CVE-2020-13543 — Use After Free in Webkitgtk

CWE-416 — Use After Free CWE-825 — Expired Pointer Dereference7 documents6 sources

Severity

8.8HIGHNVD

EPSS

1.5%

top 18.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Webkit2gtk Debian Wpewebkit Webkitgtk

Timeline

PublishedDec 3

Latest updateMay 24

Description

A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability which can lead to remote code execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDwebkitgtk/webkitgtk2.30.0

▶debiandebian/wpewebkit< webkit2gtk 2.30.3-1 (bookworm)

▶debiandebian/webkit2gtk< webkit2gtk 2.30.3-1 (bookworm)

🔴Vulnerability Details

GHSA

GHSA-mqwf-vg2c-5ch3: A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2↗2022-05-24

▶

OSV

CVE-2020-13543: A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2↗2020-12-03

▶

📋Vendor Advisories

Red Hat

webkitgtk: use-after-free may lead to arbitrary code execution↗2020-11-30

▶

Debian

CVE-2020-13543: webkit2gtk - A code execution vulnerability exists in the WebSocket functionality of Webkit W...↗2020

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Multiple vulnerabilities in WebKit↗2020-11-30

▶

Talos

Vulnerability Spotlight: Multiple vulnerabilities in WebKit↗2020-11-30

▶