<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Carlos Alberto Lopez Perez <clopez () igalia com>
Date: Mon, 31 Jan 2022 18:49:31 +0000
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On 21/01/2022 16:53, Carlos Alberto Lopez Perez wrote:
CVE-2022-XXXXX
Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
Credit to Martin Bajanik from fingerprintjs.com.
Impact: A malicious website may exfiltrate data cross-origin.
Description: A cross-origin issue existed with the IndexedDB. This
was addressed with improved checking of security origins.
Notes: There is a public PoC demonstrating this issue at
https://safarileaks.com so this issue may have been actively
exploited. We still don't know the CVE number that will be assigned
to this issue. We will update this advisory once we know it.
The data for the above unknown CVE number is now updated with the info below:
CVE-2022-22594
Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
Credit to Martin Bajanik of fingerprintjs.com.
Impact: A website may be able to track sensitive user information.
Description: A cross-origin issue in the IndexDB API was addressed
with improved input validation. Notes: There is a public PoC
demonstrating this issue at safarileaks.com so it may have been
actively exploited.
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Carlos Alberto Lopez Perez (Jan 21)
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 John Helmert III (Jan 23)
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Leo Famulari (Jan 24)
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 John Helmert III (Jan 24)
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Leo Famulari (Jan 29)
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Sam James (Jan 30)
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Carlos Alberto Lopez Perez (Jan 31)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->