First published: Fri Apr 21 2023(Updated: )
The WebKitGTK flaw <a href="https://access.redhat.com/security/cve/CVE-2023-28205">CVE-2023-28205</a> (<a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2023-28205 WebKitGTK: use-after-free leads to arbitrary code execution" href="show_bug.cgi?id=2185724">bug 2185724</a>) was addressed in Red Hat Enterprise Linux 8 via erratum RHSA-2023:1919 and in Red Hat Enterprise Linux 9 via erratum RHSA-2023:1918, released on Apr 20, 2023: <a href="https://access.redhat.com/errata/RHSA-2023:1919">https://access.redhat.com/errata/RHSA-2023:1919</a> <a href="https://access.redhat.com/errata/RHSA-2023:1918">https://access.redhat.com/errata/RHSA-2023:1918</a> However, the fix for this issue was not included in the WebKitGTK updates released as part of Red Hat Enterprise Linux 8.8 GA erratum (RHSA-2023:2834) and Red Hat Enterprise Linux 9.2 GA erratum (RHSA-2023:2256), causing a security regression of previously released fix. A new CVE-ID <a href="https://access.redhat.com/security/cve/CVE-2023-2203">CVE-2023-2203</a> was assigned for this security regression. Note that this issue and CVE-ID is specific to the WebKitGTK packages as shipped with Red Hat Enterprise Linux and is not applicable to any upstream WebKitGTK version or WebKitGTK packages of any other vendor that are not directly based on Red Hat Enterprise Linux packages. For more information about the original flaw, refer to the CVE page or bug linked above.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Webkitgtk Webkit2gtk3 | =2.38.5-1.el8 | |
Webkitgtk Webkit2gtk3 | =2.38.5-1.el9 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux | =9.0 | |
Redhat Enterprise Linux Eus | =8.8 | |
Redhat Enterprise Linux Eus | =9.2 | |
Redhat Enterprise Linux Server Aus | =8.8 | |
Redhat Enterprise Linux Server Aus | =9.2 | |
Redhat Enterprise Linux Server Tus | =8.8 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-2203 is a use-after-free vulnerability found in the WebKitGTK package that allows attackers to execute arbitrary code or cause a denial of service.
Versions 2.38.5-1.el8 and 2.38.5-1.el9 of WebKitGTK package, Redhat Enterprise Linux 8.0 and 9.0, and Redhat Enterprise Linux Eus 8.8 and 9.2 are affected by CVE-2023-2203.
CVE-2023-2203 has a severity level of 8.8 (high).
Apply the necessary updates provided by Red Hat through the official Red Hat Security Advisory RHSA-2023:1919.
CVE-2023-2203 is associated with CWE-416 and CWE-20.