Bug 2223000 (CVE-2023-37450) - CVE-2023-37450 webkitgtk: arbitrary code execution
Summary: CVE-2023-37450 webkitgtk: arbitrary code execution
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-37450
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2218789 2218792 2223001 2223002 2223003 2223004 2223005 2223006 2223007
Blocks: 2222999
 
Reported: 2023-07-14 20:06 UTC by Marco Benatto
Modified: 2023-08-11 14:30 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in webkitgtk. This issue occurs when processing web content, which may lead to arbitrary code execution.
Clone Of:
Environment:
Last Closed: 2023-07-22 01:57:03 UTC
Embargoed:



Description Marco Benatto 2023-07-14 20:06:56 UTC
Processing web content may lead to arbitrary code execution

Comment 1 Marco Benatto 2023-07-14 20:08:35 UTC
Created webkitgtk tracking bugs for this issue:

Affects: fedora-all [bug 2223001]

Comment 5 Salvatore Bonaccorso 2023-07-21 04:46:49 UTC
Hi

While triaging new CVEs we found this entry, but the details are very light. Can you share
if this is something known upstream, if there is an upstream issue and fix, and which versions
are affected by the issue?

Regards,
Salvatore

Comment 6 Michael Catanzaro 2023-07-21 12:48:53 UTC
This is fixed in WebKitGTK 2.40.3 by https://github.com/WebKit/WebKit/commit/4f99c0670d2d91dbc51725a7af6909e186db1b07. That's all I know.

Comment 7 Michael Catanzaro 2023-07-21 12:49:51 UTC
Um, sorry. It's fixed in 2.40.4. I'm off by one.

Comment 8 Marco Benatto 2023-07-21 21:15:51 UTC
This flaw is currently fixed by the advisory:
https://access.redhat.com/errata/RHSA-2023:4201 [rhel-9.2.z]
https://access.redhat.com/errata/RHSA-2023:4202 [rhel-8.8.z]

Comment 9 Product Security DevOps Team 2023-08-01 06:58:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-37450

