CVE-2023-5217

dereko · September 28, 2023, 12:36pm

So I’m following the CVE from google that was CVE-2023-4863 regarding webp. It was assigned a new CVE to CVE-2023-5217. So with a change like this with there be a new CVE entry in a content update or just keep referencing the old CVE?

rrobertrice_ivm · September 29, 2023, 11:53am

SInce this is dealing with an entirely new library package, one would think that you would have to track it with the new CVE. But I would also like to know how this will be tracked.

kneser · October 3, 2023, 12:27pm

Hey both!

As rrobertrice_ivm pointed out, this is a new library vulnerability. So we’ve released content for CVE-2023-5217 for libvpx on the 28th of September, as long as you’re on the latest content version (or a version after this date) then you should have CVE-2023-5217 to reference within InsightVM.

CVE-2023-4863 has had some interesting events around the CVEs that were released, but in this case we track libvpx separate to libwebp; they’re considered different vulnerabilities, though they are both out of bounds write (CWE-787) weaknesses.

Hopefully that clears it up, but feel free to let me know if you’ve got follow up questions!

dereko · October 6, 2023, 7:36pm

That definitely helps and I did eventually see the content update in InsightVM.