WebP Codec's heap buffer overflow vulnerability (CVE-2023-4863)

Hi Team,
Has anyone found WebP Codec's heap buffer overflow vulnerability (CVE-2023-4863) in the Ansible version?

Hi @Santheerdas , that CVE-2023-4863 seems to be affecting browsers.

The Ansible projects are not affected by this.

2 Likes

It does not only affect browsers, but every program that includes/uses libwebp (more info). Ansible itself does not use this library directly. The only way Ansible could in theory be affected is if a) this library is used by Python itself, b) you installed some other Python library that contains a compiled version of libwebp, or c) you are using an Ansible collection that includes binary content that includes the code from libwebp. A potential Python library using libwebp could be Pillow (it does use libwebp). So if you installed Pillow for whatever reason (I'm not aware of any Ansible content using it), you might want to look at that one.

In any case, Ansible directly should not be affected, but you will want to look at the Python libraries you installed and watch out for updates for these.

2 Likes
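The reply above leaves the reader with a manual task: find out whether any Python package in the Ansible control node's environment ships its own libwebp. The script below is an added example for this thread, not Ansible code or anything posted by the participants. It does the two checks the reply suggests: it walks site-packages for shared-library files whose name marks them as libwebp (wheels such as Pillow's bundle it under names like `libwebp-<hash>.so.7.x.y`), and, if Pillow is importable, asks `PIL.features.version("webp")` which libwebp it was built against and compares that to 1.3.2, the upstream release that fixed CVE-2023-4863. The sample paths inside the demo function are constructed, not taken from a real machine.

```python
"""Look for copies of libwebp inside a Python environment.

Added example for the forum thread above; not part of Ansible or Pillow.
Two checks: (1) scan site-packages for libwebp shared-library files that
wheels bundle, (2) ask Pillow, if installed, which libwebp version it was
built against and compare it with the fixed release.
"""
import os
import re
import sysconfig
from typing import Iterable, List, Optional, Tuple

# libwebp 1.3.2 is the upstream release that closed CVE-2023-4863.
FIXED_LIBWEBP: Tuple[int, ...] = (1, 3, 2)

# Matches libwebp, libwebpdemux, libwebpmux, libwebpdecoder in the usual
# shared-library spellings, including auditwheel-mangled names such as
# "libwebp-8e9ac0e5.so.7.1.8". Statically linked copies (e.g. inside a
# "_webp*.pyd" extension) will NOT show up here; see pillow_webp_version().
_LIBWEBP_NAME = re.compile(r"^libwebp.*\.(?:so(?:\.\d+)*|dylib|dll)$", re.IGNORECASE)


def match_libwebp_names(paths: Iterable[str]) -> List[str]:
    """Return, sorted, the paths whose basename looks like a libwebp shared library."""
    return sorted(p for p in paths if _LIBWEBP_NAME.match(os.path.basename(p)))


def find_libwebp_files(roots: Iterable[str]) -> List[str]:
    """Walk each existing root directory and collect libwebp-looking files."""
    found: List[str] = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _dirs, files in os.walk(root):
            found.extend(match_libwebp_names(os.path.join(dirpath, f) for f in files))
    return sorted(set(found))


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.3.2' -> (1, 3, 2); parsing stops at the first non-numeric component."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_fixed(version: str) -> bool:
    """True when the libwebp version string is at or above the 1.3.2 fix."""
    return parse_version(version) >= FIXED_LIBWEBP


def pillow_webp_version() -> Optional[str]:
    """libwebp version Pillow reports, or None if Pillow is absent or too old to say."""
    try:
        from PIL import features  # Pillow >= 8 exposes features.version()
        return features.version("webp")
    except Exception:  # ImportError, or a Pillow without features.version
        return None


def site_package_roots() -> List[str]:
    """Pure- and platform-specific site-packages directories of this interpreter."""
    paths = sysconfig.get_paths()
    return sorted({paths[k] for k in ("purelib", "platlib") if k in paths})


def demo_match() -> List[str]:
    """Run the name matcher over constructed sample paths (not from a real host)."""
    sample = [
        "/venv/lib/python3.11/site-packages/PIL.libs/libwebp-8e9ac0e5.so.7.1.8",
        "/venv/lib/python3.11/site-packages/PIL.libs/libwebpdemux-9b1c2d3e.so.2.0.14",
        "/venv/lib/python3.11/site-packages/PIL/_webp.cpython-311-x86_64-linux-gnu.so",
        "/venv/lib/python3.11/site-packages/PIL/.dylibs/libwebpmux.3.dylib",
        "/venv/lib/python3.11/site-packages/somepkg/libwebp.dll",
        "/venv/lib/python3.11/site-packages/libwebp_notes.txt",
    ]
    return match_libwebp_names(sample)


def main() -> None:
    for path in find_libwebp_files(site_package_roots()):
        print("bundled libwebp file:", path)
    ver = pillow_webp_version()
    if ver is None:
        print("Pillow not installed (or it does not report a libwebp version)")
    else:
        status = "fixed" if is_fixed(ver) else "VULNERABLE to CVE-2023-4863"
        print(f"Pillow's libwebp: {ver} ({status})")


if __name__ == "__main__":
    main()
```

Run it with the same interpreter that runs `ansible-playbook` (for example `python3 -m venv` environments or the system Python), because each environment carries its own site-packages. A hit from the file scan tells you a copy of libwebp is present, not which version it is; the Pillow check is the one that gives a version to compare, and on platforms where the wheel links libwebp statically it is the only one of the two that will report anything. Other packages that bundle libwebp (imaging or OpenCV-style wheels) need their own version query; the file scan at least tells you where to look.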