Author: Natalie_Manusov
Publication Date: 10/4/2023 17:14
FirstSpirit Hotfix-Builds 5.2.230817 (Non-Jakarta) and 5.2.231010 (Jakarta) contain a further security fix for CVE-2023-4863 (Heap Buffer Overflow in WebP):
- JxBrowser update to version 7.35.1 (JxBrowser is used by the integrated preview in SiteArchitect)
The vulnerability is classified as critical. Crownpeak therefore recommends a prompt update to a secured FirstSpirit version.
A “heap buffer overflow” in WebP allowed a remote attacker to perform an out-of-bounds memory write and thus possibly inject malicious code. A manipulated WebP image can therefore lead to code injection.
FirstSpirit versions since 2019.11 are affected.
How can the vulnerability be exploited?
- An editor adds a manipulated WebP image to a project.
- An editor opens an (external) website containing a manipulated WebP in the integrated preview.
What do you have to do?
- (Server) Update to 5.2.230817 / 5.2.231010
- (Client) Update the local browsers
Mitigation without FS Update
- (Server) Prevent uploading of WebP (set appropriate restrictions in the project) or
- (Server) Configure WebP as media type file
- (Client) Disable the integrated preview in SA (JxBrowser)
- (Client) Update the local browsers
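The two server-side mitigations above (block WebP uploads, or store WebP as a plain file so no image decoder touches it) are configured inside the FirstSpirit project; the code below is an added illustration of the same idea at a generic upload gate and is not FirstSpirit or Crownpeak code. It assumes a hypothetical `gate_upload` hook that can inspect the uploaded bytes, and it identifies WebP by its RIFF container signature rather than by file extension, so a renamed `.webp` is still caught. The sample inputs are constructed header-only byte strings, not real images.

```python
"""Content-based WebP gate for an upload pipeline (added example, not FirstSpirit code)."""
import struct

# WebP files are RIFF containers: "RIFF" <u32 LE size> "WEBP" <chunk fourcc> ...
# The first chunk is one of the three WebP bitstream chunk types.
_WEBP_CHUNKS = {b"VP8 ", b"VP8L", b"VP8X"}


def is_webp(data: bytes) -> bool:
    """True if the payload is a WebP image, judged by its bytes rather than its name."""
    if len(data) < 16:
        return False
    return data[:4] == b"RIFF" and data[8:12] == b"WEBP" and data[12:16] in _WEBP_CHUNKS


def gate_upload(data: bytes, policy: str = "block") -> str:
    """Apply one of the two server-side mitigations from the advisory (hypothetical hook).

    policy="block": reject every WebP payload ("prevent uploading of WebP").
    policy="file":  accept it but flag it to be stored as a plain file, so no
                    image decoder processes it ("configure WebP as file").
    Returns "reject", "store_as_file" or "allow"; the file name plays no role.
    """
    if not is_webp(data):
        return "allow"  # not WebP; normal media handling applies
    if policy == "block":
        return "reject"
    if policy == "file":
        return "store_as_file"
    raise ValueError(f"unknown policy {policy!r}")


def make_webp_header(payload_len: int = 10, chunk: bytes = b"VP8 ") -> bytes:
    """Construct a minimal WebP-shaped byte string for testing (constructed, not a decodable image)."""
    body = b"WEBP" + chunk + struct.pack("<I", payload_len) + b"\x00" * payload_len
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    # Constructed sample uploads: the second one hides WebP bytes behind a .png name.
    samples = {
        "banner.webp": make_webp_header(),
        "banner.png": make_webp_header(chunk=b"VP8L"),
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 20,
        "sound.wav": b"RIFF" + struct.pack("<I", 20) + b"WAVEfmt " + b"\x00" * 12,
    }
    for name, blob in samples.items():
        print(f"{name:12s} block={gate_upload(blob, 'block'):14s} file={gate_upload(blob, 'file')}")
```

Checking the container signature instead of the extension matters because an allow-list of media types keyed on file name does not stop a WebP payload that arrives under a different name; the `file` policy mirrors the advisory's second mitigation, where the file is kept but never handed to an image decoder.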
New FirstSpirit versions are available for download.
You need a personal login to access the download folder. Please contact our Technical Support if you do not have a personal login.
Comments
3 comments
How can I prevent uploading of WebP (set appropriate restrictions in the project)?
I'm just aware of the setting to configure the allowed media types.
Is there also a configuration option for forbidden file types?
FirstSpirit allows for configuring the allowed media types, but not the forbidden ones. However, you can set the media type for WebP to be handled as plain files so there will be no image processing.
Thank you for the clarification. So theoretically a solution, but practically useless.