Buffer overflow in WebKitGTK+ and WPE WebKit

#VU23160 Buffer overflow in WebKitGTK+ and WPE WebKit

Published: 2019-12-02

Vulnerability identifier: #VU23160

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2019-8811

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
WebKitGTK+
Server applications / Frameworks for developing and running applications
WPE WebKit
Server applications / Frameworks for developing and running applications

Vendor: WebKitGTK

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

WebKitGTK+: 1.2.0 - 2.26.0

WPE WebKit: 0.1 - 2.26.0

Fixed software versions

CPE

cpe:2.3:a:webkitgtk:webkitgtk:2.9.92:*:*:*:*:*:*:*

External links
http://webkitgtk.org/security/WSA-2019-0006.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat Service Telemetry Framework

Multiple vulnerabilities in Red Hat Quay

Multiple vulnerabilities in Red Hat OpenShift Container Storage

Red Hat Enterprise Linux 8 update for GNOME

OpenSUSE Linux update for webkit2gtk3

Buffer overflow in webkit2gtk (Alpine package)

Multiple vulnerabilities in WebKitGTK and WPE WebKit