GHSA-j646-gj5p-p45g – cefsharp.common

Package

Manager: nuget
Name: cefsharp.common
Vulnerable Version: >=0 <116.0.230

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:F/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

CefSharp affected by heap buffer overflow in WebP **Google is aware that an exploit for [CVE-2023-4863](https://www.cve.org/CVERecord?id=CVE-2023-4863) exists in the wild.** ### Description Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical) ### References - https://www.cve.org/CVERecord?id=CVE-2023-4863 - https://nvd.nist.gov/vuln/detail/CVE-2023-4863 - https://www.techtarget.com/searchsecurity/news/366551978/Browser-companies-patch-critical-zero-day-vulnerability --- **Updated** There is another related security vulnerability. > There's another related CVE ([CVE-2023-5217](https://nvd.nist.gov/vuln/detail/CVE-2023-5217)) that is fixed in Chromium 117.0.5938.132. This one is triggered by WebCodecs API encoder usage, so a workaround for older versions is to disable the WebCodecs API (`--disable-blink-features=WebCodecs`). As per https://magpcss.org/ceforum/viewtopic.php?f=6&t=19551#p54150

Metadata

Created: 2023-09-21T17:11:42Z
Modified: 2023-10-02T20:17:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-j646-gj5p-p45g/GHSA-j646-gj5p-p45g.json
CWE IDs: []
Alternative ID: N/A
Finding: F111
Auto approve: 1