Fluid Attacks Database

Description

CefSharp affected by heap buffer overflow in WebP Google is aware that an exploit for CVE-2023-4863 exists in the wild.

Description

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

References

https://www.cve.org/CVERecord?id=CVE-2023-4863

https://nvd.nist.gov/vuln/detail/CVE-2023-4863

https://www.techtarget.com/searchsecurity/news/366551978/Browser-companies-patch-critical-zero-day-vulnerability

Updated

There is another related security vulnerability.

There's another related CVE (CVE-2023-5217) that is fixed in Chromium 117.0.5938.132. This one is triggered by WebCodecs API encoder usage, so a workaround for older versions is to disable the WebCodecs API (--disable-blink-features=WebCodecs).

As per https://magpcss.org/ceforum/viewtopic.php?f=6&t=19551#p54150

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
nuget	cefsharp.common	>=0 <116.0.230	116.0.230
nuget	cefsharp.common.netcore	>=0 <116.0.230	116.0.230

Aliases

1. GHSA-j646-gj5p-p45g2. GCVE-GHSA-j646-gj5p-p45g

References

1. https://github.com/cefsharp/CefSharp/security/advisories/GHSA-j646-gj5p-p45g2. https://github.com/cefsharp/CefSharp/commit/f2890ba66170afb0bf742839febe4d20449f758c3. https://github.com/cefsharp/CefSharp/releases/tag/v116.0.230

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.