oss-sec mailing list archives
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001
From: Carlos Alberto Lopez Perez <clopez () igalia com>
Date: Mon, 31 Jan 2022 18:49:31 +0000
On 21/01/2022 16:53, Carlos Alberto Lopez Perez wrote:
CVE-2022-XXXXX Versions affected: WebKitGTK and WPE WebKit before 2.34.4. Credit to Martin Bajanik from fingerprintjs.com. Impact: A malicious website may exfiltrate data cross-origin. Description: A cross-origin issue existed with the IndexedDB. This was addressed with improved checking of security origins. Notes: There is a public PoC demonstrating this issue at https://safarileaks.com so this issue may have been actively exploited. We still don't know the CVE number that will be assigned to this issue. We will update this advisory once we know it.
The data for the above unknown CVE number is now updated with the info below: CVE-2022-22594 Versions affected: WebKitGTK and WPE WebKit before 2.34.4. Credit to Martin Bajanik of fingerprintjs.com. Impact: A website may be able to track sensitive user information. Description: A cross-origin issue in the IndexDB API was addressed with improved input validation. Notes: There is a public PoC demonstrating this issue at safarileaks.com so it may have been actively exploited.
Current thread:
- WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Carlos Alberto Lopez Perez (Jan 21)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 John Helmert III (Jan 23)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Leo Famulari (Jan 24)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 John Helmert III (Jan 24)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Leo Famulari (Jan 29)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Sam James (Jan 30)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Leo Famulari (Jan 24)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 John Helmert III (Jan 23)