CVE-2020-13584 — Use After Free in Webkitgtk

CWE-416 — Use After Free7 documents6 sources

Severity

8.8HIGHNVD

EPSS

1.2%

top 21.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Webkit2gtk Debian Wpewebkit Fedoraproject Fedora +1 more

Timeline

PublishedDec 3

Latest updateMay 24

Description

An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.1 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in a remote code execution. The victim needs to visit a malicious web site to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDwebkitgtk/webkitgtk2.30.1

▶debiandebian/wpewebkit< webkit2gtk 2.30.3-1 (bookworm)

▶debiandebian/webkit2gtk< webkit2gtk 2.30.3-1 (bookworm)

Also affects: Fedora 32

🔴Vulnerability Details

GHSA

GHSA-w3wx-pfgj-qgv3: An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2↗2022-05-24

▶

OSV

CVE-2020-13584: An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2↗2020-12-03

▶

📋Vendor Advisories

Red Hat

webkitgtk: use-after-free may lead to arbitrary code execution↗2020-11-23

▶

Debian

CVE-2020-13584: webkit2gtk - An exploitable use-after-free vulnerability exists in WebKitGTK browser version ...↗2020

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Multiple vulnerabilities in WebKit↗2020-11-30

▶

Talos

Vulnerability Spotlight: Multiple vulnerabilities in WebKit↗2020-11-30

▶