CVE-2024-23280: Buffer Overflow
Published Mar 5, 2024
·Updated
A maliciously crafted webpage may be able to fingerprint the user. WebKit Bugzilla: 266703
Credit
Pwn2car, James Lee@@Windowsrcer, Johan Carlsson (joaxcar), an anonymous researcher, Georg Felber, Marco Squarcina, CVE-2024-23235, Xinru Chi(Pangu Lab), CVE-2024-23225, koocola, ali yabuz, Kirin@@Pwnrin, Meysam Firouzi@@R00tkitsmm(Trend Micro Zero Day Initiative), @@08Tc3wBB(Jamf), CVE-2024-23283, Mickey Jin@@patch1t, CVE-2023-48795, CVE-2023-51384, CVE-2023-51385, Pedro Tôrres@@t0rr3sp3dr0, Bohdan Stasiuk@@Bohdan_Stasiuk, Harsh Tyagi, Wojciech Regula(SecuRing), CVE-2024-23296, Lyra Rebane (rebane2001), Matej Rabzelj, CVE-2024-23238, Yiğit Can YILMAZ@@yilmazcanyigit, luckyu@@uuulucky, K宝(Fudan University), LFY@@secsys(Fudan University), Lewis Hardy, Bistrit Dahal, CVE-2024-23241, CVE-2024-23242, Joshua Jewett@@JoshJewett33, Matthew Loewen, Deutsche Telekom Security GmbH sponsored by Bundesamt für Sicherheit in der Informationstechnik, m4yfly with TianGong Team(Legendsec at Qi'anxin Group), Guilherme Rambo(Best Buddy Apps), Csaba Fitzl@@theevilbit(OffSec), CVE-2024-23205, CVE-2022-48554, Junsung Lee(Trend Micro Zero Day Initiative), Zhenjiang Zhao(pangu team), Qianxin(CrowdStrike Counter Adversary Operations), (CrowdStrike Counter Adversary Operations), Amir Bazine(CrowdStrike Counter Adversary Operations), Karsten König(CrowdStrike Counter Adversary Operations), Dohyun Lee@@l33d0hyun, Lyutoon, Mr.R, Murray Mike, Marc Newlin(SkySafe), Stephan Casas, Brian McNulty, CVE-2024-23291, scj643, CVE-2024-23220, Om Kothawade, Cristian Dinca(Computer Science), Romania, anbu1024(SecANT)
Affected Software
22 affected componentsFixes available
ubuntu/webkit2gtk<2.44.0-0ubuntu0.22.04.1
2.44.0-0ubuntu0.22.04.1
ubuntu/webkit2gtk<2.44.0-0ubuntu0.23.10.1
2.44.0-0ubuntu0.23.10.1
ubuntu/webkit2gtk<2.44.0
2.44.0
debian/webkit2gtk<=2.36.4-1~deb10u1, <=2.38.6-0+deb10u1, <=2.42.2-1~deb11u1, <=2.42.2-1~deb12u1
2.44.1-1~deb11u12.44.1-1~deb12u12.44.1-1
debian/wpewebkit<=2.38.6-1~deb11u1, <=2.38.6-1
2.44.1-1
Apple macOS Sonoma<14.4
14.4
Apple tvOS<17.4
17.4
Apple WatchOS<10.4
10.4
Apple Safari<17.4
17.4
Apple Safari<17.4
Apple Ipad Os<17.4
Apple iPhone OS<17.4
Apple macOS>=14.0<14.4
Apple tvOS<17.4
Apple WatchOS<10.4
Fedoraproject Fedora=38
Fedoraproject Fedora=39
Fedoraproject Fedora=40
WebKitGTK WebKitGTK<2.44.0
wpewebkit WPE WebKit<2.44.0
Apple iOS<17.4
17.4
Apple iPadOS<17.4
17.4
Event History
Mar 5, 2024
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
Weakness
Mar 7, 2024
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Mar 8, 2024
CVE Published
via Ubuntu·12:00 AM
CVE Published
via MITRE·01:36 AM
Data Sourced
via MITRE·01:36 AM
DescriptionWeakness
Data Sourced
via NVD·02:15 AM
Description
Data Sourced
via NVD·02:15 AM
SeverityWeaknessAffected Software
Mar 19, 2024
Data Sourced
via Red Hat·12:47 PM
DescriptionSeverityAffected Software
May 1, 2024
Data Sourced
via Launchpad·06:02 PM
Description
Frequently Asked Questions
1
What is the severity of CVE-2024-23280?
CVE-2024-23280 has been classified as a high severity vulnerability due to its potential to allow fingerprinting of users through maliciously crafted webpages.
2
How do I fix CVE-2024-23280?
To fix CVE-2024-23280, update to the latest versions of affected products, including Safari 17.4, macOS Sonoma 14.4, iOS 17.4, and iPadOS 17.4.
3
Which software is affected by CVE-2024-23280?
CVE-2024-23280 affects multiple software, including Safari, macOS, iOS, iPadOS, watchOS, and packages like webkit2gtk and wpewebkit on various Linux distributions.
4
What type of issue is addressed by CVE-2024-23280?
CVE-2024-23280 addresses an injection issue with improved validation to prevent malicious exploitation.
5
Is there a workaround for CVE-2024-23280?
There are no documented workarounds for CVE-2024-23280; the best course of action is to apply the provided updates immediately.