8.8

CVE-2023-4863

Warnung

Exploit

EPSS 93.95%
Veröffentlicht 12.09.2023 15:15:24
Zuletzt bearbeitet 13.03.2025 16:17:15
Quelle chrome-cve-admin@google.com
Teams Watchlist Login
Unerledigt Login

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 49

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Google ≫ Chrome Version < 116.0.5845.187

Fedoraproject ≫ Fedora Version37

Fedoraproject ≫ Fedora Version38

Fedoraproject ≫ Fedora Version39

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Debian ≫ Debian Linux Version12.0

Mozilla ≫ Firefox SwEditionesr Version < 102.15.1

Mozilla ≫ Firefox SwEdition- Version < 117.0.1

Mozilla ≫ Firefox SwEditionesr Version >= 115.1.0 < 115.2.1

Mozilla ≫ Thunderbird Version < 102.15.1

Mozilla ≫ Thunderbird Version >= 115.0 < 115.2.2

Microsoft ≫ Edge Chromium Version < 116.0.1938.81

Microsoft ≫ Teams SwPlatformmacos Version < 1.6.00.26463

Microsoft ≫ Teams SwEditiondesktop Version < 1.6.00.26474

Microsoft ≫ Webp Image Extension Version < 1.0.62681.0

Webmproject ≫ Libwebp Version < 1.3.2

Netapp ≫ Active Iq Unified Manager Version- SwPlatformvmware_vsphere

Bentley ≫ Seequent Leapfrog Version < 2023.2

Bandisoft ≫ Honeyview Version < 5.51

13.09.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Google Chromium WebP Heap-Based Buffer Overflow Vulnerability

Schwachstelle

Google Chromium WebP contains a heap-based buffer overflow vulnerability that allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. This vulnerability can affect applications that use the WebP Codec.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	93.95%	0.999

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

http://www.openwall.com/lists/oss-security/2023/09/28/2

Mailing List

http://www.openwall.com/lists/oss-security/2023/09/28/4

Mailing List

https://security.gentoo.org/glsa/202401-10

Third Party Advisory

https://security.gentoo.org/glsa/202309-05

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/

Mailing List

http://www.openwall.com/lists/oss-security/2023/09/21/4

Mailing List

http://www.openwall.com/lists/oss-security/2023/09/22/1

Mailing List

http://www.openwall.com/lists/oss-security/2023/09/22/3

Mailing List

http://www.openwall.com/lists/oss-security/2023/09/22/4

Mailing List

http://www.openwall.com/lists/oss-security/2023/09/22/5

Mailing List

http://www.openwall.com/lists/oss-security/2023/09/22/6

Mailing List

http://www.openwall.com/lists/oss-security/2023/09/22/7

Mailing List

http://www.openwall.com/lists/oss-security/2023/09/22/8

Mailing List

http://www.openwall.com/lists/oss-security/2023/09/26/1

Mailing List

http://www.openwall.com/lists/oss-security/2023/09/26/7

Mailing List

http://www.openwall.com/lists/oss-security/2023/09/28/1

Mailing List

https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/

Third Party Advisory

https://blog.isosceles.com/the-webp-0day/

Third Party Advisory

Exploit

https://bugzilla.suse.com/show_bug.cgi?id=1215231

Third Party Advisory

Issue Tracking

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html

Vendor Advisory

https://crbug.com/1479274

Vendor Advisory

Issue Tracking

https://en.bandisoft.com/honeyview/history/

Release Notes

https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a

Patch

https://github.com/webmproject/libwebp/releases/tag/v1.3.2

Release Notes

https://lists.debian.org/debian-lts-announce/2023/09/msg00015.html

Third Party Advisory

Mailing List

https://lists.debian.org/debian-lts-announce/2023/09/msg00016.html

Third Party Advisory

Mailing List

https://lists.debian.org/debian-lts-announce/2023/09/msg00017.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYYKLG6CRGEDTNRBSU26EEWAO6D6U645/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/

Mailing List

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863

Patch

Third Party Advisory

https://news.ycombinator.com/item?id=37478403

Third Party Advisory

Exploit

https://security-tracker.debian.org/tracker/CVE-2023-4863

Third Party Advisory

Issue Tracking

https://security.netapp.com/advisory/ntap-20230929-0011/

Third Party Advisory

https://sethmlarson.dev/security-developer-in-residence-weekly-report-16

Exploit

https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/

Third Party Advisory

Exploit

https://www.bentley.com/advisories/be-2023-0001/

Third Party Advisory

https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks/

Third Party Advisory

https://www.debian.org/security/2023/dsa-5496

Mailing List

https://www.debian.org/security/2023/dsa-5497

Mailing List

https://www.debian.org/security/2023/dsa-5498

Third Party Advisory

Mailing List

https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/

Third Party Advisory

https://www.vicarius.io/vsociety/posts/zero-day-webp-vulnerability-cve-2023-4863

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-4863

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-4863

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-4863

EUVD