8.8

CVE-2023-5217

Warnung
Exploit
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WebmprojectLibvpx Version < 1.13.1
MicrosoftEdge Version116.0.1938.98
MicrosoftEdge Version117.0.2045.47
MicrosoftEdge Chromium Version116.0.5845.229
MicrosoftEdge Chromium Version117.0.5938.132
MozillaFirefox SwEditionesr Version < 115.3.1
MozillaFirefox SwEdition- Version < 118.0.1
MozillaFirefox SwPlatformandroid Version < 118.1
MozillaThunderbird Version < 115.3.1
FedoraprojectFedora Version37
FedoraprojectFedora Version38
FedoraprojectFedora Version39
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
DebianDebian Linux Version12.0
AppleiPadOS Version >= 17.0 < 17.0.3
AppleiPadOS Version16.7
AppleiPhone OS Version >= 17.0 < 17.0.3
AppleiPhone OS Version16.7
GoogleChrome Version < 117.0.5938.132
RedhatEnterprise Linux Version9.0

02.10.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Google Chromium libvpx Heap Buffer Overflow Vulnerability

Schwachstelle

Google Chromium libvpx contains a heap buffer overflow vulnerability in vp8 encoding that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could impact web browsers using libvpx, including but not limited to Google Chrome.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 49.01% 0.987
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://security.gentoo.org/glsa/202401-34
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/
Mailing List
https://lists.debian.org/debian-lts-announce/2023/10/msg00015.html
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD/
Mailing List
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MFWDFJSSIFKWKNOCTQCFUNZWAXUCSS4/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWEJYS5NC7KVFYU3OAMPKQDYN6JQGVK6/
Mailing List
https://www.debian.org/security/2023/dsa-5508
Mailing List
http://seclists.org/fulldisclosure/2023/Oct/12
Third Party Advisory
Mailing List
http://seclists.org/fulldisclosure/2023/Oct/16
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/28/5
Patch
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/28/6
Patch
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/29/1
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/29/11
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/29/12
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/29/14
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/29/2
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/29/7
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/29/9
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/30/1
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/30/2
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/30/3
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/30/4
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/30/5
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/10/01/1
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/10/01/2
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/10/01/5
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/10/02/6
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2023/10/03/11
Third Party Advisory
Mailing List
https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2241191
Third Party Advisory
Issue Tracking
https://crbug.com/1486441
Exploit
Issue Tracking
https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
Patch
https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282
Patch
https://github.com/webmproject/libvpx/releases/tag/v1.13.1
Release Notes
https://github.com/webmproject/libvpx/tags
Product
https://lists.debian.org/debian-lts-announce/2023/09/msg00038.html
Mailing List
https://lists.debian.org/debian-lts-announce/2023/10/msg00001.html
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/55YVCZNAVY3Y5E4DWPWMX2SPKZ2E5SOV/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCVSHVX2RFBU3RMCUFSATVQEJUFD4Q63/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB/
Mailing List
https://pastebin.com/TdkC4pDv
Not Applicable
https://security-tracker.debian.org/tracker/CVE-2023-5217
Third Party Advisory
https://security.gentoo.org/glsa/202310-04
Third Party Advisory
https://stackdiary.com/google-discloses-a-webm-vp8-bug-tracked-as-cve-2023-5217/
Third Party Advisory
https://support.apple.com/kb/HT213961
Third Party Advisory
https://support.apple.com/kb/HT213972
Third Party Advisory
https://twitter.com/maddiestone/status/1707163313711497266
Third Party Advisory
https://www.debian.org/security/2023/dsa-5509
Mailing List
https://www.debian.org/security/2023/dsa-5510
Mailing List
https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/
Third Party Advisory
https://www.openwall.com/lists/oss-security/2023/09/28/5
Third Party Advisory
Mailing List
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-5217
US Government Resource