Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Required

Privileges Required

None

Attack Vector

Network

1

CVE-2023-4863

Disclosure Date: September 12, 2023 •

CVE-2023-4863 CVSS v3 Base Score: 8.8

Exploited in the Wild

Reported by inokii
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.8 High

Impact Score:

5.9

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

debian,
fedoraproject,
google,
microsoft,
mozilla,
webmproject

Products

chrome,
debian linux 10.0,
debian linux 11.0,
debian linux 12.0,
edge,
fedora 37,
fedora 38,
fedora 39,
firefox,
firefox esr,
libwebp,
thunderbird

Exploited in the Wild

Reported by:

inokii indicated sources as

Vendor Advisory (https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html)
Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/09/13/cisa-adds-three-known-vulnerabilities-catalog)

Reported: September 20, 2023 3:33pm UTC (7 months ago)

References

Canonical

CVE-2023-4863 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863)

Exploit

The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.

NotEnough (https://github.com/caoweiquan322/NotEnough)

BAD-WEBP-CVE-2023-4863 (https://github.com/talbeerysec/BAD-WEBP-CVE-2023-4863)

Miscellaneous

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html

https://crbug.com/1479274

https://en.bandisoft.com/honeyview/history/

https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/

https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/

https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863

https://security-tracker.debian.org/tracker/CVE-2023-4863

https://bugzilla.suse.com/show_bug.cgi?id=1215231

https://news.ycombinator.com/item?id=37478403

https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks/

https://www.debian.org/security/2023/dsa-5496

https://www.debian.org/security/2023/dsa-5497

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYYKLG6CRGEDTNRBSU26EEWAO6D6U645/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX/

https://lists.debian.org/debian-lts-announce/2023/09/msg00015.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB/

https://www.debian.org/security/2023/dsa-5498

https://security.gentoo.org/glsa/202309-05

https://lists.debian.org/debian-lts-announce/2023/09/msg00016.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT/

https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/

https://github.com/webmproject/libwebp/releases/tag/v1.3.2

https://lists.debian.org/debian-lts-announce/2023/09/msg00017.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/

http://www.openwall.com/lists/oss-security/2023/09/21/4

https://blog.isosceles.com/the-webp-0day/

http://www.openwall.com/lists/oss-security/2023/09/22/1

http://www.openwall.com/lists/oss-security/2023/09/22/3

http://www.openwall.com/lists/oss-security/2023/09/22/4

http://www.openwall.com/lists/oss-security/2023/09/22/5

http://www.openwall.com/lists/oss-security/2023/09/22/8

http://www.openwall.com/lists/oss-security/2023/09/22/7

http://www.openwall.com/lists/oss-security/2023/09/22/6

http://www.openwall.com/lists/oss-security/2023/09/26/1

http://www.openwall.com/lists/oss-security/2023/09/26/7

http://www.openwall.com/lists/oss-security/2023/09/28/1

http://www.openwall.com/lists/oss-security/2023/09/28/2

http://www.openwall.com/lists/oss-security/2023/09/28/4

https://security.netapp.com/advisory/ntap-20230929-0011/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/

https://sethmlarson.dev/security-developer-in-residence-weekly-report-16

https://www.bentley.com/advisories/be-2023-0001/

https://security.gentoo.org/glsa/202401-10

Rapid7

Technical Analysis