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-5580.NASLHistoryDec 19, 2023 - 12:00 a.m.
Debian DSA-5580-1 : webkit2gtk - security update
2023-12-1900:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
15
debian
dsa-5580-1
webkit2gtk
memory handling
vulnerability
safari
macos sonoma
ios
ipados
watchos
tvos
denial-of-service
cve-2023-42883
nessus
scanner
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
5.7 Medium
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
27.0%
The remote Debian 11 / 12 host has packages installed that are affected by a vulnerability as referenced in the dsa-5580 advisory.
- The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma 14.2, iOS 17.2 and iPadOS 17.2, watchOS 10.2, tvOS 17.2, iOS 16.7.3 and iPadOS 16.7.3. Processing an image may lead to a denial-of-service. (CVE-2023-42883)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5580. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(187110);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/24");
script_cve_id("CVE-2023-42883");
script_name(english:"Debian DSA-5580-1 : webkit2gtk - security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security-related update.");
script_set_attribute(attribute:"description", value:
"The remote Debian 11 / 12 host has packages installed that are affected by a vulnerability as referenced in the dsa-5580
advisory.
- The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma
14.2, iOS 17.2 and iPadOS 17.2, watchOS 10.2, tvOS 17.2, iOS 16.7.3 and iPadOS 16.7.3. Processing an image
may lead to a denial-of-service. (CVE-2023-42883)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bookworm/webkit2gtk");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/webkit2gtk");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/webkit2gtk");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2023/dsa-5580");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-42883");
script_set_attribute(attribute:"solution", value:
"Upgrade the webkit2gtk packages.
For the stable distribution (bookworm), this problem has been fixed in version 2.42.4-1~deb12u1.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-42883");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/12/12");
script_set_attribute(attribute:"patch_publication_date", value:"2023/12/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/12/19");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:webkit2gtk-driver");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:gir1.2-javascriptcoregtk-4.0");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:gir1.2-javascriptcoregtk-4.1");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:gir1.2-javascriptcoregtk-6.0");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:gir1.2-webkit-6.0");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:gir1.2-webkit2-4.0");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:gir1.2-webkit2-4.1");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjavascriptcoregtk-4.0-18");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjavascriptcoregtk-4.0-bin");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjavascriptcoregtk-4.0-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjavascriptcoregtk-4.1-0");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjavascriptcoregtk-4.1-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjavascriptcoregtk-6.0-1");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjavascriptcoregtk-6.0-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libwebkit2gtk-4.0-37");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libwebkit2gtk-4.0-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libwebkit2gtk-4.0-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libwebkit2gtk-4.1-0");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libwebkit2gtk-4.1-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libwebkitgtk-6.0-4");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libwebkitgtk-6.0-dev");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+|^(12)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0 / 12.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
{'release': '11.0', 'prefix': 'gir1.2-javascriptcoregtk-4.0', 'reference': '2.42.4-1~deb11u1'},
{'release': '11.0', 'prefix': 'gir1.2-webkit2-4.0', 'reference': '2.42.4-1~deb11u1'},
{'release': '11.0', 'prefix': 'libjavascriptcoregtk-4.0-18', 'reference': '2.42.4-1~deb11u1'},
{'release': '11.0', 'prefix': 'libjavascriptcoregtk-4.0-bin', 'reference': '2.42.4-1~deb11u1'},
{'release': '11.0', 'prefix': 'libjavascriptcoregtk-4.0-dev', 'reference': '2.42.4-1~deb11u1'},
{'release': '11.0', 'prefix': 'libwebkit2gtk-4.0-37', 'reference': '2.42.4-1~deb11u1'},
{'release': '11.0', 'prefix': 'libwebkit2gtk-4.0-dev', 'reference': '2.42.4-1~deb11u1'},
{'release': '11.0', 'prefix': 'libwebkit2gtk-4.0-doc', 'reference': '2.42.4-1~deb11u1'},
{'release': '11.0', 'prefix': 'webkit2gtk-driver', 'reference': '2.42.4-1~deb11u1'},
{'release': '12.0', 'prefix': 'gir1.2-javascriptcoregtk-4.0', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'gir1.2-javascriptcoregtk-4.1', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'gir1.2-javascriptcoregtk-6.0', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'gir1.2-webkit-6.0', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'gir1.2-webkit2-4.0', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'gir1.2-webkit2-4.1', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libjavascriptcoregtk-4.0-18', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libjavascriptcoregtk-4.0-bin', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libjavascriptcoregtk-4.0-dev', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libjavascriptcoregtk-4.1-0', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libjavascriptcoregtk-4.1-dev', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libjavascriptcoregtk-6.0-1', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libjavascriptcoregtk-6.0-dev', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libwebkit2gtk-4.0-37', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libwebkit2gtk-4.0-dev', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libwebkit2gtk-4.0-doc', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libwebkit2gtk-4.1-0', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libwebkit2gtk-4.1-dev', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libwebkitgtk-6.0-4', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'libwebkitgtk-6.0-dev', 'reference': '2.42.4-1~deb12u1'},
{'release': '12.0', 'prefix': 'webkit2gtk-driver', 'reference': '2.42.4-1~deb12u1'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var _release = NULL;
var prefix = NULL;
var reference = NULL;
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (_release && prefix && reference) {
if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : deb_report_get()
);
exit(0);
}
else
{
var tested = deb_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'gir1.2-javascriptcoregtk-4.0 / gir1.2-javascriptcoregtk-4.1 / etc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| debian | debian_linux | webkit2gtk-driver | p-cpe:/a:debian:debian_linux:webkit2gtk-driver |
| debian | debian_linux | 11.0 | cpe:/o:debian:debian_linux:11.0 |
| debian | debian_linux | 12.0 | cpe:/o:debian:debian_linux:12.0 |
| debian | debian_linux | gir1.2-javascriptcoregtk-4.0 | p-cpe:/a:debian:debian_linux:gir1.2-javascriptcoregtk-4.0 |
| debian | debian_linux | gir1.2-javascriptcoregtk-4.1 | p-cpe:/a:debian:debian_linux:gir1.2-javascriptcoregtk-4.1 |
| debian | debian_linux | gir1.2-javascriptcoregtk-6.0 | p-cpe:/a:debian:debian_linux:gir1.2-javascriptcoregtk-6.0 |
| debian | debian_linux | libwebkitgtk-6.0-4 | p-cpe:/a:debian:debian_linux:libwebkitgtk-6.0-4 |
| debian | debian_linux | libwebkitgtk-6.0-dev | p-cpe:/a:debian:debian_linux:libwebkitgtk-6.0-dev |
| debian | debian_linux | gir1.2-webkit-6.0 | p-cpe:/a:debian:debian_linux:gir1.2-webkit-6.0 |
| debian | debian_linux | gir1.2-webkit2-4.0 | p-cpe:/a:debian:debian_linux:gir1.2-webkit2-4.0 |
References
Related
openvas
openvas
Ubuntu: Security Advisory (USN-6582-1)
2024-01-16 00:00:00
Debian: Security Advisory (DSA-5580-1)
2023-12-20 00:00:00
Apple Safari Security Update (HT214039)
2023-12-14 00:00:00
cvelist
cvelist
CVE-2023-42883
2023-12-12 00:27:16
cve
cve
CVE-2023-42883
2023-12-12 01:15:11
osv
osv
webkit2gtk - security update
2023-12-18 00:00:00
webkit2gtk vulnerability
2024-01-15 13:52:06
CVE-2023-42883
2023-12-12 01:15:11
nessus
nessus
Ubuntu 22.04 LTS / 23.04 / 23.10 : WebKitGTK vulnerability (USN-6582-1)
2024-01-15 00:00:00
Amazon Linux 2 : webkitgtk4 (ALAS-2024-2425)
2024-01-23 00:00:00
SUSE SLED12 / SLES12 Security Update : webkit2gtk3 (SUSE-SU-2023:4978-1)
2023-12-28 00:00:00
redhatcve
redhatcve
CVE-2023-42883
2023-12-13 11:30:53
ubuntucve
ubuntucve
CVE-2023-42883
2024-01-03 00:00:00
nvd
nvd
CVE-2023-42883
2023-12-12 01:15:11
debian
debian
[SECURITY] [DSA 5580-1] webkit2gtk security update
2023-12-18 21:43:38
prion
prion
Design/Logic Flaw
2023-12-12 01:15:00
debiancve
debiancve
CVE-2023-42883
2023-12-12 01:15:11
ubuntu
ubuntu
WebKitGTK vulnerability
2024-01-15 00:00:00
amazon
amazon
Important: webkitgtk4
2024-01-19 01:51:00
apple
apple
About the security content of Safari 17.2
2023-12-11 00:00:00
About the security content of iOS 16.7.3 and iPadOS 16.7.3
2023-12-11 00:00:00
About the security content of iOS 16.7.3 and iPadOS 16.7.3
2023-12-11 00:00:00
thn
thn
redhat
redhat
(RHSA-2024:2126) Important: webkit2gtk3 security update
2024-04-30 06:14:49
(RHSA-2024:2982) Important: webkit2gtk3 security update
2024-05-22 06:35:16
oraclelinux
oraclelinux
webkit2gtk3 security update
2024-05-02 00:00:00
webkit2gtk3 security update
2024-05-23 00:00:00
almalinux
almalinux
Important: webkit2gtk3 security update
2024-05-22 00:00:00
Important: webkit2gtk3 security update
2024-04-30 00:00:00
rocky
rocky
webkit2gtk3 security update
2024-06-14 13:59:30
mageia
mageia
Updated webkit2 packages fix security vulnerabilities
2024-04-26 09:47:12
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
5.7 Medium
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
27.0%
Related for DEBIAN_DSA-5580.NASL