CVE-2020-9948

Published: Oct 16, 2020Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A type confusion issue was addressed with improved memory handling. This issue is fixed in Safari 14.0. Processing maliciously crafted web content may lead to arbitrary code execution.

Affected (3)

Products: Apple: Safari · Webkit: Webkitgtk+ · Debian: Debian Linux

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apple Safari	Before 14.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Webkit Webkitgtk+	Up to 2.30.3

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Related CWEs

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

References (10)

http://seclists.org/fulldisclosure/2020/Nov/18

Source: product-security@apple.com

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2020/11/23/3

Source: product-security@apple.com

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202012-10

Source: product-security@apple.com

Third Party Advisory

https://support.apple.com/HT211845

Source: product-security@apple.com

Release NotesVendor Advisory

https://www.debian.org/security/2020/dsa-4797

Source: product-security@apple.com

Third Party Advisory

http://seclists.org/fulldisclosure/2020/Nov/18