CVE-2020-13543
Published: 2020-12-03
Priority: P3 · 51 · high · CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 3.27% (86.9th percentile)
A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability which can lead to remote code execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | webkit2gtk | < webkit2gtk 2.30.3-1 (bookworm) | webkit2gtk 2.30.3-1 (bookworm) |
| debian | wpewebkit | < webkit2gtk 2.30.3-1 (bookworm) | webkit2gtk 2.30.3-1 (bookworm) |
| webkitgtk | webkitgtk | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Red Hat
webkitgtk: use-after-free may lead to arbitrary code execution
vendor_redhat · 2020-11-30 · CVSS 8.8 · HIGH · CWE-825
Package: webkitgtk (Red Hat Enterprise Linux 6) - Out of support scope
Package: webkitgtk3 (Red Hat Enterprise Linux 7) - Out of support scope
Debian
CVE-2020-13543: webkit2gtk
vendor_debian · 2020 · CVSS 8.8 · HIGH
Scope: local
bookworm: resolved (fixed in 2.30.3-1)
bullseye: resolved (fixed in 2.30.3-1)
forky: resolved (fixed in 2.30.3-1)
sid: resolved (fixed in 2.30.3-1)
trixie: resolved (fixed in 2.30.3-1)
GHSA
GHSA-mqwf-vg2c-5ch3
ghsa_unreviewed · 2022-05-24 · HIGH · CWE-416
OSV
CVE-2020-13543
osv · 2020-12-03 · CVSS 8.8 · HIGH
No detection rules found.
No public exploits indexed.
Talos
Vulnerability Spotlight: Multiple vulnerabilities in WebKit
blogs_talos · 2020-11-30 · CVSS 8.8 · HIGH
Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
### Executive summary
The WebKit browser engine contains multiple vulnerabilities in various functions of the software. Malicious web page code could trigger multiple use-after-free errors, which could lead to remote and arbitrary code execution. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted, malicious web page on a browser utilizing WebKit.
In accordance with our coordinated disclosure policy, Cisco Talos worked with WebKit to ensure that these issues are resolved and that an update is available for affected customers.
### Vulnerability details
Webkit WebSocket code execution vulnerability (TALOS-2020-1155/CVE-2020-13543)
References
https://security.gentoo.org/glsa/202012-10
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1155
https://www.oracle.com/security-alerts/cpuapr2022.html