Vulnerability DatabaseCVE-2023-5217
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-5217
September 28, 2023
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Affected Packages
electron (NPM):
Affected version(s) >=26.0.0 <26.2.4
Fix Suggestion:
Update to version 26.2.4
electron (NPM):
Affected version(s) >=27.0.0-alpha.1 <27.0.0-beta.8
Fix Suggestion:
Update to version 27.0.0-beta.8
electron (NPM):
Affected version(s) >=24.0.0 <24.8.5
Fix Suggestion:
Update to version 24.8.5
electron (NPM):
Affected version(s) >=25.0.0 <25.8.4
Fix Suggestion:
Update to version 25.8.4
electron (NPM):
Affected version(s) >=0.1.0 <22.3.25
Fix Suggestion:
Update to version 22.3.25
Related ResourcesĀ (75)
https://lists.debian.org/debian-lts-announce/2023/09/msg00038.html
https://github.com/webmproject/libvpx/tags
https://github.com/electron/electron/releases/tag/v22.3.25
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/55YVCZNAVY3Y5E4DWPWMX2SPKZ2E5SOV
http://www.openwall.com/lists/oss-security/2023/10/01/5
https://github.com/electron/electron/pull/40022
https://lists.debian.org/debian-lts-announce/2023/10/msg00015.html
https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282
https://github.com/electron/electron/pull/40023
https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
https://security-tracker.debian.org/tracker/CVE-2023-5217
http://seclists.org/fulldisclosure/2023/Oct/12
https://github.com/electron/electron/pull/40026
https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/55YVCZNAVY3Y5E4DWPWMX2SPKZ2E5SOV/
http://www.openwall.com/lists/oss-security/2023/09/30/5
http://www.openwall.com/lists/oss-security/2023/09/29/11
https://github.com/electron/electron/releases/tag/v26.2.4
https://stackdiary.com/google-discloses-a-webm-vp8-bug-tracked-as-cve-2023-5217
https://security.gentoo.org/glsa/202310-04
https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB
https://github.com/electron/electron
http://www.openwall.com/lists/oss-security/2023/09/29/1
http://www.openwall.com/lists/oss-security/2023/09/29/7
http://www.openwall.com/lists/oss-security/2023/09/29/14
http://www.openwall.com/lists/oss-security/2023/10/03/11
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCVSHVX2RFBU3RMCUFSATVQEJUFD4Q63/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/
https://github.com/electron/electron/pull/40024
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWEJYS5NC7KVFYU3OAMPKQDYN6JQGVK6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MFWDFJSSIFKWKNOCTQCFUNZWAXUCSS4
https://bugzilla.redhat.com/show_bug.cgi?id=2241191
https://pastebin.com/TdkC4pDv
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB/
http://www.openwall.com/lists/oss-security/2023/09/28/5
https://github.com/electron/electron/releases/tag/v27.0.0-beta.8
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD/
https://github.com/electron/electron/releases/tag/v24.8.5
http://seclists.org/fulldisclosure/2023/Oct/16
http://www.openwall.com/lists/oss-security/2023/10/01/2
https://support.apple.com/kb/HT213972
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCVSHVX2RFBU3RMCUFSATVQEJUFD4Q63
https://lists.debian.org/debian-lts-announce/2023/10/msg00001.html
http://www.openwall.com/lists/oss-security/2023/10/01/1
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-5217
http://www.openwall.com/lists/oss-security/2023/09/30/3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I
http://www.openwall.com/lists/oss-security/2023/09/30/1
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/
https://github.com/electron/electron/releases/tag/v25.8.4
https://github.com/webmproject/libvpx/releases/tag/v1.13.1
https://support.apple.com/kb/HT213961
https://www.openwall.com/lists/oss-security/2023/09/28/5
https://twitter.com/maddiestone/status/1707163313711497266
https://www.debian.org/security/2023/dsa-5510
http://www.openwall.com/lists/oss-security/2023/09/30/4
https://www.mozilla.org/en-US/security/advisories/mfsa2023-44
http://www.openwall.com/lists/oss-security/2023/09/30/2
https://stackdiary.com/google-discloses-a-webm-vp8-bug-tracked-as-cve-2023-5217/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MFWDFJSSIFKWKNOCTQCFUNZWAXUCSS4/
https://github.com/electron/electron/pull/40025
https://security.gentoo.org/glsa/202401-34
http://www.openwall.com/lists/oss-security/2023/09/29/9
http://www.openwall.com/lists/oss-security/2023/09/28/6
http://www.openwall.com/lists/oss-security/2023/09/29/12
https://www.debian.org/security/2023/dsa-5509
https://nvd.nist.gov/vuln/detail/CVE-2023-5217
http://www.openwall.com/lists/oss-security/2023/09/29/2
http://www.openwall.com/lists/oss-security/2023/10/02/6
https://crbug.com/1486441
https://www.debian.org/security/2023/dsa-5508
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWEJYS5NC7KVFYU3OAMPKQDYN6JQGVK6
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
ATTACKED
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Exploit Maturity
HIGH
Weakness Type (CWE)
Out-of-bounds Write
CWE-787
EPSS
Base Score:
3.52