WebKitGTK and WPE WebKit Security Advisory WSA-2020-0007
-
Date Reported: July 29, 2020
-
Advisory ID: WSA-2020-0007
-
CVE identifiers: CVE-2020-9862, CVE-2020-9893, CVE-2020-9894, CVE-2020-9895, CVE-2020-9915, CVE-2020-9925.
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
- CVE-2020-9862
- Versions affected: WebKitGTK before 2.28.4 and WPE WebKit before 2.28.4.
- Credit to Ophir Lojkine (@lovasoa).
- Impact: Copying a URL from Web Inspector may lead to command injection. Description: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.
- CVE-2020-9893
- Versions affected: WebKitGTK before 2.28.4 and WPE WebKit before 2.28.4.
- Credit to 0011 working with Trend Micro Zero Day Initiative.
- Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution. Description: An use-after-free issue was addressed with improved memory management.
- CVE-2020-9894
- Versions affected: WebKitGTK before 2.28.4 and WPE WebKit before 2.28.4.
- Credit to 0011 working with Trend Micro Zero Day Initiative.
- Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution. Description: An out-of-bounds read was addressed with improved input validation.
- CVE-2020-9895
- Versions affected: WebKitGTK before 2.28.4 and WPE WebKit before 2.28.4.
- Credit to Wen Xu of SSLab, Georgia Tech.
- Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution. Description: An use-after-free issue was addressed with improved memory management.
- CVE-2020-9915
- Versions affected: WebKitGTK before 2.28.4 and WPE WebKit before 2.28.4.
- Credit to Ayoub AIT ELMOKHTAR of Noon.
- Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Description: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.
- CVE-2020-9925
- Versions affected: WebKitGTK before 2.28.4 and WPE WebKit before 2.28.4.
- Credit to an anonymous researcher.
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.
Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.