-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
84 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| --- | ||
| layout: post | ||
| title: WebKitGTK and WPE WebKit Security Advisory WSA-2024-0004 | ||
| permalink: /security/WSA-2024-0004.html | ||
| tags: WSA | ||
| --- | ||
|
|
||
| * Date Reported: **August 17, 2024** | ||
|
|
||
| * Advisory ID: **WSA-2024-0004** | ||
|
|
||
| * CVE identifiers: [CVE-2024-40776](#CVE-2024-40776), [CVE-2024-40779](#CVE-2024-40779), [CVE-2024-40780](#CVE-2024-40780), [CVE-2024-40782](#CVE-2024-40782), [CVE-2024-40785](#CVE-2024-40785), [CVE-2024-40789](#CVE-2024-40789), [CVE-2024-40794](#CVE-2024-40794), [CVE-2024-4558](#CVE-2024-4558) | ||
|
|
||
|
|
||
| Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. | ||
|
|
||
| * <a name='CVE-2024-40776' href='https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40776'>CVE-2024-40776</a> | ||
| * Versions affected: WebKitGTK and WPE WebKit before 2.44.3. | ||
| * Credit to Huang Xilin of Ant Group Light-Year Security Lab. | ||
| * Impact: Processing maliciously crafted web content may lead to an unexpected process | ||
| crash. Description: A use-after-free issue was addressed with improved memory | ||
| management. | ||
| * WebKit Bugzilla: 273176 | ||
|
|
||
| * <a name='CVE-2024-40779' href='https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40779'>CVE-2024-40779</a> | ||
| * Versions affected: WebKitGTK and WPE WebKit before 2.44.3. | ||
| * Credit to Huang Xilin of Ant Group Light-Year Security Lab. | ||
| * Impact: Processing maliciously crafted web content may lead to an unexpected process | ||
| crash. Description: An out-of-bounds read was addressed with improved bounds checking. | ||
| * WebKit Bugzilla: 275431 | ||
|
|
||
| * <a name='CVE-2024-40780' href='https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40780'>CVE-2024-40780</a> | ||
| * Versions affected: WebKitGTK and WPE WebKit before 2.44.3. | ||
| * Credit to Huang Xilin of Ant Group Light-Year Security Lab. | ||
| * Impact: Processing maliciously crafted web content may lead to an unexpected process | ||
| crash. Description: An out-of-bounds read was addressed with improved bounds checking. | ||
| * WebKit Bugzilla: 275273 | ||
|
|
||
| * <a name='CVE-2024-40782' href='https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40782'>CVE-2024-40782</a> | ||
| * Versions affected: WebKitGTK and WPE WebKit before 2.44.3. | ||
| * Credit to Maksymilian Motyl. | ||
| * Impact: Processing maliciously crafted web content may lead to an unexpected process | ||
| crash. Description: A use-after-free issue was addressed with improved memory | ||
| management. | ||
| * WebKit Bugzilla: 268770 | ||
|
|
||
| * <a name='CVE-2024-40785' href='https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40785'>CVE-2024-40785</a> | ||
| * Versions affected: WebKitGTK and WPE WebKit before 2.44.3. | ||
| * Credit to Johan Carlsson (joaxcar). | ||
| * Impact: Processing maliciously crafted web content may lead to a cross site scripting | ||
| attack. Description: This issue was addressed with improved checks. | ||
| * WebKit Bugzilla: 273805 | ||
|
|
||
| * <a name='CVE-2024-40789' href='https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40789'>CVE-2024-40789</a> | ||
| * Versions affected: WebKitGTK and WPE WebKit before 2.44.3. | ||
| * Credit to Seunghyun Lee (@0x10n) of KAIST Hacking Lab working with Trend Micro Zero Day | ||
| Initiative. | ||
| * Impact: Processing maliciously crafted web content may lead to an unexpected process | ||
| crash. Description: An out-of-bounds access issue was addressed with improved bounds | ||
| checking. | ||
|
|
||
|
|
||
| * <a name='CVE-2024-40794' href='https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40794'>CVE-2024-40794</a> | ||
| * Versions affected: WebKitGTK and WPE WebKit before 2.44.3. | ||
| * Credit to Matthew Butler. | ||
| * Impact: Private Browsing tabs may be accessed without authentication. Description: | ||
| This issue was addressed through improved state management. | ||
| * WebKit Bugzilla: 275272 | ||
|
|
||
| * <a name='CVE-2024-4558' href='https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4558'>CVE-2024-4558</a> | ||
| * Versions affected: WebKitGTK and WPE WebKit before 2.44.3. | ||
| * Credit to an anonymous researcher. | ||
| * Impact: Processing maliciously crafted web content may lead to an unexpected process | ||
| crash. Description: Use after free in ANGLE allowed a remote attacker to potentially | ||
| exploit heap corruption via a crafted HTML page. | ||
| * WebKit Bugzilla: 274165 | ||
|
|
||
| We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the | ||
| best way to ensure that you are running safe versions of WebKit. Please check our websites | ||
| for information about the latest stable releases. | ||
|
|
||
| Further information about WebKitGTK and WPE WebKit security advisories can be found at: | ||
| [webkitgtk.org/security.html](https://webkitgtk.org/security.html) or | ||
| [wpewebkit.org/security](https://wpewebkit.org/security). |