CVE-2020-13584
Published: 2020-12-03
Priority: P348 | Severity: high | CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 4.45% (90.2th percentile)
An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.1 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger this vulnerability.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | webkit2gtk | < webkit2gtk 2.30.3-1 (bookworm) | webkit2gtk 2.30.3-1 (bookworm) |
| debian | wpewebkit | < webkit2gtk 2.30.3-1 (bookworm) | webkit2gtk 2.30.3-1 (bookworm) |
| fedoraproject | fedora | — | — |
| webkitgtk | webkitgtk | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
GHSA
GHSA-w3wx-pfgj-qgv3 (ghsa_unreviewed · 2022-05-24): CVE-2020-13584 [HIGH] CWE-416
Description: identical to the NVD text above.
OSV
CVE-2020-13584 (osv · 2020-12-03 · CVSS 8.8 [HIGH])
Description: identical to the NVD text above.
Red Hat
webkitgtk: use-after-free may lead to arbitrary code execution (vendor_redhat · 2020-11-23 · CVSS 8.8 [HIGH] · CWE-416)
Description: identical to the NVD text above.
Package: webkitgtk (Red Hat Enterprise Linux 6) - Out of support scope
Package: webkitgtk3 (Red Hat Enterprise Linux 7) - Out of support scope
Debian
CVE-2020-13584: webkit2gtk (vendor_debian · 2020 · CVSS 8.8 [HIGH])
Description: identical to the NVD text above.
Scope: local
bookworm: resolved (fixed in 2.30.3-1)
bullseye: resolved (fixed in 2.30.3-1)
forky: resolved (fixed in 2.30.3-1)
sid: resolved (fixed in 2.30.3-1)
trixie: resolved (fixed in 2.30.3-1)
No detection rules found.
No public exploits indexed.
Talos
Vulnerability Spotlight: Multiple vulnerabilities in WebKit (blogs_talos · 2020-11-30 · CVSS 8.8 [HIGH])
Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
### Executive summary
The WebKit browser engine contains multiple vulnerabilities in various functions of the software. Malicious web page code could trigger multiple use-after-free errors, which could lead to remote, arbitrary code execution. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted, malicious web page in a browser that uses WebKit.
In accordance with our coordinated disclosure policy, Cisco Talos worked with WebKit to ensure that these issues are resolved and that an update is available for affected customers.
### Vulnerability details
Webkit WebSocket code execution vulnerability (TALOS-2020-1155/CVE-2020-13543)
A code execu
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BY2OBQZFMEFZOSWXPXHPEHOJXXILEEX2/
- https://security.gentoo.org/glsa/202012-10
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1195