Bug 2223000 (CVE-2023-37450) - CVE-2023-37450 webkitgtk: arbitrary code execution
Summary: CVE-2023-37450 webkitgtk: arbitrary code execution
Alias: CVE-2023-37450
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 2218789 2218792 2223001 2223002 2223003 2223004 2223005 2223006 2223007
Blocks: 2222999
TreeView+ depends on / blocked
Reported: 2023-07-14 20:06 UTC by Marco Benatto
Modified: 2023-08-11 14:30 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in webkitgtk. This issue occurs when processing web content, which may lead to arbitrary code execution.
Clone Of:
Last Closed: 2023-07-22 01:57:03 UTC

Attachments (Terms of Use)

Description Marco Benatto 2023-07-14 20:06:56 UTC
Processing web content may lead to arbitrary code execution

Comment 1 Marco Benatto 2023-07-14 20:08:35 UTC
Created webkitgtk tracking bugs for this issue:

Affects: fedora-all [bug 2223001]

Comment 5 Salvatore Bonaccorso 2023-07-21 04:46:49 UTC

While triaging new CVEs w found this entry, but the details are very light. Can you share
if this is something known upstream, if there is an upstream issue an fix, and wihch versions
are affected by the issue?


Comment 6 Michael Catanzaro 2023-07-21 12:48:53 UTC
This is fixed in WebKitGTK 2.40.3 by https://github.com/WebKit/WebKit/commit/4f99c0670d2d91dbc51725a7af6909e186db1b07. That's all I know.

Comment 7 Michael Catanzaro 2023-07-21 12:49:51 UTC
Um, sorry. It's fixed in 2.40.4. I'm off by one.

Comment 8 Marco Benatto 2023-07-21 21:15:51 UTC
This flaw is currently fixed by the advisory:
https://access.redhat.com/errata/RHSA-2023:4201 [rhel-9.2.z]
https://access.redhat.com/errata/RHSA-2023:4202 [rhel-8.8.z]

Comment 9 Product Security DevOps Team 2023-08-01 06:58:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.