| Summary: |
VUL-0: CVE-2023-38597: webkitgtk: processing web content may lead to arbitrary code execution |
| Product: |
[Novell Products] SUSE Security Incidents
|
Reporter: |
Stoyan Manolov <stoyan.manolov> |
| Component: |
Incidents | Assignee: |
Dirk Mueller <dmueller> |
| Status: |
RESOLVED
INVALID
|
QA Contact: |
Security Team bot <security-team> |
| Severity: |
Major
|
|
|
| Priority: |
P3 - Medium
|
CC: |
brahmajit.das, dmueller, security-team, stoyan.manolov
|
| Version: |
unspecified | |
|
| Target Milestone: |
--- | |
|
| Hardware: |
Other | |
|
| OS: |
Other | |
|
| URL: |
https://smash.suse.de/issue/373537/
|
| Whiteboard: |
CVSSv3.1:SUSE:CVE-2023-38597:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) |
|
Found By:
|
Security Response Team
|
Services Priority:
|
|
|---|
|
Business Priority:
|
|
Blocker:
|
---
|
|---|
|
Marketing QA Status:
|
---
|
IT Deployment:
|
---
|
|---|
CVE-2023-38597 The following vulnerabilities have been discovered in the WebKitGTK web engine: CVE-2023-38133 YeongHyeon Choi discovered that processing web content may disclose sensitive information. CVE-2023-38572 Narendra Bhati discovered that a website may be able to bypass the Same Origin Policy. CVE-2023-38592 Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco Squarcina, and Lorenzo Veronese discovered that processing web content may lead to arbitrary code execution. CVE-2023-38594 Yuhao Hu discovered that processing web content may lead to arbitrary code execution. CVE-2023-38595 An anonymous researcher, Jiming Wang, and Jikai Ren discovered that processing web content may lead to arbitrary code execution. CVE-2023-38597 Junsung Lee discovered that processing web content may lead to arbitrary code execution. CVE-2023-38599 Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel Genkin, and Yuval Yarom discovered that a website may be able to track sensitive user information. CVE-2023-38600 An anonymous researcher discovered that processing web content may lead to arbitrary code execution. CVE-2023-38611 Francisco Alonso discovered that processing web content may lead to arbitrary code execution. For the oldstable distribution (bullseye), these problems have been fixed in version 2.40.5-1~deb11u1. For the stable distribution (bookworm), these problems have been fixed in version 2.40.5-1~deb12u1. We recommend that you upgrade your webkit2gtk packages. For the detailed security status of webkit2gtk please refer to its security tracker page at: \ https://security-tracker.debian.org/tracker/webkit2gtk References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38597 https://bugzilla.redhat.com/show_bug.cgi?id=2231043 https://www.cve.org/CVERecord?id=CVE-2023-38597 https://security-tracker.debian.org/tracker/DSA-5468-1 http://www.openwall.com/lists/oss-security/2023/08/02/1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJ4DG5LHWG2INDOTPB7MO4JVJN6LKL3M/ https://support.apple.com/en-us/HT213841 https://support.apple.com/en-us/HT213842 https://support.apple.com/en-us/HT213843 https://support.apple.com/en-us/HT213847 https://www.debian.org/security/2023/dsa-5468