GHSA-pv36-h7jh-qm62

Source

https://github.com/advisories/GHSA-pv36-h7jh-qm62

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-pv36-h7jh-qm62/GHSA-pv36-h7jh-qm62.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pv36-h7jh-qm62

Aliases

Published

2020-10-27T19:47:38Z

Modified

2024-08-07T19:29:57.655551Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Heap buffer overflow in CefSharp

Details

Impact

A memory corruption bug(Heap overflow) in the FreeType font rendering library.

This can be exploited by attackers to execute arbitrary code by using specially crafted fonts with embedded PNG images .

As per https://www.secpod.com/blog/chrome-zero-day-under-active-exploitation-patch-now/

Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild.

Patches

Upgrade to 85.3.130 or higher

References

https://www.secpod.com/blog/chrome-zero-day-under-active-exploitation-patch-now/
https://www.zdnet.com/article/google-releases-chrome-security-update-to-patch-actively-exploited-zero-day/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
https://magpcss.org/ceforum/viewtopic.php?f=10&t=17942

To review the CEF/Chromium patch see https://bitbucket.org/chromiumembedded/cef/commits/cd6cbe008b127990036945fb75e7c2c1594ab10d

References

Affected packages

NuGet / CefSharp.Common

Package

Name: CefSharp.Common; View open source insights on deps.dev
Purl: pkg:nuget/CefSharp.Common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

85.3.130

Affected versions

31.*

31.0.0-pre1

33.*

33.0.0

33.0.2

33.1.0-pre01

37.*

37.0.0-pre01

37.0.0-pre02

37.0.0

37.0.1

37.0.2

37.0.3

39.*

39.0.0-pre01

39.0.0-pre02

39.0.0-pre03

39.0.0

39.0.1

39.0.2

41.*

41.0.0-pre01

41.0.0

41.0.1

43.*

43.0.0-pre01

43.0.0-pre02

43.0.0

43.0.1

45.*

45.0.0-pre01

45.0.0

47.*

47.0.0-pre01

47.0.0

47.0.1

47.0.2

47.0.3

47.0.4

49.*

49.0.0-pre01

49.0.0-pre02

49.0.0

49.0.1

51.*

51.0.0-pre01

51.0.0-pre02

51.0.0

53.*

53.0.0-pre01

53.0.0

53.0.1

55.*

55.0.0-pre01

55.0.0

57.*

57.0.0-pre01

57.0.0

62.*

62.0.0-pre01

62.0.0-proprietary-codecs

62.0.0-proprietary-codecs2

63.*

63.0.0-pre01

63.0.0-pre02

63.0.0-pre03

63.0.0

63.0.1

63.0.2

63.0.3

65.*

65.0.0-pre01

65.0.0-pre02

65.0.0

65.0.1

67.*

67.0.0-pre01

67.0.0

69.*

69.0.0-pre01

69.0.0

71.*

71.0.0-pre01

71.0.0

71.0.1

71.0.2

73.*

73.1.120-pre01

73.1.130

75.*

75.1.140-pre01

75.1.141

75.1.142

75.1.143

79.*

79.1.310-pre

79.1.350

79.1.360

81.*

81.3.20-pre

81.3.100

83.*

83.3.120-pre

83.4.20

84.*

84.3.10-pre

84.4.10

85.*

85.3.120-pre

85.3.121-pre

85.3.121

NuGet / CefSharp.Wpf

Package

Name: CefSharp.Wpf; View open source insights on deps.dev
Purl: pkg:nuget/CefSharp.Wpf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

85.3.130

Affected versions

1.*

1.25.2-perlun0

1.25.3

1.25.4

1.25.5

1.25.6

1.25.7

1.25.8

3.*

3.29.0-pre0

31.*

31.0.0-pre1

33.*

33.0.0

33.0.2

33.1.0-pre01

37.*

37.0.0-pre01

37.0.0-pre02

37.0.0

37.0.1

37.0.3

39.*

39.0.0-pre01

39.0.0-pre02

39.0.0-pre03

39.0.0

39.0.1

39.0.2

41.*

41.0.0-pre01

41.0.0

41.0.1

43.*

43.0.0-pre01

43.0.0-pre02

43.0.0

43.0.1

45.*

45.0.0-pre01

45.0.0

47.*

47.0.0-pre01

47.0.0

47.0.1

47.0.2

47.0.3

47.0.4

49.*

49.0.0-pre01

49.0.0-pre02

49.0.0

49.0.1

51.*

51.0.0-pre01

51.0.0-pre02

51.0.0

53.*

53.0.0-pre01

53.0.0

53.0.1

55.*

55.0.0-pre01

55.0.0

57.*

57.0.0-pre01

57.0.0

62.*

62.0.0-pre01

62.0.0-proprietary-codecs

62.0.0-proprietary-codecs2

63.*

63.0.0-pre01

63.0.0-pre02

63.0.0-pre03

63.0.0

63.0.1

63.0.2

63.0.3

65.*

65.0.0-pre01

65.0.0-pre02

65.0.0

65.0.1

67.*

67.0.0-pre01

67.0.0

69.*

69.0.0-pre01

69.0.0

71.*

71.0.0-pre01

71.0.0

71.0.1

71.0.2

73.*

73.1.120-pre01

73.1.130

75.*

75.1.140-pre01

75.1.141

75.1.142

75.1.143

79.*

79.1.310-pre

79.1.350

79.1.360

81.*

81.3.20-pre

81.3.100

83.*

83.3.120-pre

83.4.20

84.*

84.3.10-pre

84.4.10

85.*

85.3.120-pre

85.3.121-pre

85.3.121

NuGet / CefSharp.WinForms

Package

Name: CefSharp.WinForms; View open source insights on deps.dev
Purl: pkg:nuget/CefSharp.WinForms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

85.3.130

Affected versions

1.*

1.25.3

33.*

33.0.0

33.0.2

33.1.0-pre01

37.*

37.0.0-pre01

37.0.0-pre02

37.0.0

37.0.1

37.0.3

39.*

39.0.0-pre01

39.0.0-pre02

39.0.0-pre03

39.0.0

39.0.1

39.0.2

41.*

41.0.0-pre01

41.0.0

41.0.1

43.*

43.0.0-pre01

43.0.0-pre02

43.0.0

43.0.1

45.*

45.0.0-pre01

45.0.0

47.*

47.0.0-pre01

47.0.0

47.0.1

47.0.2

47.0.3

47.0.4

49.*

49.0.0-pre01

49.0.0-pre02

49.0.0

49.0.1

51.*

51.0.0-pre01

51.0.0-pre02

51.0.0

53.*

53.0.0-pre01

53.0.0

53.0.1

55.*

55.0.0-pre01

55.0.0

57.*

57.0.0-pre01

57.0.0

62.*

62.0.0-pre01

62.0.0-proprietary-codecs

62.0.0-proprietary-codecs2

63.*

63.0.0-pre01

63.0.0-pre02

63.0.0-pre03

63.0.0

63.0.1

63.0.2

63.0.3

65.*

65.0.0-pre01

65.0.0-pre02

65.0.0

65.0.1

67.*

67.0.0-pre01

67.0.0

69.*

69.0.0-pre01

69.0.0

71.*

71.0.0-pre01

71.0.0

71.0.1

71.0.2

73.*

73.1.120-pre01

73.1.130

75.*

75.1.140-pre01

75.1.141

75.1.142

75.1.143

79.*

79.1.310-pre

79.1.350

79.1.360

81.*

81.3.20-pre

81.3.100

83.*

83.3.120-pre

83.4.20

84.*

84.3.10-pre

84.4.10

85.*

85.3.120-pre

85.3.121-pre

85.3.121

NuGet / CefSharp.Wpf.HwndHost

Package

Name: CefSharp.Wpf.HwndHost; View open source insights on deps.dev
Purl: pkg:nuget/CefSharp.Wpf.HwndHost

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

85.3.130

Affected versions

83.*

83.4.20-pre

84.*

84.4.10

85.*

85.3.121