CVE-2024-23254: Buffer Overflow
Published Mar 5, 2024
·Updated
A malicious website may exfiltrate audio data cross-origin WebKit Bugzilla: 263795
Credit
Pwn2car, James Lee@@Windowsrcer, Johan Carlsson (joaxcar), an anonymous researcher, Georg Felber, Marco Squarcina, CVE-2024-23235, Xinru Chi(Pangu Lab), CVE-2024-23225, koocola, ali yabuz, Kirin@@Pwnrin, Meysam Firouzi@@R00tkitsmm(Trend Micro Zero Day Initiative), @@08Tc3wBB(Jamf), CVE-2024-23283, Mickey Jin@@patch1t, CVE-2023-48795, CVE-2023-51384, CVE-2023-51385, Pedro Tôrres@@t0rr3sp3dr0, Bohdan Stasiuk@@Bohdan_Stasiuk, Harsh Tyagi, Wojciech Regula(SecuRing), CVE-2024-23296, Lyra Rebane (rebane2001), Matej Rabzelj, CVE-2024-23238, Yiğit Can YILMAZ@@yilmazcanyigit, luckyu@@uuulucky, K宝(Fudan University), LFY@@secsys(Fudan University), Lewis Hardy, Bistrit Dahal, CVE-2024-23241, CVE-2024-23242, Joshua Jewett@@JoshJewett33, Matthew Loewen, Deutsche Telekom Security GmbH sponsored by Bundesamt für Sicherheit in der Informationstechnik, m4yfly with TianGong Team(Legendsec at Qi'anxin Group), Guilherme Rambo(Best Buddy Apps), Csaba Fitzl@@theevilbit(OffSec), CVE-2024-23205, CVE-2022-48554, Junsung Lee(Trend Micro Zero Day Initiative), Zhenjiang Zhao(pangu team), Qianxin(CrowdStrike Counter Adversary Operations), (CrowdStrike Counter Adversary Operations), Amir Bazine(CrowdStrike Counter Adversary Operations), Karsten König(CrowdStrike Counter Adversary Operations), Dohyun Lee@@l33d0hyun, Lyutoon, Mr.R, Murray Mike, Marc Newlin(SkySafe), Patrick Reardon, CVE-2024-23220, Stephan Casas, Brian McNulty, CVE-2024-23291, scj643, Om Kothawade, Cristian Dinca(Computer Science), Romania, anbu1024(SecANT)
Affected Software
22 affected componentsFixes available
ubuntu/webkit2gtk<2.44.0-0ubuntu0.22.04.1
2.44.0-0ubuntu0.22.04.1
ubuntu/webkit2gtk<2.44.0-0ubuntu0.23.10.1
2.44.0-0ubuntu0.23.10.1
ubuntu/webkit2gtk<2.44.0
2.44.0
debian/webkit2gtk<=2.36.4-1~deb10u1, <=2.38.6-0+deb10u1, <=2.42.2-1~deb11u1, <=2.42.2-1~deb12u1
2.44.1-1~deb11u12.44.1-1~deb12u12.44.1-1
debian/wpewebkit<=2.38.6-1~deb11u1, <=2.38.6-1
2.44.1-1
Apple macOS Sonoma<14.4
14.4
Apple tvOS<17.4
17.4
Apple WatchOS<10.4
10.4
Apple visionOS<1.1
1.1
Apple Safari<17.4
17.4
Apple Safari<17.4
Apple Ipad Os<17.4
Apple iPhone OS<17.4
Apple macOS<14.4
Apple tvOS<17.4
Apple visionOS<1.1
Apple WatchOS<10.4
Fedoraproject Fedora=40
WebKitGTK WebKitGTK<2.44.0
wpewebkit WPE WebKit<2.44.0
Apple iOS<17.4
17.4
Apple iPadOS<17.4
17.4
Event History
Mar 5, 2024
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
Weakness
Mar 7, 2024
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Mar 8, 2024
CVE Published
via Ubuntu·12:00 AM
CVE Published
via MITRE·01:36 AM
Data Sourced
via MITRE·01:36 AM
DescriptionWeakness
Data Sourced
via NVD·02:15 AM
Description
Data Sourced
via NVD·02:15 AM
SeverityAffected Software
Mar 19, 2024
Data Sourced
via Red Hat·12:47 PM
DescriptionSeverityAffected Software
Apr 15, 2024
Data Sourced
via Launchpad·05:59 PM
Description
Frequently Asked Questions
1
What is the severity of CVE-2024-23254?
CVE-2024-23254 is considered a medium severity vulnerability due to its potential to exfiltrate audio data from a malicious website.
2
How do I fix CVE-2024-23254?
To fix CVE-2024-23254, update your Apple devices to tvOS 17.4, macOS Sonoma 14.4, iOS 17.4, iPadOS 17.4, watchOS 10.4, visionOS 1.1, or Safari 17.4.
3
Which software versions are affected by CVE-2024-23254?
CVE-2024-23254 affects multiple versions including earlier versions of Safari, macOS, iOS, watchOS, tvOS, and webkit2gtk prior to their respective fixed versions.
4
What kind of data can be exfiltrated due to CVE-2024-23254?
CVE-2024-23254 allows a malicious website to exfiltrate audio data across origins.
5
Is CVE-2024-23254 a critical vulnerability?
CVE-2024-23254 is not classified as critical but poses significant risks due to the potential data exfiltration capabilities.