CVE-2023-38133 Versions affected: WebKitGTK and WPE WebKit before 2.40.5. Credit to YeongHyeon Choi (@hyeon101010). Impact: Processing web content may disclose sensitive information. Description: The issue was addressed with improved checks. CVE-2023-38572 Versions affected: WebKitGTK and WPE WebKit before 2.40.5. Credit to Narendra Bhati (twitter.com/imnarendrabhati) of Suma Soft Pvt. Ltd, Pune - India. Impact: A website may be able to bypass Same Origin Policy. Description: The issue was addressed with improved checks. CVE-2023-38592 Versions affected: WebKitGTK and WPE WebKit before 2.40.5. Credit to Narendra Bhati (twitter.com/imnarendrabhati) of Suma Soft Pvt. Ltd, Pune - India, Valentino Dalla Valle, Pedro Bernardo, Marco Squarcina, and Lorenzo Veronese of TU Wien. Impact: Processing web content may lead to arbitrary code execution. Description: A logic issue was addressed with improved restrictions. CVE-2023-38594 Versions affected: WebKitGTK and WPE WebKit before 2.40.5. Credit to Yuhao Hu. Impact: Processing web content may lead to arbitrary code execution. Description: The issue was addressed with improved checks. CVE-2023-38595 Versions affected: WebKitGTK and WPE WebKit before 2.40.5. Credit to an anonymous researcher, Jiming Wang, and Jikai Ren. Impact: Processing web content may lead to arbitrary code execution. Description: The issue was addressed with improved checks. CVE-2023-38597 Versions affected: WebKitGTK and WPE WebKit before 2.40.5. Credit to 이준성(Junsung Lee) of Cross Republic. Impact: Processing web content may lead to arbitrary code execution. Description: The issue was addressed with improved checks. CVE-2023-38599 Versions affected: WebKitGTK and WPE WebKit before 2.40.5. Credit to Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel Genkin, and Yuval Yarom. Impact: A website may be able to track sensitive user information. Description: A logic issue was addressed with improved state management. CVE-2023-38600 Versions affected: WebKitGTK and WPE WebKit before 2.40.5. Credit to Anonymous working with Trend Micro Zero Day Initiative. Impact: Processing web content may lead to arbitrary code execution. Description: The issue was addressed with improved checks. CVE-2023-38611 Versions affected: WebKitGTK and WPE WebKit before 2.40.5. Credit to Francisco Alonso (@revskills). Impact: Processing web content may lead to arbitrary code execution. Description: The issue was addressed with improved memory handling.
CVE-2023-40397 (http://www.openwall.com/lists/oss-security/2023/09/11/1): The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.5. A remote attacker may be able to cause arbitrary javascript code execution. According to WSA-2023-0008 (https://webkitgtk.org/security/WSA-2023-0008.html): "CVE-2023-40397 Versions affected: WebKitGTK and WPE WebKit before 2.40.5. Credit to Johan Carlsson (joaxcar). Impact: A remote attacker may be able to cause arbitrary javascript code execution. Description: The issue was addressed with improved checks."
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=a3a0841120687c62c97e02dfd392564da420eec4 commit a3a0841120687c62c97e02dfd392564da420eec4 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-05 13:00:45 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-01-05 13:01:13 +0000 [ GLSA 202401-04 ] WebKitGTK+: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/907818 Bug: https://bugs.gentoo.org/909663 Bug: https://bugs.gentoo.org/910656 Bug: https://bugs.gentoo.org/918087 Bug: https://bugs.gentoo.org/918099 Bug: https://bugs.gentoo.org/919290 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202401-04.xml | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+)
