Vulnerability description:
CVE-2023-4863 is a critical heap buffer overflow vulnerability in WebP, a raster graphics file format that replaces the JPEG, PNG, and GIF file formats.
Buffer overflows can cause crashes and infinite loops, and can be used to execute arbitrary code.
Impact of the vulnerability:
The vulnerability can be used for remote code execution and has been exploited in the wild. The WebP image processing component is maintained and open-sourced by Google and is widely used in mobile, PC, and server-side image processing scenarios. Affected software includes most browsers (Chrome, Firefox, Brave, Tor Browser, etc.), many Linux distributions (Ubuntu, Debian, Gentoo, SUSE, etc.), password managers (1Password, BitWarden, etc.) and other software (MS Teams, Slack, Telegram, Signal, Basecamp, Discord, GitHub Desktop, etc.).
Impact version:
libwebp <= 0.5 and < 1.3.2
chromium/chrome < 116.0.5845.187
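One way to check a software inventory against the versions listed above; this is an added example, not code from the original article or from the libwebp or Chromium projects. It applies only the upper bounds given here (libwebp 1.3.2, Chrome/Chromium 116.0.5845.187), and the function names, status labels and sample inventory are assumptions made for illustration.

```python
import re

# Fixed versions from the "Impact version" list on this page (upper bounds only).
FIXED = {
    "libwebp": (1, 3, 2),
    "chrome": (116, 0, 5845, 187),
    "chromium": (116, 0, 5845, 187),
}
# Optional epoch ("1:"), dotted numeric upstream version, then any packaging suffix.
VERSION_RE = re.compile(r"^\s*(?:\d+:)?v?(\d+(?:\.\d+)*)(.*)$")


def assess(product, version):
    """Return 'fixed', 'vulnerable', 'review' or 'unknown' for one entry."""
    fixed = FIXED.get(product.lower())
    match = VERSION_RE.match(version)
    if fixed is None or match is None:
        return "unknown"
    found = tuple(int(part) for part in match.group(1).split("."))
    # Pad both tuples so "1.3" compares as 1.3.0, and compare numerically:
    # as plain strings "116.0.5845.96" would sort after "116.0.5845.187".
    width = max(len(found), len(fixed))
    found += (0,) * (width - len(found))
    target = fixed + (0,) * (width - len(fixed))
    if found >= target:
        return "fixed"
    # A packaging suffix marks a distribution build, which may carry a
    # backported fix: confirm against the distribution's own advisory.
    return "review" if match.group(2).strip() else "vulnerable"


def scan(inventory):
    """Return (host, product, version, status) for entries that are not fixed."""
    rows = [(h, p, v, assess(p, v)) for h, p, v in inventory]
    return [row for row in rows if row[3] != "fixed"]


# Constructed sample inventory (hosts, versions and suffix are made up).
SAMPLE = [
    ("ws-01", "chrome", "116.0.5845.96"),
    ("ws-02", "chrome", "116.0.5845.187"),
    ("srv-01", "libwebp", "1.3.1"),
    ("srv-02", "libwebp", "1.2.4-1+distro1"),
    ("srv-03", "libwebp", "1.3.2"),
]

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(*row)
```

Applications that bundle their own copy of libwebp do not show up in a package inventory, so they have to be checked by the application's own version.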
Vulnerability verification:
https://github.com/mistymntncop/CVE-2023-4863
Vulnerability reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html?m=1
Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/webp-codec-library-vulnerability-html