SUSE update for webkit2gtk3
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 13 |
| CVE-ID | CVE-2024-23213 CVE-2024-23271 CVE-2024-27808 CVE-2024-27820 CVE-2024-27833 CVE-2024-27834 CVE-2024-27838 CVE-2024-27851 CVE-2024-40866 CVE-2024-44187 CVE-2024-4558 CVE-2024-23222 CVE-2024-23206 |
| CWE-ID | CWE-119 CWE-254 CWE-190 CWE-287 CWE-200 CWE-451 CWE-693 CWE-416 CWE-843 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #12 is being exploited in the wild. |
| Vulnerable software Subscribe |
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security Operating systems & Components / Operating system SUSE Linux Enterprise Server 12 SP5 LTSS Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 12 Operating systems & Components / Operating system SUSE Linux Enterprise Server 12 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 12 Operating systems & Components / Operating system webkit2gtk-4_0-injected-bundles-debuginfo Operating systems & Components / Operating system package or component libwebkit2gtk3-lang Operating systems & Components / Operating system package or component libwebkit2gtk-4_0-37-debuginfo Operating systems & Components / Operating system package or component webkit2gtk-4_0-injected-bundles Operating systems & Components / Operating system package or component typelib-1_0-WebKit2-4_0 Operating systems & Components / Operating system package or component libjavascriptcoregtk-4_0-18-debuginfo Operating systems & Components / Operating system package or component typelib-1_0-WebKit2WebExtension-4_0 Operating systems & Components / Operating system package or component libjavascriptcoregtk-4_0-18 Operating systems & Components / Operating system package or component webkit2gtk3-debugsource Operating systems & Components / Operating system package or component typelib-1_0-JavaScriptCore-4_0 Operating systems & Components / Operating system package or component libwebkit2gtk-4_0-37 Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU85666
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-23213
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended Security: 12-SP5
SUSE Linux Enterprise Server 12 SP5 LTSS: 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.46.0-4.15.1
libwebkit2gtk3-lang: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.46.0-4.15.1
webkit2gtk-4_0-injected-bundles: before 2.46.0-4.15.1
typelib-1_0-WebKit2-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.46.0-4.15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18: before 2.46.0-4.15.1
webkit2gtk3-debugsource: before 2.46.0-4.15.1
typelib-1_0-JavaScriptCore-4_0: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37: before 2.46.0-4.15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended_security:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2024/suse-su-20243751-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security features bypass
EUVDB-ID: #VU89030
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-23271
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a logic error in WebKit, which can lead to unexpected cross-origin behavior. A remote attacker can trick the victim to visit a specially crafted website and bypass implemented security restrictions.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended Security: 12-SP5
SUSE Linux Enterprise Server 12 SP5 LTSS: 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.46.0-4.15.1
libwebkit2gtk3-lang: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.46.0-4.15.1
webkit2gtk-4_0-injected-bundles: before 2.46.0-4.15.1
typelib-1_0-WebKit2-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.46.0-4.15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18: before 2.46.0-4.15.1
webkit2gtk3-debugsource: before 2.46.0-4.15.1
typelib-1_0-JavaScriptCore-4_0: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37: before 2.46.0-4.15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended_security:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2024/suse-su-20243751-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU95303
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-27808
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended Security: 12-SP5
SUSE Linux Enterprise Server 12 SP5 LTSS: 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.46.0-4.15.1
libwebkit2gtk3-lang: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.46.0-4.15.1
webkit2gtk-4_0-injected-bundles: before 2.46.0-4.15.1
typelib-1_0-WebKit2-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.46.0-4.15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18: before 2.46.0-4.15.1
webkit2gtk3-debugsource: before 2.46.0-4.15.1
typelib-1_0-JavaScriptCore-4_0: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37: before 2.46.0-4.15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended_security:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2024/suse-su-20243751-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU95305
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-27820
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit Web Inspector. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended Security: 12-SP5
SUSE Linux Enterprise Server 12 SP5 LTSS: 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.46.0-4.15.1
libwebkit2gtk3-lang: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.46.0-4.15.1
webkit2gtk-4_0-injected-bundles: before 2.46.0-4.15.1
typelib-1_0-WebKit2-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.46.0-4.15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18: before 2.46.0-4.15.1
webkit2gtk3-debugsource: before 2.46.0-4.15.1
typelib-1_0-JavaScriptCore-4_0: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37: before 2.46.0-4.15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended_security:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2024/suse-su-20243751-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Integer overflow
EUVDB-ID: #VU95316
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-27833
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in WebKit. A remote attacker can trick the victim to visit a specially crafted data website, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended Security: 12-SP5
SUSE Linux Enterprise Server 12 SP5 LTSS: 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.46.0-4.15.1
libwebkit2gtk3-lang: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.46.0-4.15.1
webkit2gtk-4_0-injected-bundles: before 2.46.0-4.15.1
typelib-1_0-WebKit2-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.46.0-4.15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18: before 2.46.0-4.15.1
webkit2gtk3-debugsource: before 2.46.0-4.15.1
typelib-1_0-JavaScriptCore-4_0: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37: before 2.46.0-4.15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended_security:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2024/suse-su-20243751-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper authentication
EUVDB-ID: #VU89419
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-27834
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in within the webKit component. A remote attacker can bypass pointer authentication.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended Security: 12-SP5
SUSE Linux Enterprise Server 12 SP5 LTSS: 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.46.0-4.15.1
libwebkit2gtk3-lang: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.46.0-4.15.1
webkit2gtk-4_0-injected-bundles: before 2.46.0-4.15.1
typelib-1_0-WebKit2-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.46.0-4.15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18: before 2.46.0-4.15.1
webkit2gtk3-debugsource: before 2.46.0-4.15.1
typelib-1_0-JavaScriptCore-4_0: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37: before 2.46.0-4.15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended_security:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2024/suse-su-20243751-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Information disclosure
EUVDB-ID: #VU95300
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-27838
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in WebKit. A remote attacker can fingerprint website users.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended Security: 12-SP5
SUSE Linux Enterprise Server 12 SP5 LTSS: 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.46.0-4.15.1
libwebkit2gtk3-lang: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.46.0-4.15.1
webkit2gtk-4_0-injected-bundles: before 2.46.0-4.15.1
typelib-1_0-WebKit2-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.46.0-4.15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18: before 2.46.0-4.15.1
webkit2gtk3-debugsource: before 2.46.0-4.15.1
typelib-1_0-JavaScriptCore-4_0: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37: before 2.46.0-4.15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended_security:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2024/suse-su-20243751-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Buffer overflow
EUVDB-ID: #VU95301
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-27851
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended Security: 12-SP5
SUSE Linux Enterprise Server 12 SP5 LTSS: 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.46.0-4.15.1
libwebkit2gtk3-lang: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.46.0-4.15.1
webkit2gtk-4_0-injected-bundles: before 2.46.0-4.15.1
typelib-1_0-WebKit2-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.46.0-4.15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18: before 2.46.0-4.15.1
webkit2gtk3-debugsource: before 2.46.0-4.15.1
typelib-1_0-JavaScriptCore-4_0: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37: before 2.46.0-4.15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended_security:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2024/suse-su-20243751-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Spoofing attack
EUVDB-ID: #VU97349
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-40866
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data in WebKit. A remote attacker can spoof the browser's address bar.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended Security: 12-SP5
SUSE Linux Enterprise Server 12 SP5 LTSS: 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.46.0-4.15.1
libwebkit2gtk3-lang: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.46.0-4.15.1
webkit2gtk-4_0-injected-bundles: before 2.46.0-4.15.1
typelib-1_0-WebKit2-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.46.0-4.15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18: before 2.46.0-4.15.1
webkit2gtk3-debugsource: before 2.46.0-4.15.1
typelib-1_0-JavaScriptCore-4_0: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37: before 2.46.0-4.15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended_security:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2024/suse-su-20243751-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Protection Mechanism Failure
EUVDB-ID: #VU97350
Risk: Low
CVSSv3.1: 3.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-44187
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling "iframe" elements in WebKit. A remote attacker can exfiltrate data cross-origin.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended Security: 12-SP5
SUSE Linux Enterprise Server 12 SP5 LTSS: 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.46.0-4.15.1
libwebkit2gtk3-lang: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.46.0-4.15.1
webkit2gtk-4_0-injected-bundles: before 2.46.0-4.15.1
typelib-1_0-WebKit2-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.46.0-4.15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18: before 2.46.0-4.15.1
webkit2gtk3-debugsource: before 2.46.0-4.15.1
typelib-1_0-JavaScriptCore-4_0: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37: before 2.46.0-4.15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended_security:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2024/suse-su-20243751-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Use-after-free
EUVDB-ID: #VU89232
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-4558
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the ANGLE component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended Security: 12-SP5
SUSE Linux Enterprise Server 12 SP5 LTSS: 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.46.0-4.15.1
libwebkit2gtk3-lang: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.46.0-4.15.1
webkit2gtk-4_0-injected-bundles: before 2.46.0-4.15.1
typelib-1_0-WebKit2-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.46.0-4.15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18: before 2.46.0-4.15.1
webkit2gtk3-debugsource: before 2.46.0-4.15.1
typelib-1_0-JavaScriptCore-4_0: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37: before 2.46.0-4.15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended_security:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2024/suse-su-20243751-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Type confusion
EUVDB-ID: #VU85668
Risk: Critical
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2024-23222
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when processing HTML content. A remote attacker can trick the victim to open a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Update the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended Security: 12-SP5
SUSE Linux Enterprise Server 12 SP5 LTSS: 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.46.0-4.15.1
libwebkit2gtk3-lang: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.46.0-4.15.1
webkit2gtk-4_0-injected-bundles: before 2.46.0-4.15.1
typelib-1_0-WebKit2-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.46.0-4.15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18: before 2.46.0-4.15.1
webkit2gtk3-debugsource: before 2.46.0-4.15.1
typelib-1_0-JavaScriptCore-4_0: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37: before 2.46.0-4.15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended_security:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2024/suse-su-20243751-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
13) Buffer overflow
EUVDB-ID: #VU85665
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-23206
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended Security: 12-SP5
SUSE Linux Enterprise Server 12 SP5 LTSS: 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.46.0-4.15.1
libwebkit2gtk3-lang: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.46.0-4.15.1
webkit2gtk-4_0-injected-bundles: before 2.46.0-4.15.1
typelib-1_0-WebKit2-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.46.0-4.15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.46.0-4.15.1
libjavascriptcoregtk-4_0-18: before 2.46.0-4.15.1
webkit2gtk3-debugsource: before 2.46.0-4.15.1
typelib-1_0-JavaScriptCore-4_0: before 2.46.0-4.15.1
libwebkit2gtk-4_0-37: before 2.46.0-4.15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended_security:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss:12-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2024/suse-su-20243751-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
