Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qNjQ2LWdqNXAtcDQ1Z84AA1_1
CefSharp affected by heap buffer overflow in WebP
Google is aware that an exploit for CVE-2023-4863 exists in the wild.
Description
Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
References
- https://www.cve.org/CVERecord?id=CVE-2023-4863
- https://nvd.nist.gov/vuln/detail/CVE-2023-4863
- https://www.techtarget.com/searchsecurity/news/366551978/Browser-companies-patch-critical-zero-day-vulnerability
Updated
There is another related security vulnerability.
There's another related CVE (CVE-2023-5217) that is fixed in Chromium 117.0.5938.132. This one is triggered by WebCodecs API encoder usage, so a workaround for older versions is to disable the WebCodecs API (
--disable-blink-features=WebCodecs
).
As per https://magpcss.org/ceforum/viewtopic.php?f=6&t=19551#p54150
Permalink: https://github.com/advisories/GHSA-j646-gj5p-p45gJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNjQ2LWdqNXAtcDQ1Z84AA1_1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
Identifiers: GHSA-j646-gj5p-p45g
References:
- https://github.com/cefsharp/CefSharp/security/advisories/GHSA-j646-gj5p-p45g
- https://github.com/cefsharp/CefSharp/commit/f2890ba66170afb0bf742839febe4d20449f758c
- https://github.com/cefsharp/CefSharp/releases/tag/v116.0.230
- https://github.com/advisories/GHSA-j646-gj5p-p45g
Blast Radius: 1.0
Affected Packages
nuget:CefSharp.Common.NETCore
Dependent packages: 18Dependent repositories: 0
Downloads: 1,116,846 total
Affected Version Ranges: < 116.0.230
Fixed in: 116.0.230
All affected versions: 87.1.132, 88.2.90, 89.0.170, 90.6.50, 90.6.70, 91.1.160, 91.1.210, 91.1.211, 91.1.230, 92.0.251, 92.0.260, 93.1.111, 93.1.140, 94.4.20, 94.4.50, 94.4.110, 95.7.141, 96.0.141, 96.0.142, 96.0.170, 96.0.180, 97.1.11, 97.1.12, 97.1.60, 97.1.61, 98.1.190, 98.1.210, 99.2.90, 99.2.120, 99.2.140, 100.0.140, 100.0.230, 101.0.150, 101.0.180, 102.0.90, 102.0.100, 103.0.80, 103.0.90, 103.0.120, 104.4.180, 104.4.240, 105.3.330, 105.3.390, 106.0.260, 106.0.290, 107.1.40, 107.1.50, 107.1.90, 107.1.120, 108.4.130, 109.1.110, 110.0.250, 110.0.280, 110.0.300, 111.2.20, 111.2.70, 112.2.70, 112.3.0, 113.1.40, 113.3.50, 114.2.100, 114.2.120, 115.3.110, 115.3.130, 116.0.130, 116.0.150, 116.0.190
All unaffected versions: 116.0.230, 117.2.20, 117.2.40, 118.6.80, 119.1.20, 119.4.30, 120.1.80, 120.1.110, 120.2.50, 120.2.70, 121.3.70, 121.3.130, 122.1.120, 123.0.60, 124.3.20, 124.3.50, 124.3.80, 125.0.210, 126.2.70, 126.2.180, 127.3.50, 128.4.90, 129.0.110, 130.1.90
nuget:CefSharp.Common
Dependent packages: 27Dependent repositories: 0
Downloads: 7,790,968 total
Affected Version Ranges: < 116.0.230
Fixed in: 116.0.230
All affected versions: 33.0.0, 33.0.2, 37.0.0, 37.0.1, 37.0.2, 37.0.3, 39.0.0, 39.0.1, 39.0.2, 41.0.0, 41.0.1, 43.0.0, 43.0.1, 45.0.0, 47.0.0, 47.0.1, 47.0.2, 47.0.3, 47.0.4, 49.0.0, 49.0.1, 51.0.0, 53.0.0, 53.0.1, 55.0.0, 57.0.0, 63.0.0, 63.0.1, 63.0.2, 63.0.3, 65.0.0, 65.0.1, 67.0.0, 69.0.0, 71.0.0, 71.0.1, 71.0.2, 73.1.130, 75.1.141, 75.1.142, 75.1.143, 79.1.350, 79.1.360, 81.3.100, 83.4.20, 84.4.10, 85.3.121, 85.3.130, 86.0.241, 87.1.132, 88.2.90, 89.0.170, 90.6.50, 90.6.70, 91.1.160, 91.1.210, 91.1.211, 91.1.230, 92.0.251, 92.0.260, 93.1.111, 93.1.140, 94.4.20, 94.4.50, 94.4.110, 95.7.141, 96.0.141, 96.0.142, 96.0.170, 96.0.180, 97.1.11, 97.1.12, 97.1.60, 97.1.61, 98.1.190, 98.1.210, 99.2.90, 99.2.120, 99.2.140, 100.0.140, 100.0.230, 101.0.150, 101.0.180, 102.0.90, 102.0.100, 103.0.80, 103.0.90, 103.0.120, 104.4.180, 104.4.240, 105.3.330, 105.3.390, 106.0.260, 106.0.290, 107.1.40, 107.1.50, 107.1.90, 107.1.120, 108.4.130, 109.1.110, 110.0.250, 110.0.280, 110.0.300, 111.2.20, 111.2.70, 112.2.70, 112.3.0, 113.1.40, 113.3.50, 114.2.100, 114.2.120, 115.3.110, 115.3.130, 116.0.130, 116.0.150, 116.0.190
All unaffected versions: 116.0.230, 117.2.20, 117.2.40, 118.6.80, 119.1.20, 119.4.30, 120.1.80, 120.1.110, 120.2.50, 120.2.70, 121.3.70, 121.3.130, 122.1.120, 123.0.60, 124.3.20, 124.3.50, 124.3.80, 125.0.210, 126.2.70, 126.2.180, 127.3.50, 128.4.90, 129.0.110, 130.1.90