
List:       oss-security
Subject:    [oss-security] Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001
From:       Carlos Alberto Lopez Perez <clopez () igalia ! com>
Date:       2022-01-31 18:49:31
Message-ID: c20a5ac6-ec02-88ea-f6d4-713c93373904 () igalia ! com

On 21/01/2022 16:53, Carlos Alberto Lopez Perez wrote:
> CVE-2022-XXXXX
>     Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
>     Credit to Martin Bajanik from fingerprintjs.com.
>     Impact: A malicious website may exfiltrate data cross-origin.
>     Description: A cross-origin issue existed with the IndexedDB. This
>     was addressed with improved checking of security origins. 
>     Notes: There is a public PoC demonstrating this issue at
>     https://safarileaks.com so this issue may have been actively
>     exploited. We still don't know the CVE number that will be assigned
>     to this issue. We will update this advisory once we know it.

The data for the above unknown CVE number is now updated with the info below:

CVE-2022-22594
    Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    Credit to Martin Bajanik of fingerprintjs.com.
    Impact: A website may be able to track sensitive user information.
    Description: A cross-origin issue in the IndexDB API was addressed
    with improved input validation. Notes: There is a public PoC
    demonstrating this issue at safarileaks.com so it may have been
    actively exploited.
