WebKitGTK and WPE WebKit Security Advisory WSA-2020-0002
-
Date Reported: February 14, 2020
-
Advisory ID: WSA-2020-0002
-
CVE identifiers: CVE-2020-3862, CVE-2020-3864, CVE-2020-3865, CVE-2020-3867, CVE-2020-3868.
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
- CVE-2020-3862
- Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4.
- Credit to Srikanth Gatta of Google Chrome.
- Impact: A malicious website may be able to cause a denial of service. Description: A denial of service issue was addressed with improved memory handling.
- CVE-2020-3864
- Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4.
- Credit to Ryan Pickren (ryanpickren.com).
- Impact: A DOM object context may not have had a unique security origin. Description: A logic issue was addressed with improved validation.
- CVE-2020-3865
- Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4.
- Credit to Ryan Pickren (ryanpickren.com).
- Impact: A top-level DOM object context may have incorrectly been considered secure. Description: A logic issue was addressed with improved validation.
- CVE-2020-3867
- Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4.
- Credit to an anonymous researcher.
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
- CVE-2020-3868
- Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4.
- Credit to Marcin Towalski of Cisco Talos.
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.
Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.