{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5217", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2023-09-27T01:52:05.679Z", "datePublished": "2023-09-28T15:23:18.340Z", "dateUpdated": "2024-08-02T07:52:08.351Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "117.0.5938.132", "status": "affected", "lessThan": "117.0.5938.132", "versionType": "custom"}]}, {"vendor": "Google", "product": "libvpx", "versions": [{"version": "1.13.1", "status": "affected", "lessThan": "1.13.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Heap buffer overflow"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2023-09-28T17:20:53.866Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html"}, {"url": "https://crbug.com/1486441"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/28/5"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/28/6"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/1"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/2"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/7"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/9"}, {"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/"}, {"url": "https://security-tracker.debian.org/tracker/CVE-2023-5217"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241191"}, {"url": "https://stackdiary.com/google-discloses-a-webm-vp8-bug-tracked-as-cve-2023-5217/"}, {"url": "https://www.openwall.com/lists/oss-security/2023/09/28/5"}, {"url": "https://pastebin.com/TdkC4pDv"}, {"url": "https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590"}, {"url": "https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282"}, {"url": "https://github.com/webmproject/libvpx/tags"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/11"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/12"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/14"}, {"url": "https://www.debian.org/security/2023/dsa-5510"}, {"url": "https://www.debian.org/security/2023/dsa-5509"}, {"url": "https://www.debian.org/security/2023/dsa-5508"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/30/1"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00038.html"}, {"url": "https://twitter.com/maddiestone/status/1707163313711497266"}, {"url": "https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/"}, {"url": "https://github.com/webmproject/libvpx/releases/tag/v1.13.1"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/30/3"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/30/2"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/30/4"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/30/5"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCVSHVX2RFBU3RMCUFSATVQEJUFD4Q63/"}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/01/2"}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/01/1"}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/01/5"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00001.html"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/55YVCZNAVY3Y5E4DWPWMX2SPKZ2E5SOV/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MFWDFJSSIFKWKNOCTQCFUNZWAXUCSS4/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWEJYS5NC7KVFYU3OAMPKQDYN6JQGVK6/"}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/02/6"}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/03/11"}, {"url": "https://security.gentoo.org/glsa/202310-04"}, {"url": "https://support.apple.com/kb/HT213961"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD/"}, {"url": "http://seclists.org/fulldisclosure/2023/Oct/12"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00015.html"}, {"url": "https://support.apple.com/kb/HT213972"}, {"url": "http://seclists.org/fulldisclosure/2023/Oct/16"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB/"}, {"url": "https://security.gentoo.org/glsa/202401-34"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:52:08.351Z"}, "title": "CVE Program Container", "references": [{"url": "https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html", "tags": ["x_transferred"]}, {"url": "https://crbug.com/1486441", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/28/5", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/28/6", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/1", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/2", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/7", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/9", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/", "tags": ["x_transferred"]}, {"url": "https://security-tracker.debian.org/tracker/CVE-2023-5217", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241191", "tags": ["x_transferred"]}, {"url": "https://stackdiary.com/google-discloses-a-webm-vp8-bug-tracked-as-cve-2023-5217/", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2023/09/28/5", "tags": ["x_transferred"]}, {"url": "https://pastebin.com/TdkC4pDv", "tags": ["x_transferred"]}, {"url": "https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590", "tags": ["x_transferred"]}, {"url": "https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282", "tags": ["x_transferred"]}, {"url": "https://github.com/webmproject/libvpx/tags", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/11", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/12", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/29/14", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5510", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5509", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5508", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/30/1", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00038.html", "tags": ["x_transferred"]}, {"url": "https://twitter.com/maddiestone/status/1707163313711497266", "tags": ["x_transferred"]}, {"url": "https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/", "tags": ["x_transferred"]}, {"url": "https://github.com/webmproject/libvpx/releases/tag/v1.13.1", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/30/3", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/30/2", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/30/4", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/30/5", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCVSHVX2RFBU3RMCUFSATVQEJUFD4Q63/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/01/2", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/01/1", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/01/5", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00001.html", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/55YVCZNAVY3Y5E4DWPWMX2SPKZ2E5SOV/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MFWDFJSSIFKWKNOCTQCFUNZWAXUCSS4/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWEJYS5NC7KVFYU3OAMPKQDYN6JQGVK6/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/02/6", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/03/11", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202310-04", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT213961", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD/", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2023/Oct/12", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00015.html", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT213972", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2023/Oct/16", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202401-34", "tags": ["x_transferred"]}]}]}}

{}

{"cisaActionDue": "2023-10-23", "cisaExploitAdd": "2023-10-02", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Google Chromium libvpx Heap Buffer Overflow Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F840D02-4766-4644-8FD6-637E945E88FB", "versionEndExcluding": "117.0.5938.132", "vulnerable": false}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8EE027E-A8D8-4038-B0C5-3F9ABA3079B6", "versionEndExcluding": "118.0.1", "vulnerable": false}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*", "matchCriteriaId": "C0246068-275F-4D13-93B9-44AD91D2EFFB", "versionEndExcluding": "118.1", "vulnerable": false}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AAF4C02-0ED7-4AEF-BB14-A0A48DAC3B2E", "versionEndExcluding": "115.3.1", "vulnerable": false}, {"criteria": "cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:android:*:*", "matchCriteriaId": "54F53CD4-5766-401B-8333-1B8937112AD0", "versionEndExcluding": "118.1", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:webmproject:libvpx:*:*:*:*:*:*:*:*", "matchCriteriaId": "385F58CC-4AA0-4C41-9394-C9481586689E", "versionEndExcluding": "1.13.1", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:edge:116.0.1938.98:*:*:*:*:*:*:*", "matchCriteriaId": "83749E8D-D4EC-4C5E-B031-8DD4C5C3AA72", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:edge:117.0.2045.47:*:*:*:*:*:*:*", "matchCriteriaId": "39F5AB10-A20E-4B12-863D-9335A6344130", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:edge_chromium:116.0.5845.229:*:*:*:*:*:*:*", "matchCriteriaId": "494B17DA-B40E-4B79-925D-2F439C7A4BCC", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:edge_chromium:117.0.5938.132:*:*:*:*:*:*:*", "matchCriteriaId": "0A1735C0-78BF-4B9C-9EC6-64471C609046", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8EE027E-A8D8-4038-B0C5-3F9ABA3079B6", "versionEndExcluding": "118.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*", "matchCriteriaId": "C0246068-275F-4D13-93B9-44AD91D2EFFB", "versionEndExcluding": "118.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AAF4C02-0ED7-4AEF-BB14-A0A48DAC3B2E", "versionEndExcluding": "115.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:android:*:*", "matchCriteriaId": "54F53CD4-5766-401B-8333-1B8937112AD0", "versionEndExcluding": "118.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "C287FD41-1668-4BA8-9BF5-7C56420F6F38", "versionEndExcluding": "115.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:ipad_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD22C5B0-7113-4F66-AF85-46F9DD0DC6B3", "versionEndExcluding": "17.0.3", "versionStartIncluding": "17.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:ipad_os:16.7:*:*:*:*:*:*:*", "matchCriteriaId": "7DE4E0B0-9E6E-4735-8EFC-81D1F1724FCF", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1D28032-F9E6-45E7-98B6-7CE2351C4C99", "versionEndExcluding": "17.0.3", "versionStartIncluding": "17.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:16.7:*:*:*:*:*:*:*", "matchCriteriaId": "EF582B55-1D2F-4F53-9F3D-DB52F211B600", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}, {"lang": "es", "value": "El desbordamiento del b\u00fafer en la codificaci\u00f3n vp8 en libvpx en Google Chrome anterior a 117.0.5938.132 y libvpx 1.13.1 permit\u00eda a un atacante remoto explotar potencialmente la corrupci\u00f3n del mont\u00f3n a trav\u00e9s de una p\u00e1gina HTML manipulada. (Severidad de seguridad de Chrome: alta)"}], "id": "CVE-2023-5217", "lastModified": "2024-02-15T02:00:01.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-28T16:15:10.980", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2023/Oct/12"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2023/Oct/16"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/28/5"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/28/6"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/29/1"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/29/11"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/29/12"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/29/14"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/29/2"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/29/7"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/29/9"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/30/1"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/30/2"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/30/3"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/30/4"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/30/5"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/10/01/1"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/10/01/2"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/10/01/5"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/10/02/6"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/10/03/11"}, {"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241191"}, {"source": "chrome-cve-admin@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://crbug.com/1486441"}, {"source": "chrome-cve-admin@google.com", "tags": ["Patch"], "url": "https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590"}, {"source": "chrome-cve-admin@google.com", "tags": ["Patch"], "url": "https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282"}, {"source": "chrome-cve-admin@google.com", "tags": ["Release Notes"], "url": "https://github.com/webmproject/libvpx/releases/tag/v1.13.1"}, {"source": "chrome-cve-admin@google.com", "tags": ["Product"], "url": "https://github.com/webmproject/libvpx/tags"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00038.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00001.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00015.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MFWDFJSSIFKWKNOCTQCFUNZWAXUCSS4/"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/55YVCZNAVY3Y5E4DWPWMX2SPKZ2E5SOV/"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD/"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCVSHVX2RFBU3RMCUFSATVQEJUFD4Q63/"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWEJYS5NC7KVFYU3OAMPKQDYN6JQGVK6/"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB/"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"}, {"source": "chrome-cve-admin@google.com", "tags": ["Not Applicable"], "url": "https://pastebin.com/TdkC4pDv"}, {"source": "chrome-cve-admin@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2023-5217"}, {"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202310-04"}, {"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202401-34"}, {"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://stackdiary.com/google-discloses-a-webm-vp8-bug-tracked-as-cve-2023-5217/"}, {"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT213961"}, {"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT213972"}, {"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://twitter.com/maddiestone/status/1707163313711497266"}, {"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5508"}, {"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5509"}, {"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5510"}, {"source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/"}, {"source": "chrome-cve-admin@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2023/09/28/5"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:5475", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:115.3.1-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5477", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:115.3.1-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5428", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:115.3.1-1.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5433", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:115.3.1-1.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5537", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "libvpx-0:1.7.0-10.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-10-09T00:00:00Z"}, {"advisory": "RHSA-2023:5438", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "thunderbird-0:115.3.1-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5440", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "firefox-0:115.3.1-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5535", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "libvpx-0:1.7.0-8.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-10-09T00:00:00Z"}, {"advisory": "RHSA-2023:5426", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:115.3.1-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5432", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:115.3.1-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5534", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "libvpx-0:1.7.0-8.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-10-09T00:00:00Z"}, {"advisory": "RHSA-2023:5426", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "firefox-0:115.3.1-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5432", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "thunderbird-0:115.3.1-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5534", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "libvpx-0:1.7.0-8.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-10-09T00:00:00Z"}, {"advisory": "RHSA-2023:5426", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "firefox-0:115.3.1-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5432", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "thunderbird-0:115.3.1-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5534", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "libvpx-0:1.7.0-8.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-10-09T00:00:00Z"}, {"advisory": "RHSA-2023:5429", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "thunderbird-0:115.3.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5437", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "firefox-0:115.3.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5536", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "libvpx-0:1.7.0-10.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2023-10-09T00:00:00Z"}, {"advisory": "RHSA-2023:5429", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "thunderbird-0:115.3.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5437", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "firefox-0:115.3.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5536", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "libvpx-0:1.7.0-10.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-10-09T00:00:00Z"}, {"advisory": "RHSA-2023:5429", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "thunderbird-0:115.3.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5437", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "firefox-0:115.3.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5536", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "libvpx-0:1.7.0-10.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-10-09T00:00:00Z"}, {"advisory": "RHSA-2023:5430", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "thunderbird-0:115.3.1-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5436", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "firefox-0:115.3.1-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5538", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "libvpx-0:1.7.0-10.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-10-09T00:00:00Z"}, {"advisory": "RHSA-2023:5434", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:115.3.1-1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5435", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:115.3.1-1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5539", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libvpx-0:1.9.0-7.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-10-09T00:00:00Z"}, {"advisory": "RHSA-2023:5427", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "firefox-0:115.3.1-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5439", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "thunderbird-0:115.3.1-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5540", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "libvpx-0:1.9.0-7.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-10-09T00:00:00Z"}], "bugzilla": {"description": "libvpx: Heap buffer overflow in vp8 encoding in libvpx", "id": "2241191", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241191"}, "csaw": true, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-119", "details": ["Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)", "A heap-based buffer overflow flaw was found in the way libvpx, a library used to process VP8 and VP9 video codecs data, processes certain specially formatted video data via a crafted HTML page. This flaw allows an attacker to crash or remotely execute arbitrary code in an application, such as a web browser that is compiled with this library."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-5217", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libvpx", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "libvpx", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox:flatpak/firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird:flatpak/thunderbird", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-09-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-5217\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5217\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2023-44/\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog"], "statement": "This security issue has been classified as having an Important security impact. Desktop users are at a high risk of exploitation of this flaw with very minimal interaction. It may compromise the confidentiality, integrity, or availability of resources.\nCustomers using this application, which does server-side video codecs by linking to the libvpx library, are also potentially impacted by this flaw and are advised to update to the fixed versions of the package.", "threat_severity": "Important", "upstream_fix": "chromium-browser 117.0.5938.132"}