ISN 2024-23: Webkit2GTK Critical Vulnerability

Updated 13 January 2025 (OS 11 fix version)

First published 5 December 2024

CVSS 3.1: 9.2 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

A security vulnerability has been found in Webkit2GTK, a web content rendering library used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12

  • IGEL OS 11

Details

It has been discovered that processing maliciously crafted web content in Webkit2GTK may lead to arbitrary code execution (CVE-2024-44308). Malicious content can also be used for a cross-site scripting (XSS) attack (CVE-2024-44309).

These issues are being actively exploited in the wild. IGEL rates them as critical for IGEL OS 12, where Webkit is used to handle single sign-on (SSO), and as high for IGEL OS 11.

Update Instructions

  • OS 12: Update to the IGEL OS 12 base system app version 12.5.2 when it is available.

  • OS 11: Update to IGEL OS 11.10.250 (planned for 25 February 2025).

References