WebKitGTK and WPE WebKit Security Advisory WSA-2024-0002
-
Date Reported: March 26, 2024
-
Advisory ID: WSA-2024-0002
-
CVE identifiers: CVE-2024-23252, CVE-2024-23254, CVE-2024-23263, CVE-2024-23280, CVE-2024-23284, CVE-2023-42950, CVE-2023-42956, CVE-2023-42843.
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
- CVE-2024-23252
- Versions affected: WebKitGTK and WPE WebKit before 2.44.0.
- Credit to anbu1024 of SecANT.
- Impact: Processing web content may lead to a denial-of-service. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 263758
- CVE-2024-23254
- Versions affected: WebKitGTK and WPE WebKit before 2.44.0.
- Credit to James Lee (@Windowsrcer).
- Impact: A malicious website may exfiltrate audio data cross-origin. Description: The issue was addressed with improved UI handling.
- WebKit Bugzilla: 263795
- CVE-2024-23263
- Versions affected: WebKitGTK and WPE WebKit before 2.44.0.
- Credit to Johan Carlsson (joaxcar).
- Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Description: A logic issue was addressed with improved validation.
- WebKit Bugzilla: 264811
- CVE-2024-23280
- Versions affected: WebKitGTK and WPE WebKit before 2.44.0.
- Credit to An anonymous researcher.
- Impact: A maliciously crafted webpage may be able to fingerprint the user. Description: An injection issue was addressed with improved validation.
- WebKit Bugzilla: 266703
- CVE-2024-23284
- Versions affected: WebKitGTK and WPE WebKit before 2.44.0.
- Credit to Georg Felber and Marco Squarcina.
- Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Description: A logic issue was addressed with improved state management.
- WebKit Bugzilla: 267241
- CVE-2023-42950
- Versions affected: WebKitGTK and WPE WebKit before 2.44.0.
- Credit to Nan Wang (@eternalsakura13) of 360 Vulnerability Research Institute and rushikesh nandedkar.
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
- WebKit Bugzilla: 263682
- CVE-2023-42956
- Versions affected: WebKitGTK and WPE WebKit before 2.44.0.
- Credit to SungKwon Lee (Demon.Team).
- Impact: Processing web content may lead to a denial-of-service. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 263989
- CVE-2023-42843
- Versions affected: WebKitGTK and WPE WebKit before 2.44.0.
- Credit to Kacper Kwapisz (@KKKas_).
- Impact: Visiting a malicious website may lead to address bar spoofing. Description: An inconsistent user interface issue was addressed with improved state management.
- WebKit Bugzilla: 260046
We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.
Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.