CVE-2023-1999 - OpenCVE

There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Webmproject	Libwebp

Configuration 1 [-]

cpe:2.3:a:webmproject:libwebp:*:*:*:*:*:*:*:*

References

Link	Resource
https://chromium.googlesource.com/webm/libwebp	Product
https://security.gentoo.org/glsa/202309-05

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Google

Published: 2023-06-20T11:28:52.547Z

Updated: 2023-06-20T11:28:52.547Z

Reserved: 2023-04-12T09:40:34.560Z

Link: CVE-2023-1999

JSON object: View

NVD Information

Status : Modified

Published: 2023-06-20T12:15:09.600

Modified: 2023-09-17T09:15:12.183

Link: CVE-2023-1999

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-1999", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2023-04-12T09:40:34.560Z", "datePublished": "2023-06-20T11:28:52.547Z", "dateUpdated": "2023-06-20T11:28:52.547Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://chromium.googlesource.com/webm/libwebp", "defaultStatus": "unaffected", "packageName": "libwebp", "product": "libwebp", "repo": "https://chromium.googlesource.com/", "vendor": "Chromium", "versions": [{"lessThan": "1.3.1", "status": "affected", "version": "0.4.2", "versionType": "custom"}, {"lessThan": "1.3.0-8-ga486d800", "status": "affected", "version": "0.4.2", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "There exists a use after free/double free in libwebp. An attacker can use the <span style=\"background-color: rgb(255, 255, 255);\">ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. </span><br>"}], "value": "There exists a use after free/double free in libwebp. An attacker can use the\u00a0ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.\u00a0\n"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2023-06-20T11:28:52.547Z"}, "references": [{"url": "https://chromium.googlesource.com/webm/libwebp"}, {"url": "https://security.gentoo.org/glsa/202309-05"}], "source": {"discovery": "EXTERNAL"}, "title": "Use after free in libwebp", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webmproject:libwebp:*:*:*:*:*:*:*:*", "matchCriteriaId": "17956DAA-EA1F-40A8-8B19-EFBFDBC36DCA", "versionEndExcluding": "1.3.1", "versionStartIncluding": "0.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "There exists a use after free/double free in libwebp. An attacker can use the\u00a0ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.\u00a0\n"}, {"lang": "es", "value": "Existe un Use After Free/Double Free en libwebp. Un atacante puede usar la funci\u00f3n ApplyFiltersAndEncode() y hacer un bucle para liberar best.bw y asignar best = puntero trial. El segundo bucle devolver\u00e1 0 debido a un error de memoria insuficiente en el codificador VP8, el puntero sigue asignado a trial y el AddressSanitizer intentar\u00e1 un doble free."}], "id": "CVE-2023-1999", "lastModified": "2023-09-17T09:15:12.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2023-06-20T12:15:09.600", "references": [{"source": "cve-coordination@google.com", "tags": ["Product"], "url": "https://chromium.googlesource.com/webm/libwebp"}, {"source": "cve-coordination@google.com", "url": "https://security.gentoo.org/glsa/202309-05"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}, {"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}