Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001
- From: Carlos Alberto Lopez Perez <clopez igalia com>
- To: webkit-gtk lists webkit org, webkit-wpe lists webkit org
- Cc: security webkit org, distributor-list gnome org, oss-security lists openwall com, bugtraq securityfocus com
- Subject: Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001
- Date: Mon, 31 Jan 2022 18:49:31 +0000
On 21/01/2022 16:53, Carlos Alberto Lopez Perez wrote:
> CVE-2022-XXXXX
> Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
> Credit to Martin Bajanik from fingerprintjs.com.
> Impact: A malicious website may exfiltrate data cross-origin.
> Description: A cross-origin issue existed with the IndexedDB. This
> was addressed with improved checking of security origins.
> Notes: There is a public PoC demonstrating this issue at
> https://safarileaks.com so this issue may have been actively
> exploited. We still don't know the CVE number that will be assigned
> to this issue. We will update this advisory once we know it.
The data for the above unknown CVE number is now updated with the info below:
CVE-2022-22594
Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
Credit to Martin Bajanik of fingerprintjs.com.
Impact: A website may be able to track sensitive user information.
Description: A cross-origin issue in the IndexDB API was addressed
with improved input validation.
Notes: There is a public PoC demonstrating this issue at
safarileaks.com so it may have been actively exploited.