Lucene search

K
redhatRedHatRHSA-2023:7055
HistoryNov 14, 2023 - 8:44 a.m.

(RHSA-2023:7055) Important: webkit2gtk3 security and bug fix update

2023-11-1408:44:13
CWE-96
access.redhat.com
38
webkitgtk
web rendering engine
gtk platform
arbitrary code execution
same origin policy bypass
memory corruption issue
sensitive user information
use after free vulnerability
content security policy blacklist failure
disclose sensitive information
javascript execution
red hat enterprise linux 8.9

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.2

Confidence

High

EPSS

0.005

Percentile

77.8%

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

  • webkitgtk: arbitrary code execution (CVE-2023-32393)

  • webkitgtk: bypass Same Origin Policy (CVE-2023-38572)

  • webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-38592)

  • webkitgtk: arbitrary code execution (CVE-2023-38594)

  • webkitgtk: arbitrary code execution (CVE-2023-38595)

  • webkitgtk: arbitrary code execution (CVE-2023-38597)

  • webkitgtk: arbitrary code execution (CVE-2023-38600)

  • webkitgtk: arbitrary code execution (CVE-2023-38611)

  • webkitgtk: Memory corruption issue when processing web content (CVE-2022-32885)

  • webkitgtk: Same Origin Policy bypass via crafted web content (CVE-2023-27932)

  • webkitgtk: Website may be able to track sensitive user information (CVE-2023-27954)

  • webkitgtk: use after free vulnerability (CVE-2023-28198)

  • webkitgtk: content security policy blacklist failure (CVE-2023-32370)

  • webkitgtk: disclose sensitive information (CVE-2023-38133)

  • webkitgtk: track sensitive user information (CVE-2023-38599)

  • webkitgtk: processing web content may lead to arbitrary code execution (CVE-2023-39434)

  • webkitgtk: arbitrary javascript code execution (CVE-2023-40397)

  • webkitgtk: attacker with JavaScript execution may be able to execute arbitrary code (CVE-2023-40451)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.9 Release Notes linked from the References section.

Affected configurations

Vulners
Node
redhatwebkit2gtk3Range2.40.5-1.el8
OR
redhatwebkit2gtk3Range2.40.5-1.el9
OR
redhatwebkit2gtk3Range2.38.5-1.el8_8.5
OR
redhatwebkit2gtk3-0Range2.46.3-1.el8_2
OR
redhatwebkit2gtk3-0Range2.46.3-1.el8_4
OR
redhatwebkit2gtk3-0Range2.46.3-1.el8_6
OR
redhatwebkit2gtk3-0Range2.46.3-1.el8_8
OR
redhatwebkit2gtk3Range2.38.5-1.el9_2.3
OR
redhatwebkit2gtk3-0Range2.46.1-1.el9_0
OR
redhatwebkit2gtk3-0Range2.46.1-1.el9_2
AND
redhatenterprise_linuxMatch8
OR
redhatenterprise_linuxMatch9
VendorProductVersionCPE
redhatwebkit2gtk3*cpe:2.3:a:redhat:webkit2gtk3:*:*:*:*:*:*:*:*
redhatwebkit2gtk3-0*cpe:2.3:a:redhat:webkit2gtk3-0:*:*:*:*:*:*:*:*
redhatenterprise_linux8cpe:2.3:o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
redhatenterprise_linux9cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.2

Confidence

High

EPSS

0.005

Percentile

77.8%