CVE-2023-5217

CVSS v3.1 8.8 (High)
EPSS 30.61 % (97th)
Affected Products 15
Advisories 62

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Weaknesses: CWE-787 (Out-of-bounds Write)
CVE Status: PUBLISHED
CNA: Chrome
Published Date: 2023-09-28 16:15:10 (11 months ago)
Updated Date: 2024-02-15 02:00:01 (7 months ago)

Google Chromium libvpx Heap Buffer Overflow Vulnerability (CISA - Known Exploited Vulnerabilities Catalog)
Description: Google Chromium libvpx contains a heap buffer overflow vulnerability in vp8 encoding that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could impact web browsers using libvpx, including but not limited to Google Chrome.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known to be Used in Ransomware Campaigns: Unknown
Notes: https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html; https://nvd.nist.gov/vuln/detail/CVE-2023-5217
Vendor: Google
Product: Chromium libvpx
In CISA Catalog from: 2023-10-02 (11 months ago)
Due Date: 2023-10-23 (10 months ago)

Affected Products


Configuration #1

AND
    CPE23 From Up To
OR  
  Google Chrome prior 117.0.5938.132 version cpe:2.3:a:google:chrome < 117.0.5938.132
OR  
  Running on/with
  Mozilla Firefox prior 118.0.1 version cpe:2.3:a:mozilla:firefox < 118.0.1
OR  
  Running on/with
  Mozilla Firefox for Android prior 118.1 version cpe:2.3:a:mozilla:firefox::*:*:*:*:android < 118.1
OR  
  Running on/with
  Mozilla Firefox Esr prior 115.3.1 version cpe:2.3:a:mozilla:firefox_esr < 115.3.1
OR  
  Running on/with
  Mozilla Firefox Focus for Android prior 118.1 version cpe:2.3:a:mozilla:firefox_focus::*:*:*:*:android < 118.1
OR  
  Running on/with
  Webmproject Libvpx prior 1.13.1 version cpe:2.3:a:webmproject:libvpx < 1.13.1

Configuration #2

    CPE23 From Up To
  Microsoft Edge 116.0.1938.98 cpe:2.3:a:microsoft:edge:116.0.1938.98
  Microsoft Edge 117.0.2045.47 cpe:2.3:a:microsoft:edge:117.0.2045.47
  Microsoft Edge Chromium 116.0.5845.229 cpe:2.3:a:microsoft:edge_chromium:116.0.5845.229
  Microsoft Edge Chromium 117.0.5938.132 cpe:2.3:a:microsoft:edge_chromium:117.0.5938.132

Configuration #3

    CPE23 From Up To
  Mozilla Firefox prior 118.0.1 version cpe:2.3:a:mozilla:firefox < 118.0.1
  Mozilla Firefox for Android prior 118.1 version cpe:2.3:a:mozilla:firefox::*:*:*:*:android < 118.1
  Mozilla Firefox Esr prior 115.3.1 version cpe:2.3:a:mozilla:firefox_esr < 115.3.1
  Mozilla Firefox Focus for Android prior 118.1 version cpe:2.3:a:mozilla:firefox_focus::*:*:*:*:android < 118.1
  Mozilla Thunderbird prior 115.3.1 version cpe:2.3:a:mozilla:thunderbird < 115.3.1

Configuration #4

    CPE23 From Up To
  Fedoraproject Fedora 37 cpe:2.3:o:fedoraproject:fedora:37
  Fedoraproject Fedora 38 cpe:2.3:o:fedoraproject:fedora:38
  Fedoraproject Fedora 39 cpe:2.3:o:fedoraproject:fedora:39

Configuration #5

    CPE23 From Up To
  Debian Linux 10.0 cpe:2.3:o:debian:debian_linux:10.0
  Debian Linux 11.0 cpe:2.3:o:debian:debian_linux:11.0
  Debian Linux 12.0 cpe:2.3:o:debian:debian_linux:12.0

Configuration #6

    CPE23 From Up To
  Apple Ipad Os from 17.0 version and prior 17.0.3 version cpe:2.3:o:apple:ipad_os >= 17.0 < 17.0.3
  Apple Ipad Os 16.7 cpe:2.3:o:apple:ipad_os:16.7
  Apple Iphone Os from 17.0 version and prior 17.0.3 version cpe:2.3:o:apple:iphone_os >= 17.0 < 17.0.3
  Apple Iphone Os 16.7 cpe:2.3:o:apple:iphone_os:16.7