Lucene search

HistoryNov 07, 2023 - 12:00 a.m.

RHEL 9 : webkit2gtk3 (RHSA-2023:6535)

2023-11-0700:00:00

www.tenable.com

rhel 9

webkit2gtk3

multiple vulnerabilities

arbitrary code execution

sensitive user information tracking

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.005

Percentile

75.7%

JSON

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:6535 advisory.

webkitgtk: Memory corruption issue when processing web content (CVE-2022-32885)
webkitgtk: Visiting a website that frames malicious content may lead to UI spoofing. (CVE-2022-32919)
webkitgtk: A website may able to track visited websites in private browsing (CVE-2022-32933)
webkitgtk: Visiting a malicious website may lead to address bar spoofing (CVE-2022-46705)
webkitgtk: Visiting a malicious website may lead to address bar spoofing. (CVE-2022-46725)
webkitgtk: Same Origin Policy bypass via crafted web content (CVE-2023-27932)
webkitgtk: Website may be able to track sensitive user information (CVE-2023-27954)
webkitgtk: use after free vulnerability (CVE-2023-28198)
webkitgtk: content security policy blacklist failure (CVE-2023-32370)
webkitgtk: arbitrary code execution (CVE-2023-32393, CVE-2023-38594, CVE-2023-38595, CVE-2023-38597, CVE-2023-38600, CVE-2023-38611)
webkitgtk: disclose sensitive information (CVE-2023-38133)
webkitgtk: bypass Same Origin Policy (CVE-2023-38572)
webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-38592, CVE-2023-42833)
webkitgtk: track sensitive user information (CVE-2023-38599)
webkitgtk: processing web content may lead to arbitrary code execution (CVE-2023-39434)
webkitgtk: arbitrary javascript code execution (CVE-2023-40397)
webkitgtk: attacker with JavaScript execution may be able to execute arbitrary code (CVE-2023-40451)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2023:6535. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(185146);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/28");

  script_cve_id(
    "CVE-2022-32885",
    "CVE-2022-32919",
    "CVE-2022-32933",
    "CVE-2022-46705",
    "CVE-2022-46725",
    "CVE-2023-27932",
    "CVE-2023-27954",
    "CVE-2023-28198",
    "CVE-2023-32370",
    "CVE-2023-32393",
    "CVE-2023-38133",
    "CVE-2023-38572",
    "CVE-2023-38592",
    "CVE-2023-38594",
    "CVE-2023-38595",
    "CVE-2023-38597",
    "CVE-2023-38599",
    "CVE-2023-38600",
    "CVE-2023-38611",
    "CVE-2023-39434",
    "CVE-2023-40397",
    "CVE-2023-40451",
    "CVE-2023-42833"
  );
  script_xref(name:"RHSA", value:"2023:6535");

  script_name(english:"RHEL 9 : webkit2gtk3 (RHSA-2023:6535)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates for webkit2gtk3.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as
referenced in the RHSA-2023:6535 advisory.

  - webkitgtk: Memory corruption issue when processing web content (CVE-2022-32885)

  - webkitgtk: Visiting a website that frames malicious content may lead to UI spoofing. (CVE-2022-32919)

  - webkitgtk: A website may able to track visited websites in private browsing (CVE-2022-32933)

  - webkitgtk: Visiting a malicious website may lead to address bar spoofing (CVE-2022-46705)

  - webkitgtk: Visiting a malicious website may lead to address bar spoofing. (CVE-2022-46725)

  - webkitgtk: Same Origin Policy bypass via crafted web content (CVE-2023-27932)

  - webkitgtk: Website may be able to track sensitive user information (CVE-2023-27954)

  - webkitgtk: use after free vulnerability (CVE-2023-28198)

  - webkitgtk: content security policy blacklist failure (CVE-2023-32370)

  - webkitgtk: arbitrary code execution (CVE-2023-32393, CVE-2023-38594, CVE-2023-38595, CVE-2023-38597,
    CVE-2023-38600, CVE-2023-38611)

  - webkitgtk: disclose sensitive information (CVE-2023-38133)

  - webkitgtk: bypass Same Origin Policy (CVE-2023-38572)

  - webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-38592, CVE-2023-42833)

  - webkitgtk: track sensitive user information (CVE-2023-38599)

  - webkitgtk: processing web content may lead to arbitrary code execution (CVE-2023-39434)

  - webkitgtk: arbitrary javascript code execution (CVE-2023-40397)

  - webkitgtk: attacker with JavaScript execution may be able to execute arbitrary code (CVE-2023-40451)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.3_release_notes/index
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?619e5320");
  # https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6535.json
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?746b9790");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2023:6535");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/updates/classification/#important");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2176270");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2224608");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2231015");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2231017");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2231018");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2231019");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2231020");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2231021");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2231022");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2231028");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2231043");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2236842");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2236843");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2236844");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2238943");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2238944");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2238945");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2241405");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2241409");
  script_set_attribute(attribute:"solution", value:
"Update the RHEL webkit2gtk3 package based on the guidance in RHSA-2023:6535.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-42833");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-40397");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(1021, 20, 96, 119, 200, 416, 841, 942);
  script_set_attribute(attribute:"vendor_severity", value:"Important");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/03/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/11/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:webkit2gtk3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:webkit2gtk3-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:webkit2gtk3-jsc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:webkit2gtk3-jsc-devel");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '9')) audit(AUDIT_OS_NOT, 'Red Hat 9.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'repo_relative_urls': [
      'content/dist/rhel9/9.1/aarch64/appstream/debug',
      'content/dist/rhel9/9.1/aarch64/appstream/os',
      'content/dist/rhel9/9.1/aarch64/appstream/source/SRPMS',
      'content/dist/rhel9/9.1/ppc64le/appstream/debug',
      'content/dist/rhel9/9.1/ppc64le/appstream/os',
      'content/dist/rhel9/9.1/ppc64le/appstream/source/SRPMS',
      'content/dist/rhel9/9.1/s390x/appstream/debug',
      'content/dist/rhel9/9.1/s390x/appstream/os',
      'content/dist/rhel9/9.1/s390x/appstream/source/SRPMS',
      'content/dist/rhel9/9.1/x86_64/appstream/debug',
      'content/dist/rhel9/9.1/x86_64/appstream/os',
      'content/dist/rhel9/9.1/x86_64/appstream/source/SRPMS',
      'content/dist/rhel9/9.2/aarch64/appstream/debug',
      'content/dist/rhel9/9.2/aarch64/appstream/os',
      'content/dist/rhel9/9.2/aarch64/appstream/source/SRPMS',
      'content/dist/rhel9/9.2/ppc64le/appstream/debug',
      'content/dist/rhel9/9.2/ppc64le/appstream/os',
      'content/dist/rhel9/9.2/ppc64le/appstream/source/SRPMS',
      'content/dist/rhel9/9.2/s390x/appstream/debug',
      'content/dist/rhel9/9.2/s390x/appstream/os',
      'content/dist/rhel9/9.2/s390x/appstream/source/SRPMS',
      'content/dist/rhel9/9.2/x86_64/appstream/debug',
      'content/dist/rhel9/9.2/x86_64/appstream/os',
      'content/dist/rhel9/9.2/x86_64/appstream/source/SRPMS',
      'content/dist/rhel9/9.3/aarch64/appstream/debug',
      'content/dist/rhel9/9.3/aarch64/appstream/os',
      'content/dist/rhel9/9.3/aarch64/appstream/source/SRPMS',
      'content/dist/rhel9/9.3/ppc64le/appstream/debug',
      'content/dist/rhel9/9.3/ppc64le/appstream/os',
      'content/dist/rhel9/9.3/ppc64le/appstream/source/SRPMS',
      'content/dist/rhel9/9.3/s390x/appstream/debug',
      'content/dist/rhel9/9.3/s390x/appstream/os',
      'content/dist/rhel9/9.3/s390x/appstream/source/SRPMS',
      'content/dist/rhel9/9.3/x86_64/appstream/debug',
      'content/dist/rhel9/9.3/x86_64/appstream/os',
      'content/dist/rhel9/9.3/x86_64/appstream/source/SRPMS',
      'content/dist/rhel9/9.4/aarch64/appstream/debug',
      'content/dist/rhel9/9.4/aarch64/appstream/os',
      'content/dist/rhel9/9.4/aarch64/appstream/source/SRPMS',
      'content/dist/rhel9/9.4/ppc64le/appstream/debug',
      'content/dist/rhel9/9.4/ppc64le/appstream/os',
      'content/dist/rhel9/9.4/ppc64le/appstream/source/SRPMS',
      'content/dist/rhel9/9.4/s390x/appstream/debug',
      'content/dist/rhel9/9.4/s390x/appstream/os',
      'content/dist/rhel9/9.4/s390x/appstream/source/SRPMS',
      'content/dist/rhel9/9.4/x86_64/appstream/debug',
      'content/dist/rhel9/9.4/x86_64/appstream/os',
      'content/dist/rhel9/9.4/x86_64/appstream/source/SRPMS',
      'content/dist/rhel9/9/aarch64/appstream/debug',
      'content/dist/rhel9/9/aarch64/appstream/os',
      'content/dist/rhel9/9/aarch64/appstream/source/SRPMS',
      'content/dist/rhel9/9/ppc64le/appstream/debug',
      'content/dist/rhel9/9/ppc64le/appstream/os',
      'content/dist/rhel9/9/ppc64le/appstream/source/SRPMS',
      'content/dist/rhel9/9/s390x/appstream/debug',
      'content/dist/rhel9/9/s390x/appstream/os',
      'content/dist/rhel9/9/s390x/appstream/source/SRPMS',
      'content/dist/rhel9/9/x86_64/appstream/debug',
      'content/dist/rhel9/9/x86_64/appstream/os',
      'content/dist/rhel9/9/x86_64/appstream/source/SRPMS'
    ],
    'pkgs': [
      {'reference':'webkit2gtk3-2.40.5-1.el9', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'webkit2gtk3-devel-2.40.5-1.el9', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'webkit2gtk3-jsc-2.40.5-1.el9', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'webkit2gtk3-jsc-devel-2.40.5-1.el9', 'release':'9', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);

var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];
  foreach var pkg ( constraint_array['pkgs'] ) {
    var reference = NULL;
    var _release = NULL;
    var sp = NULL;
    var _cpu = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var epoch = NULL;
    var allowmaj = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        _release &&
        rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
        (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&
        rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  if (isnull(applicable_repo_urls) || !applicable_repo_urls) extra = rpm_report_get() + redhat_report_repo_caveat();
  else extra = rpm_report_get();
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : extra
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'webkit2gtk3 / webkit2gtk3-devel / webkit2gtk3-jsc / etc');
}

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32885

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32919

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32933

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46705

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46725

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27932

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27954

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28198

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32370

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32393

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38133

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38572

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38592

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38594

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38595

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38597

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38599

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38600

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38611

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39434

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40397

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40451

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42833

www.nessus.org/u?619e5320

www.nessus.org/u?746b9790

access.redhat.com/errata/RHSA-2023:6535

access.redhat.com/security/updates/classification/#important

bugzilla.redhat.com/show_bug.cgi?id=2176270

bugzilla.redhat.com/show_bug.cgi?id=2224608

bugzilla.redhat.com/show_bug.cgi?id=2231015

bugzilla.redhat.com/show_bug.cgi?id=2231017

bugzilla.redhat.com/show_bug.cgi?id=2231018

bugzilla.redhat.com/show_bug.cgi?id=2231019

bugzilla.redhat.com/show_bug.cgi?id=2231020

bugzilla.redhat.com/show_bug.cgi?id=2231021

bugzilla.redhat.com/show_bug.cgi?id=2231022

bugzilla.redhat.com/show_bug.cgi?id=2231028

bugzilla.redhat.com/show_bug.cgi?id=2231043

bugzilla.redhat.com/show_bug.cgi?id=2236842

bugzilla.redhat.com/show_bug.cgi?id=2236843

bugzilla.redhat.com/show_bug.cgi?id=2236844

bugzilla.redhat.com/show_bug.cgi?id=2238943

bugzilla.redhat.com/show_bug.cgi?id=2238944

bugzilla.redhat.com/show_bug.cgi?id=2238945

bugzilla.redhat.com/show_bug.cgi?id=2241405

bugzilla.redhat.com/show_bug.cgi?id=2241409

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.005

Percentile

75.7%

JSON

Related for REDHAT-RHSA-2023-6535.NASL