Anolis OS update for webkit2gtk3
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 24 |
| CVE-ID | CVE-2022-32885 CVE-2023-27932 CVE-2023-27954 CVE-2023-28198 CVE-2023-32370 CVE-2023-32393 CVE-2023-38133 CVE-2023-38572 CVE-2023-38592 CVE-2023-38594 CVE-2023-38595 CVE-2023-38597 CVE-2023-38599 CVE-2023-38600 CVE-2023-38611 CVE-2023-39434 CVE-2023-40397 CVE-2023-40451 CVE-2023-42917 CVE-2022-32919 CVE-2022-32933 CVE-2022-46705 CVE-2022-46725 CVE-2023-42833 |
| CWE-ID | CWE-119 CWE-254 CWE-200 CWE-416 CWE-94 CWE-451 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #19 is being exploited in the wild. |
| Vulnerable software |
Anolis OS Operating systems & Components / Operating system webkit2gtk3-jsc-devel Operating systems & Components / Operating system package or component webkit2gtk3-jsc Operating systems & Components / Operating system package or component webkit2gtk3-devel Operating systems & Components / Operating system package or component webkit2gtk3 Operating systems & Components / Operating system package or component |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 24 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU73806
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-32885
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security features bypass
EUVDB-ID: #VU74085
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-27932
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass Same Origin Policy restrictions.
The vulnerability exists due to improper state management. A remote attacker can trick the victim to visit a specially crafted website and bypass Same Origin Policy restrictions.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU74086
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-27954
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can track sensitive user information.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Use-after-free
EUVDB-ID: #VU78988
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-28198
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Security features bypass
EUVDB-ID: #VU80630
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-32370
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error in WebKit, as Content Security Policy may fail to block domains with wildcards. A remote attacker can bypass implemented CSP restrictions.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Buffer overflow
EUVDB-ID: #VU77845
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-32393
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can trick the victim to open a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Information disclosure
EUVDB-ID: #VU78589
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-38133
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in WebKit Process Model. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Security features bypass
EUVDB-ID: #VU78586
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-38572
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error in WebKit when handling Same Origin Policy. A remote attacker can bypass Same Origin Policy restrictions.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Buffer overflow
EUVDB-ID: #VU78777
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-38592
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit when processing HTML content. A remote attacker can trick the victim to visit a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Buffer overflow
EUVDB-ID: #VU78587
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-38594
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Buffer overflow
EUVDB-ID: #VU78602
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-38595
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Buffer overflow
EUVDB-ID: #VU78588
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-38597
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit Process Model. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Information disclosure
EUVDB-ID: #VU78775
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-38599
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a logic issue in WebKit, related to user's privacy. A remote attacker can sensitive user information.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Buffer overflow
EUVDB-ID: #VU78603
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-38600
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Buffer overflow
EUVDB-ID: #VU78604
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-38611
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Use-after-free
EUVDB-ID: #VU81192
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-39434
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim to open a specially crafted website and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Code Injection
EUVDB-ID: #VU80603
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-40397
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary JavaScript code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can trick the victim to visit a specially crafted webpage and execute arbitrary JavaScript code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Security features bypass
EUVDB-ID: #VU81178
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-40451
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation when enforcing iframe sandboxing in WebKit. A remote attacker can trick the victim to visit a specially crafted website and execute arbitrary code.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Buffer overflow
EUVDB-ID: #VU83606
Risk: Critical
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: CVE-2023-42917
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
20) Spoofing attack
EUVDB-ID: #VU82732
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-32919
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data in WebKit. A remote attacker can spoof page content via an iframe content.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Information disclosure
EUVDB-ID: #VU82725
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-32933
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in WebKit. A remote attacker can track users who visited the website in Safari private browsing mode.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Spoofing attack
EUVDB-ID: #VU70514
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-46705
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of URL in WebKit. A remote attacker can spoof the browser's address bar.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Spoofing attack
EUVDB-ID: #VU78994
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-46725
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of URL in WebKit. A remote attacker can trick the victim to visit a specially crafted web page and spoof the address bar.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Buffer overflow
EUVDB-ID: #VU84766
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-42833
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can trick the victim to visit a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
webkit2gtk3-jsc-devel: before 2.40.5-1.0.1
webkit2gtk3-jsc: before 2.40.5-1.0.1
webkit2gtk3-devel: before 2.40.5-1.0.1
webkit2gtk3: before 2.40.5-1.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-jsc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:webkit2gtk3:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0147
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
