CVE-2024-23206

webkitgtk: A maliciously crafted webpage may be able to fingerprint the user

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

An access issue was addressed with improved access restrictions. This issue is fixed in watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3. A maliciously crafted webpage may be able to fingerprint the user.

Se solucionó un problema de acceso mejorando las restricciones de acceso. Este problema se solucionó en watchOS 10.3, tvOS 17.3, iOS 17.3 y iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 y iPadOS 16.7.5, Safari 17.3. Una página web creada con fines malintencionados puede tomar huellas digitales del usuario.

A vulnerability was found in WebKitGTK. This flaw allows a remote attacker to bypass the security restriction by using a specially crafted malicious website to fingerprint the victim.

This update for webkit2gtk3 fixes the following issues. Fixed processing maliciously crafted web content that may have led to arbitrary code execution. Fixed fingerprint user via maliciously crafted webpages. Fixed processing web content that may have led to arbitrary code execution. Fixed processing web content that may have led to arbitrary code execution. Fixed denial-of-service or potentially disclose memory contents while processing maliciously crafted files. Fixed processing web content that may have led to arbitrary code execution.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-01-12 CVE Reserved
2024-01-23 CVE Published
2025-05-15 CVE Updated
2025-06-13 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (23)

URL	Tag	Source
http://seclists.org/fulldisclosure/2024/Jan/27	Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/33	Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/34	Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/36	Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/39	Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/40	Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/02/05/8
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/US43EQFC2IS66EA2CPAZFH2RQ6WD7PKF
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X2VJMEDT4GL42AQVHSYOT6DIVJDZWIV4
https://support.apple.com/kb/HT214055
https://support.apple.com/kb/HT214056
https://support.apple.com/kb/HT214059
https://support.apple.com/kb/HT214060
https://support.apple.com/kb/HT214061
https://support.apple.com/kb/HT214063

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://support.apple.com/en-us/HT214055	2024-06-12
https://support.apple.com/en-us/HT214056	2024-06-12
https://support.apple.com/en-us/HT214059	2024-06-12
https://support.apple.com/en-us/HT214060	2024-06-12
https://support.apple.com/en-us/HT214061	2024-06-12
https://support.apple.com/en-us/HT214063	2024-06-12
https://access.redhat.com/security/cve/CVE-2024-23206	2024-05-22
https://bugzilla.redhat.com/show_bug.cgi?id=2269743	2024-05-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apple Search vendor "Apple"		Safari Search vendor "Apple" for product "Safari"				< 17.3 Search vendor "Apple" for product "Safari" and version " < 17.3"		-		Affected
Apple Search vendor "Apple"		Ipados Search vendor "Apple" for product "Ipados"				> 16.0 < 16.7.5 Search vendor "Apple" for product "Ipados" and version " > 16.0 < 16.7.5"		-		Affected
Apple Search vendor "Apple"		Ipados Search vendor "Apple" for product "Ipados"				> 17.0 < 17.3 Search vendor "Apple" for product "Ipados" and version " > 17.0 < 17.3"		-		Affected
Apple Search vendor "Apple"		Iphone Os Search vendor "Apple" for product "Iphone Os"				> 16.0 < 16.7.5 Search vendor "Apple" for product "Iphone Os" and version " > 16.0 < 16.7.5"		-		Affected
Apple Search vendor "Apple"		Iphone Os Search vendor "Apple" for product "Iphone Os"				> 17.0 < 17.3 Search vendor "Apple" for product "Iphone Os" and version " > 17.0 < 17.3"		-		Affected
Apple Search vendor "Apple"		Macos Search vendor "Apple" for product "Macos"				< 14.3 Search vendor "Apple" for product "Macos" and version " < 14.3"		-		Affected
Apple Search vendor "Apple"		Tvos Search vendor "Apple" for product "Tvos"				< 17.3 Search vendor "Apple" for product "Tvos" and version " < 17.3"		-		Affected
Apple Search vendor "Apple"		Watchos Search vendor "Apple" for product "Watchos"				< 10.3 Search vendor "Apple" for product "Watchos" and version " < 10.3"		-		Affected