CVE-2020-13558 — Use After Free in Webkitgtk

CWE-416 — Use After Free8 documents7 sources

Severity

8.8HIGHNVD

EPSS

0.6%

top 30.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Webkit2gtk Debian Wpewebkit Webkitgtk

Timeline

PublishedMar 3

Latest updateMay 24

Description

A code execution vulnerability exists in the AudioSourceProviderGStreamer functionality of Webkit WebKitGTK 2.30.1. A specially crafted web page can lead to a use after free.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDwebkitgtk/webkitgtk2.30.1

▶debiandebian/wpewebkit< webkit2gtk 2.30.5-1 (bookworm)

▶debiandebian/webkit2gtk< webkit2gtk 2.30.5-1 (bookworm)

🔴Vulnerability Details

GHSA

GHSA-qhvm-2jxc-mqxw: A code execution vulnerability exists in the AudioSourceProviderGStreamer functionality of Webkit WebKitGTK 2↗2022-05-24

▶

OSV

CVE-2020-13558: A code execution vulnerability exists in the AudioSourceProviderGStreamer functionality of Webkit WebKitGTK 2↗2021-03-03

▶

📋Vendor Advisories

Ubuntu

WebKitGTK vulnerability↗2021-02-18

▶

Red Hat

webkitgtk: Use-after-free in AudioSourceProviderGStreamer leading to arbitrary code execution↗2021-02-15

▶

Debian

CVE-2020-13558: webkit2gtk - A code execution vulnerability exists in the AudioSourceProviderGStreamer functi...↗2020

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Remote code execution vulnerability in WebKit WebAudio API↗2021-03-03

▶

Talos

Vulnerability Spotlight: Remote code execution vulnerability in WebKit WebAudio API↗2021-03-03

▶