=====================================================================

                              CERT-Renater

                    Note d'Information No. 2023/VULN307

_____________________________________________________________________

DATE                : 12/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running WebKitGTK, WPE WebKit versions
                                       prior to 2.40.5.

=====================================================================
https://webkitgtk.org/security/WSA-2023-0008.html
https://wpewebkit.org/security/WSA-2023-0008.html
_____________________________________________________________________

------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory                 WSA-2023-0008
------------------------------------------------------------------------

Date reported           : September 11, 2023
Advisory ID             : WSA-2023-0008
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2023-0008.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2023-0008.html
CVE identifiers         : CVE-2023-28198, CVE-2023-32370,
                           CVE-2023-40397.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2023-28198
     Versions affected: WebKitGTK and WPE WebKit before 2.40.1.
     Credit to hazbinhotel working with Trend Micro Zero Day Initiative.
     Impact: Processing web content may lead to arbitrary code execution.
     Description: A use-after-free issue was addressed with improved
     memory management.

CVE-2023-32370
     Versions affected: WebKitGTK and WPE WebKit before 2.40.1.
     Credit to Gertjan Franken of imec-DistriNet, KU Leuven.
     Impact: Content Security Policy to block domains with wildcards
     may fail. Description: A logic issue was addressed with improved
     validation.

CVE-2023-40397
     Versions affected: WebKitGTK and WPE WebKit before 2.40.5.
     Credit to Johan Carlsson (joaxcar).
     Impact: A remote attacker may be able to cause arbitrary javascript
     code execution. Description: The issue was addressed with improved
     checks.


We recommend updating to the latest stable versions of WebKitGTK and
WPE WebKit. It is the best way to ensure that you are running safe
versions of WebKit. Please check our websites for information about
the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK and WPE WebKit team,
September 11, 2023


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================