Gentoo update for WebkitGTK+



Published: 2022-02-01
Risk Critical
Patch available YES
Number of vulnerabilities 50
CVE-ID CVE-2021-1788
CVE-2021-1817
CVE-2021-1820
CVE-2021-1825
CVE-2021-1826
CVE-2021-1844
CVE-2021-1871
CVE-2021-21775
CVE-2021-21779
CVE-2021-21806
CVE-2021-30661
CVE-2021-30663
CVE-2021-30665
CVE-2021-30666
CVE-2021-30682
CVE-2021-30689
CVE-2021-30720
CVE-2021-30734
CVE-2021-30744
CVE-2021-30749
CVE-2021-30758
CVE-2021-30761
CVE-2021-30762
CVE-2021-30795
CVE-2021-30797
CVE-2021-30799
CVE-2021-30809
CVE-2021-30818
CVE-2021-30823
CVE-2021-30836
CVE-2021-30846
CVE-2021-30848
CVE-2021-30849
CVE-2021-30851
CVE-2021-30858
CVE-2021-30884
CVE-2021-30887
CVE-2021-30888
CVE-2021-30889
CVE-2021-30890
CVE-2021-30897
CVE-2021-30934
CVE-2021-30936
CVE-2021-30951
CVE-2021-30952
CVE-2021-30953
CVE-2021-30954
CVE-2021-30984
CVE-2021-42762
CVE-2021-45482
CWE-ID CWE-416
CWE-119
CWE-665
CWE-79
CWE-840
CWE-190
CWE-200
CWE-254
CWE-843
CWE-20
CWE-300
CWE-125
CWE-264
CWE-362
Exploitation vector Network
Public exploit Vulnerability #7 is being exploited in the wild.
Public exploit code for vulnerability #8 is available.
Public exploit code for vulnerability #9 is available.
Public exploit code for vulnerability #10 is available.
Vulnerability #11 is being exploited in the wild.
Vulnerability #12 is being exploited in the wild.
Vulnerability #13 is being exploited in the wild.
Vulnerability #14 is being exploited in the wild.
Public exploit code for vulnerability #15 is available.
Vulnerability #22 is being exploited in the wild.
Vulnerability #23 is being exploited in the wild.
Vulnerability #35 is being exploited in the wild.
Vulnerable software
Subscribe
Gentoo Linux
Operating systems & Components / Operating system

Vendor Gentoo

Security Bulletin

This security bulletin contains information about 50 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU50231

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-1788

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU52674

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-1817

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing web content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Initialization

EUVDB-ID: #VU52673

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-1820

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper memory initialization in WebKit. A remote attacker can create a specially crafted web page, trick the victim into visiting it and disclose contents of process memory.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Universal cross-site scripting

EUVDB-ID: #VU52643

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-1825

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Universal cross-site scripting

EUVDB-ID: #VU52672

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-1826

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within WebKit. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Buffer overflow

EUVDB-ID: #VU51268

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-1844

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing web content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Business Logic Errors

EUVDB-ID: #VU50044

Risk: Critical

CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-1871

CWE-ID: CWE-840 - Business Logic Errors (3.0)

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to a logic issue in the WebKit component. A remote attacker can trick a victim to visit a malicious website and execute arbitrary code on the system.

Note: The vulnerability is being actively exploited in the wild.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

8) Use-after-free

EUVDB-ID: #VU53782

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-21775

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

9) Use-after-free

EUVDB-ID: #VU53497

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-21779

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

10) Use-after-free

EUVDB-ID: #VU53781

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-21806

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

11) Use-after-free

EUVDB-ID: #VU52652

Risk: Critical

CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-30661

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing web content within the WebKit Storage component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

12) Integer overflow

EUVDB-ID: #VU52814

Risk: Critical

CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-30663

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in WebKit. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

13) Buffer overflow

EUVDB-ID: #VU52815

Risk: Critical

CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-30665

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

14) Buffer overflow

EUVDB-ID: #VU52816

Risk: Critical

CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-30666

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

15) Information disclosure

EUVDB-ID: #VU53498

Risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-30682

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in webKit. A remote attacker can gain unauthorized access to sensitive user information.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

16) Universal cross-site scripting

EUVDB-ID: #VU53499

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30689

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in WebKit. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Security features bypass

EUVDB-ID: #VU53502

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30720

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists in WebKit due to the way the component handles links to internal resources. A remote attacker can create a specially crafted web page and trick the application to connect to arbitrary internal addresses.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Buffer overflow

EUVDB-ID: #VU53501

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30734

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted web oage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Universal cross-site scripting

EUVDB-ID: #VU53496

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30744

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in WebKit. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Buffer overflow

EUVDB-ID: #VU53500

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30749

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content within the KeyframeEffect class in WebKit. A remote attacker can create a specially crafted web oage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Type Confusion

EUVDB-ID: #VU55217

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30758

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error in WebKit. A remote attacker can trick the victim to open a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Buffer overflow

EUVDB-ID: #VU54102

Risk: Critical

CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-30761

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content within the WebKit component in Apple iOS. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

23) Use-after-free

EUVDB-ID: #VU54103

Risk: Critical

CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-30762

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content within the WebKit component in Apple iOS. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

24) Use-after-free

EUVDB-ID: #VU55218

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30795

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Input validation error

EUVDB-ID: #VU55219

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30797

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in WebKit. A remote attacker can trick the victim to visit a specially crafted website and execute arbitrary code on the system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Buffer overflow

EUVDB-ID: #VU55220

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30799

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Use-after-free

EUVDB-ID: #VU58701

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30809

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Type Confusion

EUVDB-ID: #VU58697

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30818

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error in WebKit. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Man-in-the-Middle (MitM) attack

EUVDB-ID: #VU57739

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30823

CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists in WebKit. A remote attacker can bypass HSTS and perform MitM attack.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Out-of-bounds read

EUVDB-ID: #VU58699

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30836

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Memory corruption

EUVDB-ID: #VU56730

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30846

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Memory corruption

EUVDB-ID: #VU56731

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30848

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Memory corruption

EUVDB-ID: #VU56732

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30849

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Memory corruption

EUVDB-ID: #VU56733

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30851

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Use-after-free

EUVDB-ID: #VU56475

Risk: Critical

CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-30858

CWE-ID: CWE-416 - Use After Free

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note, the vulnerability is being actively exploited in-the-wild.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

36) Information disclosure

EUVDB-ID: #VU58696

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30884

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists in the WebKit component when processing CSS files. A remote attacker can trick the victim to open a specially crafted website and obtain user's browsing history.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Security restrictions bypass

EUVDB-ID: #VU57740

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30887

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due an error within the WebKit component. A remote attacker can trick the victim to open a specially crafted website and bypass Content Security Policy restrictions.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Information disclosure

EUVDB-ID: #VU57741

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30888

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists in WebKit. A malicious website using Content Security Policy reports may be able to leak information via redirect behavior.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Buffer overflow

EUVDB-ID: #VU57742

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30889

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Universal Cross-site scripting

EUVDB-ID: #VU57744

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30890

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in WebKLit. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Information disclosure

EUVDB-ID: #VU58677

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30897

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists in the WebKit specification for the resource timing API. A remote attacker can exfiltrate cross-origin data, if the victim visits a specially crafted website.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

42) Buffer overflow

EUVDB-ID: #VU58885

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30934

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Use-after-free

EUVDB-ID: #VU58886

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30936

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in WebKit when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Use-after-free

EUVDB-ID: #VU58887

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30951

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in WebKit when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Integer overflow

EUVDB-ID: #VU58888

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30952

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Out-of-bounds read

EUVDB-ID: #VU58890

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30953

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it using the affected software, trigger out-of-bounds read error and execute arbitrary code on the target system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

47) Type Confusion

EUVDB-ID: #VU58891

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30954

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error in WebKit. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

48) Race condition

EUVDB-ID: #VU58889

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30984

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a race condition in WebKit. A local user can trick the victim to visit a specially crafted website, trigger a race condition and execute arbitrary code on the system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

49) Security restrictions bypass

EUVDB-ID: #VU57811

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42762

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists in BubblewrapLauncher.cpp due to application allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox. A local user can abuse the VFS syscalls that manipulate its filesystem namespace and bypass implemented security restrictions. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

50) Use-after-free

EUVDB-ID: #VU59919

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-45482

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when in WebCore::ContainerNode::firstChild. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected packages.
net-libs/webkit-gtk to version: 2.34.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202202-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###