SUSE update for webkit2gtk3
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 43 |
| CVE-ID | CVE-2019-8766 CVE-2019-8782 CVE-2019-8808 CVE-2019-8815 CVE-2020-13753 CVE-2020-27918 CVE-2020-29623 CVE-2020-3902 CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 CVE-2020-9947 CVE-2020-9948 CVE-2020-9951 CVE-2020-9952 CVE-2021-1765 CVE-2021-1788 CVE-2021-1817 CVE-2021-1820 CVE-2021-1825 CVE-2021-1826 CVE-2021-1844 CVE-2021-1871 CVE-2021-30661 CVE-2021-30666 CVE-2021-30682 CVE-2021-30761 CVE-2021-30762 CVE-2021-30809 CVE-2021-30818 CVE-2021-30823 CVE-2021-30836 CVE-2021-30846 CVE-2021-30848 CVE-2021-30849 CVE-2021-30851 CVE-2021-30858 CVE-2021-30884 CVE-2021-30887 CVE-2021-30888 CVE-2021-30889 CVE-2021-30890 CVE-2021-30897 |
| CWE-ID | CWE-119 CWE-20 CWE-416 CWE-459 CWE-79 CWE-843 CWE-264 CWE-665 CWE-840 CWE-200 CWE-300 CWE-125 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #9 is available. Vulnerability #23 is being exploited in the wild. Vulnerability #24 is being exploited in the wild. Vulnerability #25 is being exploited in the wild. Public exploit code for vulnerability #26 is available. Vulnerability #27 is being exploited in the wild. Vulnerability #28 is being exploited in the wild. Vulnerability #37 is being exploited in the wild. |
| Vulnerable software Subscribe |
SUSE Enterprise Storage Operating systems & Components / Operating system SUSE Manager Server Operating systems & Components / Operating system SUSE Manager Retail Branch Server Operating systems & Components / Operating system SUSE Manager Proxy Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Operating systems & Components / Operating system SUSE Linux Enterprise Server Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing Operating systems & Components / Operating system SUSE Linux Enterprise Module for Desktop Applications Operating systems & Components / Operating system SUSE Linux Enterprise Module for Basesystem Operating systems & Components / Operating system libwebkit2gtk3-lang Operating systems & Components / Operating system package or component webkit2gtk3-devel Operating systems & Components / Operating system package or component webkit2gtk3-debugsource Operating systems & Components / Operating system package or component webkit2gtk-4_0-injected-bundles-debuginfo Operating systems & Components / Operating system package or component webkit2gtk-4_0-injected-bundles Operating systems & Components / Operating system package or component typelib-1_0-WebKit2WebExtension-4_0 Operating systems & Components / Operating system package or component typelib-1_0-WebKit2-4_0 Operating systems & Components / Operating system package or component typelib-1_0-JavaScriptCore-4_0 Operating systems & Components / Operating system package or component libwebkit2gtk-4_0-37-debuginfo Operating systems & Components / Operating system package or component libwebkit2gtk-4_0-37 Operating systems & Components / Operating system package or component libjavascriptcoregtk-4_0-18-debuginfo Operating systems & Components / Operating system package or component libjavascriptcoregtk-4_0-18 Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 43 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU23156
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-8766
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Buffer overflow
EUVDB-ID: #VU23157
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-8782
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU23159
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-8808
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU23164
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-8815
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU32874
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-13753
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal's input buffer, similar to CVE-2017-5226.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use-after-free
EUVDB-ID: #VU48190
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-27918
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing web content within WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Incomplete cleanup
EUVDB-ID: #VU51625
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-29623
CWE-ID:
CWE-459 - Incomplete cleanup
Exploit availability: No
DescriptionThe vulnerability allows an attacker to gain access to sensitive information.
The vulnerability exists due to software fails to to fully delete browsing history under certain circumstances via the “Clear History and Website Data” option. An attacker with access to the system can obtain browsing data after cleanup.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Cross-site scripting
EUVDB-ID: #VU26431
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-3902
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Input validation error
EUVDB-ID: #VU32958
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-9802
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code on the target system.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
10) Memory corruption
EUVDB-ID: #VU32959
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9803
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Universal cross-site scripting
EUVDB-ID: #VU32960
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9805
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Use-after-free
EUVDB-ID: #VU51626
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9947
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing web content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Type Confusion
EUVDB-ID: #VU46801
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9948
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in WebKit component in Apple Safari. A remote attacker can trick the victim to visit a specially crafted web page, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Use-after-free
EUVDB-ID: #VU46802
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9951
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the aboutBlankURL() function in WebKit component in Apple Safari. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Cross-site scripting
EUVDB-ID: #VU46803
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9952
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in WebKit component in Apple Safari. A remote attacker can trick the victim to open a specially crafted link and execute arbitrary HTML and script code in user's browser in context of a website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Security restrictions bypass
EUVDB-ID: #VU50232
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1765
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly impose sanboxing policy in WebKit. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass implemented security restrictions.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Use-after-free
EUVDB-ID: #VU50231
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1788
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Buffer overflow
EUVDB-ID: #VU52674
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1817
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing web content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Improper Initialization
EUVDB-ID: #VU52673
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1820
CWE-ID:
CWE-665 - Improper Initialization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper memory initialization in WebKit. A remote attacker can create a specially crafted web page, trick the victim into visiting it and disclose contents of process memory.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Universal cross-site scripting
EUVDB-ID: #VU52643
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1825
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Universal cross-site scripting
EUVDB-ID: #VU52672
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1826
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within WebKit. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Buffer overflow
EUVDB-ID: #VU51268
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1844
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing web content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Business Logic Errors
EUVDB-ID: #VU50044
Risk: Critical
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2021-1871
CWE-ID:
CWE-840 - Business Logic Errors (3.0)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to a logic issue in the WebKit component. A remote attacker can trick a victim to visit a malicious website and execute arbitrary code on the system.
Note: The vulnerability is being actively exploited in the wild.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
24) Use-after-free
EUVDB-ID: #VU52652
Risk: Critical
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2021-30661
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing web content within the WebKit Storage component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
25) Buffer overflow
EUVDB-ID: #VU52816
Risk: Critical
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2021-30666
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
26) Information disclosure
EUVDB-ID: #VU53498
Risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2021-30682
CWE-ID:
CWE-200 - Information exposure
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in webKit. A remote attacker can gain unauthorized access to sensitive user information.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
27) Buffer overflow
EUVDB-ID: #VU54102
Risk: Critical
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2021-30761
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within the WebKit component in Apple iOS. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
28) Use-after-free
EUVDB-ID: #VU54103
Risk: Critical
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2021-30762
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within the WebKit component in Apple iOS. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
29) Use-after-free
EUVDB-ID: #VU58701
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30809
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
30) Type Confusion
EUVDB-ID: #VU58697
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30818
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in WebKit. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
31) Man-in-the-Middle (MitM) attack
EUVDB-ID: #VU57739
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30823
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists in WebKit. A remote attacker can bypass HSTS and perform MitM attack.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
32) Out-of-bounds read
EUVDB-ID: #VU58699
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30836
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
33) Memory corruption
EUVDB-ID: #VU56730
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30846
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
34) Memory corruption
EUVDB-ID: #VU56731
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30848
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
35) Memory corruption
EUVDB-ID: #VU56732
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30849
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
36) Memory corruption
EUVDB-ID: #VU56733
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30851
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
37) Use-after-free
EUVDB-ID: #VU56475
Risk: Critical
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2021-30858
CWE-ID:
CWE-416 - Use After Free
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in-the-wild.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
38) Information disclosure
EUVDB-ID: #VU58696
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30884
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists in the WebKit component when processing CSS files. A remote attacker can trick the victim to open a specially crafted website and obtain user's browsing history.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
39) Security restrictions bypass
EUVDB-ID: #VU57740
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30887
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due an error within the WebKit component. A remote attacker can trick the victim to open a specially crafted website and bypass Content Security Policy restrictions.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
40) Information disclosure
EUVDB-ID: #VU57741
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30888
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists in WebKit. A malicious website using Content Security Policy reports may be able to leak information via redirect behavior.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
41) Buffer overflow
EUVDB-ID: #VU57742
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30889
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
42) Universal Cross-site scripting
EUVDB-ID: #VU57744
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30890
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in WebKLit. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
43) Information disclosure
EUVDB-ID: #VU58677
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30897
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists in the WebKit specification for the resource timing API. A remote attacker can exfiltrate cross-origin data, if the victim visits a specially crafted website.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP2-LTSS
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
libwebkit2gtk3-lang: before 2.34.3-23.3
webkit2gtk3-devel: before 2.34.3-23.3
webkit2gtk3-debugsource: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.3-23.3
webkit2gtk-4_0-injected-bundles: before 2.34.3-23.3
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.3-23.3
typelib-1_0-WebKit2-4_0: before 2.34.3-23.3
typelib-1_0-JavaScriptCore-4_0: before 2.34.3-23.3
libwebkit2gtk-4_0-37-debuginfo: before 2.34.3-23.3
libwebkit2gtk-4_0-37: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.3-23.3
libjavascriptcoregtk-4_0-18: before 2.34.3-23.3
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220182-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
