SUSE update for webkit2gtk3
Security Bulletin
This security bulletin contains information about 15 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU58885
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30934
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free
EUVDB-ID: #VU58886
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30936
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in WebKit when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free
EUVDB-ID: #VU58887
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30951
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in WebKit when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Integer overflow
EUVDB-ID: #VU58888
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30952
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Out-of-bounds read
EUVDB-ID: #VU58890
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30953
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it using the affected software, trigger out-of-bounds read error and execute arbitrary code on the target system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Type Confusion
EUVDB-ID: #VU58891
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30954
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in WebKit. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Race condition
EUVDB-ID: #VU58889
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30984
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a race condition in WebKit. A local user can trick the victim to visit a specially crafted website, trigger a race condition and execute arbitrary code on the system.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Buffer overflow
EUVDB-ID: #VU59918
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-45481
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebCore::ImageBufferCairoImageSurfaceBackend::create. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and perform a denial of service (DoS) attack.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Use-after-free
EUVDB-ID: #VU59919
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-45482
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when in WebCore::ContainerNode::firstChild. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Use-after-free
EUVDB-ID: #VU59920
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-45483
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in WebCore::Frame::page. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Code Injection
EUVDB-ID: #VU60036
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22589
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary JavaScript code on the system.
The vulnerability exists due to improper input validation in WebKit when processing email messages. A remote attacker can trick the victim to open a specially crafted email message and execute arbitrary JavaScript code on the system.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Use-after-free
EUVDB-ID: #VU60037
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22590
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Security features bypass
EUVDB-ID: #VU60038
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22592
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a logic issue when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into visiting it and prevent Content Security Policy from being enforced.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Information disclosure
EUVDB-ID: #VU60039
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22594
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a cross-origin issue in the IndexDB API within the WebKit Storage. A remote attacker can trick the victim to visit a specially crafted website and gain access to sensitive information, locally stored by WebKit.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Use-after-free
EUVDB-ID: #VU60520
Risk: Critical
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2022-22620
CWE-ID:
CWE-416 - Use After Free
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Realtime Extension: 15-SP2
SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4
SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Retail Branch Server: 4.1
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise Module for Basesystem: 15-SP3 - 15-SP4
SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4
SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
libwebkit2gtk3-lang: before 2.34.6-29.1
webkit2gtk3-devel: before 2.34.6-29.1
webkit2gtk3-debugsource: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.34.6-29.1
webkit2gtk-4_0-injected-bundles: before 2.34.6-29.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.34.6-29.1
typelib-1_0-WebKit2-4_0: before 2.34.6-29.1
typelib-1_0-JavaScriptCore-4_0: before 2.34.6-29.1
libwebkit2gtk-4_0-37-debuginfo: before 2.34.6-29.1
libwebkit2gtk-4_0-37: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.34.6-29.1
libjavascriptcoregtk-4_0-18: before 2.34.6-29.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220705-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
