ISN 2024-23: Webkit2GTK Critical Vulnerability
Updated 13 January 2025 (OS 11 fix version)
First published 5 December 2024
CVSS 3.1: 9.2 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A security vulnerability has been found in Webkit2GTK, a web content rendering library used in IGEL OS. This affects the following IGEL products:
IGEL OS 12
IGEL OS 11
Details
It has been discovered that processing maliciously crafted web content in Webkit2GTK may lead to arbitrary code execution (CVE-2024-44308). In addition, malicious content can also be used for a cross-site scripting (XSS) attack (CVE-2024-44309).
These issues are being actively exploited in the wild. IGEL rates them as critical for IGEL OS 12, because Webkit is used there to handle single sign-on (SSO), and as high for OS 11.
Update Instructions
OS 12: Update to the IGEL OS 12 base system app version 12.5.2 when it is available.
OS 11: Update to IGEL OS 11.10.250 (planned for 25 February 2025).
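The following is an added example, not part of the IGEL advisory and not an IGEL tool: it compares deployed IGEL OS versions against the fixed versions named above so that an inventory can be triaged for devices that still need the update. The product labels ("OS 11", "OS 12"), the inventory row format and the hostnames are this example's own assumptions; the fixed version numbers are the ones the advisory gives. The point it illustrates is that a plain string comparison mis-orders versions such as 12.10.0 and 12.5.2, so versions must be compared numerically component by component.

```python
"""Added example (not part of the IGEL advisory): check whether a deployed
IGEL OS version is still exposed to CVE-2024-44308 / CVE-2024-44309 by
comparing it against the fixed versions the advisory names."""
import re

# Fixed versions from the advisory. "12.5.2" is the OS 12 base system app
# version; "11.10.250" is the OS 11 firmware version.
FIXED_VERSIONS = {
    "OS 12": "12.5.2",
    "OS 11": "11.10.250",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version into integers so 12.10.0 sorts after 12.5.2.

    A plain string comparison would get this wrong ("12.10.0" < "12.5.2").
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(product: str, version: str) -> bool:
    """True when the given version predates the advisory's fix for that product.

    The product keys ("OS 11", "OS 12") and the assumption that any version at
    or above the fixed release is patched are this example's own, not IGEL's.
    """
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if is_affected(row[1], row[2])]


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("tc-001", "OS 12", "12.5.1"),
    ("tc-002", "OS 12", "12.5.2"),
    ("tc-003", "OS 12", "12.10.0"),
    ("tc-010", "OS 11", "11.10.249"),
    ("tc-011", "OS 11", "11.10.250"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below fixed version {FIXED_VERSIONS[product]}")
```

Running the module as-is reports tc-001 and tc-010 as still affected; tc-003 is correctly treated as patched even though "12.10.0" sorts before "12.5.2" as a string.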