GoogleOSV:GHSA-F9PM-4G9P-6VM3

HistoryOct 06, 2023 - 4:59 p.m.

Bundled libwebp in pywebp vulnerable

Vulners
Osv
Bundled libwebp in pywebp vulnerable

2023-10-0616:59:22

Google

osv.dev

pywebp

libwebp

vulnerability

patched

heap buffer overflow

remote attacker

memory write

upgrade.

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.609 Medium

EPSS

Percentile

97.8%

JSON

Impact

pywebp versions before v0.3.0 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. The vulnerability was a heap buffer overflow which allowed a remote attacker to perform an out of bounds memory write.

Patches

The problem has been patched upstream in libwebp 1.3.2.
pywebp was updated to bundle a patched version of libwebp in v0.3.0.

Workarounds

No known workarounds without upgrading.

References

https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863/
https://nvd.nist.gov/vuln/detail/CVE-2023-4863

CPENameOperatorVersion
webpeq0.1.0a13
webpeq0.1.0a16
webpeq0.1.0a9
webpeq0.1.1
webpeq0.1.0a10
webpeq0.1.0a6
webpeq0.1.0a14
webpeq0.1.3
webpeq0.1.0a5
webpeq0.1.0a7

Name	Operator	Version
webp	eq	0.1.0a13
webp	eq	0.1.0a16
webp	eq	0.1.0a9
webp	eq	0.1.1
webp	eq	0.1.0a10
webp	eq	0.1.0a6
webp	eq	0.1.0a14
webp	eq	0.1.3
webp	eq	0.1.0a5
webp	eq	0.1.0a7

Rows per page:

1-10 of 221

References

github.com/anibali/pywebp

github.com/anibali/pywebp/commit/1f938731a158a6584977cec2cce21b21c15f6c4b

github.com/anibali/pywebp/security/advisories/GHSA-f9pm-4g9p-6vm3

debian 6

openvas 43

nessus 69

alpinelinux 1

hivepro 1

github 4

debiancve 1

osv 16

almalinux 3

cloudfoundry 2

ibm 2

amazon 4

wolfi 1

prion 1

paloalto 1

kaspersky 3

mageia 1

cgr 1

oraclelinux 6

githubexploit 5

hp 1

cvelist 1

nvd 1

cve 1

slackware 3

fedora 4

attackerkb 1

freebsd 2

chrome 1

thn 1

ubuntu 2

veracode 2

rocky 1

cnvd 1

ubuntucve 1

mscve 1

redhatcve 1

gitlab 1

redhat 1

ics 1

debian

[SECURITY] [DLA 3569-1] thunderbird security update

2023-09-17 09:42:33

[SECURITY] [DSA 5497-1] libwebp security update

2023-09-13 21:07:56

[SECURITY] [DLA 3570-1] libwebp security update

2023-09-18 12:07:01

openvas

Huawei EulerOS: Security Advisory for libwebp (EulerOS-SA-2024-1429)

2024-03-21 00:00:00

openSUSE: Security Advisory for chromium (openSUSE-SU-2023:0246-1)

2024-03-04 00:00:00

Fedora: Security Advisory for libwebp (FEDORA-2023-3388038193)

2023-09-17 00:00:00

nessus

Microsoft Edge (Chromium) < 109.0.1518.140 Heap Buffer Overflow Vulnerability

2024-05-08 00:00:00

Google Chrome < 116.0.5845.187 Vulnerability

2023-09-11 00:00:00

Mozilla Thunderbird < 102.15.1

2023-09-13 00:00:00

alpinelinux

CVE-2023-4863

2023-09-12 15:15:24

hivepro

Google Addresses Fourth Zero-Day Flaw Exploited by Attackers Wildly

2023-09-12 13:05:09

github

libwebp: OOB write in BuildHuffmanTable

2023-09-12 15:30:20

Vulnerable version of libwebp and can be exploited with a malicious source image

2023-10-06 20:46:33

Imageflow affected by libwebp zero-day and should not be used with malicious source images.

2023-09-27 21:16:16

debiancve

CVE-2023-4863

2023-09-12 15:15:24

osv

thunderbird - security update

2023-09-17 00:00:00

PYSEC-2023-184

2023-09-29 21:31:48

Important: libwebp security update

2023-09-26 13:26:19

almalinux

Important: thunderbird security update

2023-09-19 00:00:00

Important: firefox security update

2023-09-18 00:00:00

Important: libwebp security update

2023-09-20 00:00:00

cloudfoundry

USN-6369-1: libwebp vulnerability | Cloud Foundry

2023-10-12 00:00:00

| Cloud Foundry

2023-10-05 00:00:00

ibm

Security Bulletin: IBM App Connect Enterprise is vulnerable to a heap-based buffer overflow due to electron

2023-10-20 09:35:15

Security Bulletin: IBM Cognos Analytics Cartridge for IBM Cloud Pak for Data 4.8.0 has addressed a security vulnerability (CVE-2023-4863)

2023-11-29 22:25:21

amazon

Important: qt5-qtimageformats

2023-11-09 19:19:00

Important: thunderbird

2023-10-12 15:08:00

Important: libwebp12

2023-10-12 15:08:00

wolfi

CVE-2023-4863 vulnerabilities

2024-06-29 09:08:33

prion

Heap overflow

2023-09-12 15:15:00

paloalto

Impact of libwebp Vulnerability CVE-2023-4863

2023-10-02 23:40:00

kaspersky

KLA61312 DoS vulnerability in Opera

2023-09-13 00:00:00

KLA60569 DoS vulnerablity in Microsoft Browser

2023-09-12 00:00:00

KLA60003 DoS vulnerability in Google Chrome

2023-09-11 00:00:00

mageia

Updated libwebp packages fix a security vulnerability

2023-10-03 13:53:29

cgr

CVE-2023-4863 vulnerabilities

2024-05-19 03:07:16

oraclelinux

thunderbird security update

2023-09-19 00:00:00

firefox security update

2023-09-19 00:00:00

libwebp security update

2023-09-20 00:00:00

githubexploit

Exploit for Out-of-bounds Write in Google Chrome

2023-09-21 05:22:51

Exploit for Out-of-bounds Write in Google Chrome

2023-11-11 06:51:03

Exploit for Out-of-bounds Write in Google Chrome

2023-09-25 10:33:09

Certain HP Enterprise LaserJet, HP LaserJet Managed Printers – Potential Buffer Overflow

2024-02-20 00:00:00

cvelist

CVE-2023-4863

2023-09-12 14:24:59

nvd

CVE-2023-4863

2023-09-12 15:15:24

cve

CVE-2023-4863

2023-09-12 15:15:24

slackware

[slackware-security] mozilla-thunderbird

2023-09-14 02:32:34

[slackware-security] seamonkey

2023-09-21 19:43:16

[slackware-security] libwebp

2023-09-14 21:21:47

fedora

[SECURITY] Fedora 39 Update: libwebp-1.3.1-3.fc39

2023-09-15 19:54:26

[SECURITY] Fedora 37 Update: libwebp-1.3.1-3.fc37

2023-09-16 01:41:44

[SECURITY] Fedora 39 Update: firefox-117.0.1-2.fc39

2023-09-17 00:15:26

attackerkb

CVE-2023-4863

2023-09-12 00:00:00

freebsd

graphics/webp heap buffer overflow

2023-09-12 00:00:00

libwebp heap buffer overflow

2023-09-12 00:00:00

chrome

Stable Channel Update for Desktop

2023-09-11 00:00:00

thn

Mozilla Rushes to Patch WebP Critical Zero-Day Exploit in Firefox and Thunderbird

2023-09-13 01:50:00

ubuntu

Firefox vulnerability

2023-09-14 00:00:00

libwebp vulnerability

2023-09-28 00:00:00

veracode

Heap Buffer Overflow

2023-09-15 13:45:13

Heap Buffer Overflow

2023-09-19 21:25:54

rocky

firefox security update

2023-09-19 12:09:00

cnvd

Google Chrome Buffer Overflow Vulnerability (CNVD-2023-71680)

2023-09-15 00:00:00

ubuntucve

CVE-2023-4863

2023-09-12 00:00:00

mscve

Chromium: CVE-2023-4863 Heap buffer overflow in WebP

2023-09-12 07:00:47

redhatcve

CVE-2023-4863

2023-09-14 14:24:56

gitlab

CefSharp affected by heap buffer overflow in WebP

2023-09-21 00:00:00

redhat

(RHSA-2023:5222) Important: libwebp security update

2023-09-19 07:11:07

ics

Siemens Mendix Studio Pro

2023-11-16 12:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.609 Medium

EPSS

Percentile

97.8%

JSON

Related for OSV:GHSA-F9PM-4G9P-6VM3