Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
8.8
CVSSv3

CVE-2023-5217

Published: 28/09/2023 Updated: 15/02/2024
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 0
Subscribe to Webmproject

Vulnerability Summary

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome before 117.0.5938.132 and libvpx 1.13.1 allowed a remote malicious user to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

webmproject libvpx

microsoft edge 116.0.1938.98

microsoft edge 117.0.2045.47

microsoft edge chromium 116.0.5845.229

microsoft edge chromium 117.0.5938.132

mozilla firefox focus

mozilla firefox esr

mozilla firefox

mozilla thunderbird

fedoraproject fedora 37

fedoraproject fedora 38

fedoraproject fedora 39

debian debian linux 10.0

debian debian linux 11.0

debian debian linux 12.0

apple iphone os

apple ipad os

apple ipad os 16.7

apple iphone os 16.7

Vendor Advisories

Debian CVElist Bug Report Logs: libvpx: CVE-2023-5217
Debian Bug report logs - #1053182 libvpx: CVE-2023-5217 Package: src:libvpx; Maintainer for src:libvpx is Debian Multimedia Maintainers <debian-multimedia@listsdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Thu, 28 Sep 2023 20:45:04 UTC Severity: grave Tags: security, upstream Found in ver ...
Debian Security Advisories: DSA-5509-1 firefox-esr -- security update
A buffer overflow in VP8 media stream processing has been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code For the oldstable distribution (bullseye), this problem has been fixed in version 11531esr-1~deb11u1 For the stable distribution (bookworm), this problem will be fixed via the libv ...
Debian Security Advisories: DSA-5508-1 chromium -- security update
Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure For the oldstable distribution (bullseye), these problems have been fixed in version 11705938132-1~deb11u1 For the stable distribution (bookworm), these problems have been fixed in version 117 ...
Debian Security Advisories: DSA-5510-1 libvpx -- security update
Clement Lecigne discovered a heap-based buffer overflow in libvpx, a multimedia library for the VP8 and VP9 video codecs, which may result in the execution of arbitrary code if a specially crafted VP8 media stream is processed For the oldstable distribution (bullseye), this problem has been fixed in version 190-1+deb11u1 For the stable distribu ...
Mozilla: Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, and Firefox Focus for Android 118.1.0.
Mozilla Foundation Security Advisory 2023-44 Security Vulnerability fixed in Firefox 11801, Firefox ESR 11531, Firefox for Android 11810, and Firefox Focus for Android 11810 Announced September 28, 2023 Impact critical Products Firefox, Fi ...
Red Hat:
Description<!----> This CVE is under investigation by Red Hat Product Security ...
Red Hat: Important: libvpx security update
Synopsis Important: libvpx security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for libvpx is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a se ...
Red Hat: Important: firefox security update
Synopsis Important: firefox security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for firefox is now available for Red Hat Enterprise Linux 90 Extended Update SupportRed Hat Product Security has rate ...
Red Hat: Important: firefox security update
Synopsis Important: firefox security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for firefox is now available for Red Hat Enterprise Linux 82 Advanced Update Support, Red Hat Enterprise Linux 82 Tel ...
Red Hat: Important: libvpx security update
Synopsis Important: libvpx security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for libvpx is now available for Red Hat Enterprise Linux 9Red Hat Product Security has rated this update as having a se ...
Red Hat: Important: firefox security update
Synopsis Important: firefox security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for firefox is now available for Red Hat Enterprise Linux 86 Extended Update SupportRed Hat Product Security has rate ...
Red Hat: Important: libvpx security update
Synopsis Important: libvpx security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for libvpx is now available for Red Hat Enterprise Linux 86 Extended Update SupportRed Hat Product Security has rated ...
Red Hat: Important: thunderbird security update
Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for thunderbird is now available for Red Hat Enterprise Linux 84 Advanced Mission Critical Update Support, Red Hat ...
Red Hat: Important: thunderbird security update
Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for thunderbird is now available for Red Hat Enterprise Linux 9Red Hat Product Security has rated this update as h ...
Red Hat: Important: thunderbird security update
Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for thunderbird is now available for Red Hat Enterprise Linux 86 Extended Update SupportRed Hat Product Security ...
Red Hat: Important: thunderbird security update
Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for thunderbird is now available for Red Hat Enterprise Linux 82 Advanced Update Support, Red Hat Enterprise Linux ...
Red Hat: Important: libvpx security update
Synopsis Important: libvpx security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for libvpx is now available for Red Hat Enterprise Linux 90 Extended Update SupportRed Hat Product Security has rated ...
Red Hat: Important: firefox security update
Synopsis Important: firefox security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for firefox is now available for Red Hat Enterprise Linux 81 Update Services for SAP SolutionsRed Hat Product Securit ...
Red Hat: Important: firefox security update
Synopsis Important: firefox security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for firefox is now available for Red Hat Enterprise Linux 9Red Hat Product Security has rated this update as having a ...
Red Hat: Important: libvpx security update
Synopsis Important: libvpx security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for libvpx is now available for Red Hat Enterprise Linux 84 Advanced Mission Critical Update Support, Red Hat Enterpris ...
Red Hat: Important: libvpx security update
Synopsis Important: libvpx security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for libvpx is now available for Red Hat Enterprise Linux 81 Update Services for SAP SolutionsRed Hat Product Security ...
Red Hat: Important: libvpx security update
Synopsis Important: libvpx security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for libvpx is now available for Red Hat Enterprise Linux 82 Advanced Update Support, Red Hat Enterprise Linux 82 Telec ...
Red Hat: Important: thunderbird security update
Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for thunderbird is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as h ...
Red Hat: Important: firefox security update
Synopsis Important: firefox security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for firefox is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a ...
Red Hat: Important: thunderbird security update
Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for thunderbird is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as h ...
Red Hat: Important: firefox security update
Synopsis Important: firefox security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for firefox is now available for Red Hat Enterprise Linux 84 Advanced Mission Critical Update Support, Red Hat Enterpr ...
Red Hat: Important: thunderbird security update
Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for thunderbird is now available for Red Hat Enterprise Linux 81 Update Services for SAP SolutionsRed Hat Product ...
Red Hat: Important: thunderbird security update
Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for thunderbird is now available for Red Hat Enterprise Linux 90 Extended Update SupportRed Hat Product Security ...
Red Hat: Important: firefox security update
Synopsis Important: firefox security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for firefox is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a ...
Google Chrome: Stable Channel Update for Desktop
The Stable channel has been updated to 11705938132 for Windows, Mac and Linux, which will roll out over the coming days/weeks A full list of changes in this build is available in the logSecurity Fixes and RewardsNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix We will also retain re ...
Google Chrome: Long Term Support Channel Update for ChromeOS
LTS-114 is being updated in the LTS channel to&nbsp;11405735337 (Platform Version: 15437740)&nbsp;for most ChromeOS devices Want to know more about Long Term Support? Click&nbsp;hereThis update contains multiple Security fixes, including:1475798&nbsp;High&nbsp;CVE-2023-5187&nbsp;Use after free in Extensions1450784&nbsp;Medium&nbsp;CVE-2023-4 ...
Citrix Security Bulletins: Impact of Chromium vulnerabilities CVE-2023-4863 and CVE-2023-5217 on Cloud Software Group products
Cloud Software Group will continue to update this post as additional information becomes available ...
Apple: iOS 16.7.1 and iPadOS 16.7.1
About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the&nbsp;Apple security releases page Apple security documents reference vulnerabilities by&nbsp;CVE-ID&nbsp;whe ...
Apple: iOS 17.0.3 and iPadOS 17.0.3
About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the&nbsp;Apple security releases page Apple security documents reference vulnerabilities by&nbsp;CVE-ID&nbsp;whe ...
Check Point Security Alerts: Webmproject Libvpx Buffer Overflow (CVE-2023-5217)
Check Point Reference: CPAI-2023-1167 Date Published: 20 Nov 2023 Severity: High ...

Github Repositories

https://github.com/wrv/cve-2023-5217-poc

A PoC to trigger CVE-2023-5217 from the Browser WebCodecs or MediaRecorder interface.

CVE-2023-5217: libvpx VP8 Encoding Heap Overflow PoC CVE-2023-5217 is an in-the-wild exploited libvpx vulnerability that was found by Clément Lecigne of Google's Threat Analysis Group to be targeting Chrome This repo shows how to trigger CVE-2023-5217 in the browser using the WebCodecs and MediaRecorder APIs CVE-2023-5217 allows for a heap buffer overflow with a c

https://github.com/Jereanny14/jereanny14.github.io

jereanny14

jereanny14githubio Digital-security-in-company´s About this proyect is about the cybersecurity in company´s, how ciberatacks be a problem a how we can avoid them Just as the subtitle says, we will cover these topics, like hacking examples in Costa Rica, general problems for safe datas and the use about software or malware The objetives about this proyect is make

Recent Articles

Apple fixes two new iOS zero-days exploited in attacks on iPhones
BleepingComputer • Lawrence Abrams • 05 Mar 2024

Apple fixes two new iOS zero-days exploited in attacks on iPhones By Lawrence Abrams March 5, 2024 04:34 PM 0 Apple released emergency security updates to fix two iOS zero-day vulnerabilities that were exploited in attacks on iPhones. "Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday. The two bugs were found in the iOS Kernel (CVE-2024-23225) and RTKit (CVE-2024-23296), both allowing attackers with arbitrary kernel r...

Read more...
IT threat evolution in Q3 2023. Non-mobile statistics
Securelist • AMR • 01 Dec 2023

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data. Quarterly figures According to Kaspersky Security Network, in Q3 2023: Kaspersky solutions blocked 694,400,301 attacks from online resources across the globe. A total of 169,194,807 unique links were recognized as malicious by Web Anti-Virus components. Attempts to run malware for stealing money from online bank accounts were stopped on the com...

Read more...
Another security update, Apple? You're really keeping up with your tech rivals
The Register

Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Zero day? More like every day, amirite?

Apple has demonstrated that it can more than hold its own among the tech giants, at least in terms of finding itself on the wrong end of zero-day vulnerabilities. iOS and iPadOS have again come under attack, and Apple has rushed out a fix to ward off miscreants. The latest issues are CVE-2023-42824 and CVE-2023-5217. The latter is a week old and refers to a heap buffer overflow in the VP8 compression format in libvpx. Apple noted that the overflow could result in arbitrary code execution and fix...

Read more...
CISA adds latest Chrome zero-day to Known Exploited Vulnerabilities Catalog
The Register

Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Chrome’s second zero-day of the month puts fed security at 'significant risk'

The US's Cybersecurity and Infrastructure Security Agency (CISA) has added the latest actively exploited zero-day vulnerability affecting Google Chrome to its Known Exploited Vulnerabilities (KEV) Catalog. The bug, tracked as CVE-2023-5217, received a patch from Google last week and was assigned a severity rating of 8.8 on the CVSS v3 scale. With its addition to the KEV Catalog, CISA has effectively indicated that exploits for the vulnerability pose a "significant risk to the federal enterprise,...

Read more...
Google reveals zero-day exploits in enterprise tech surged 64% last year
The Register

Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Crooks know where the big bucks are

Zero-day exploits targeting enterprise-specific software and appliances are now outpacing zero-day bugs overall, according to Google's threat hunting teams. In a report published today, Google's Threat Analysis Group (TAG) and Mandiant said they tracked 97 total zero-day vulnerabilities found and exploited by miscreants in 2023, which is considerably more than the year prior, with 62 vulnerabilities. Enterprise-specific technology zero-days, however, increased by 64 percent in 2023 compared to 2...

Read more...

References

CWE-787https://crbug.com/1486441https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.htmlhttp://www.openwall.com/lists/oss-security/2023/09/28/5http://www.openwall.com/lists/oss-security/2023/09/28/6http://www.openwall.com/lists/oss-security/2023/09/29/1http://www.openwall.com/lists/oss-security/2023/09/29/2http://www.openwall.com/lists/oss-security/2023/09/29/7http://www.openwall.com/lists/oss-security/2023/09/29/9https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/https://pastebin.com/TdkC4pDvhttps://github.com/webmproject/libvpx/tagshttps://security-tracker.debian.org/tracker/CVE-2023-5217https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282http://www.openwall.com/lists/oss-security/2023/09/29/11http://www.openwall.com/lists/oss-security/2023/09/29/12https://www.openwall.com/lists/oss-security/2023/09/28/5https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590https://bugzilla.redhat.com/show_bug.cgi?id=2241191https://stackdiary.com/google-discloses-a-webm-vp8-bug-tracked-as-cve-2023-5217/http://www.openwall.com/lists/oss-security/2023/09/29/14https://www.debian.org/security/2023/dsa-5510https://www.debian.org/security/2023/dsa-5508https://www.debian.org/security/2023/dsa-5509http://www.openwall.com/lists/oss-security/2023/09/30/1https://lists.debian.org/debian-lts-announce/2023/09/msg00038.htmlhttps://twitter.com/maddiestone/status/1707163313711497266https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/https://github.com/webmproject/libvpx/releases/tag/v1.13.1http://www.openwall.com/lists/oss-security/2023/09/30/2http://www.openwall.com/lists/oss-security/2023/09/30/3http://www.openwall.com/lists/oss-security/2023/09/30/4http://www.openwall.com/lists/oss-security/2023/09/30/5https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCVSHVX2RFBU3RMCUFSATVQEJUFD4Q63/http://www.openwall.com/lists/oss-security/2023/10/01/2http://www.openwall.com/lists/oss-security/2023/10/01/1http://www.openwall.com/lists/oss-security/2023/10/01/5https://lists.debian.org/debian-lts-announce/2023/10/msg00001.htmlhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/55YVCZNAVY3Y5E4DWPWMX2SPKZ2E5SOV/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MFWDFJSSIFKWKNOCTQCFUNZWAXUCSS4/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWEJYS5NC7KVFYU3OAMPKQDYN6JQGVK6/http://www.openwall.com/lists/oss-security/2023/10/02/6http://www.openwall.com/lists/oss-security/2023/10/03/11https://security.gentoo.org/glsa/202310-04https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD/http://seclists.org/fulldisclosure/2023/Oct/12https://lists.debian.org/debian-lts-announce/2023/10/msg00015.htmlhttp://seclists.org/fulldisclosure/2023/Oct/16https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB/https://support.apple.com/kb/HT213961https://support.apple.com/kb/HT213972https://security.gentoo.org/glsa/202401-34https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053182https://nvd.nist.govhttps://github.com/wrv/cve-2023-5217-pochttps://www.debian.org/security/2023/dsa-5509
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-21111CVE-2024-32884IDORCVE-2023-1000CVE-2024-33260CVE-2024-3682reflected XSSrace conditionCVE-2024-3400
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook