Pharos Response to WebP Vulnerability

CVE-2023-4863 

• https://nvd.nist.gov/vuln/detail/CVE-2023-4863  

• https://www.cve.org/CVERecord?id=CVE-2023-4863  

 The vulnerability is rated as “Critical” because it allows a remote attacker to perform an out of bounds memory write via a crafted HTML page. This impacts Chrome, Chromium browsers, and any applications built on them. 

At this time, the NVD has not yet scored this vulnerability, but it is expected to be high. 

This vulnerability also impacts Electron (which uses Chrome), a popular tool used to build cross platform applications. Specifically it impacts versions:

• >=22.0.0 < 22.3.24 

• >=24.0.0 < 24.8.3 

• >=25.0.0 < 25.8.1 

• >=26.0.0 < 26.2.1 

• >=27.0.0-beta.1 < 27.0.0-beta.2  

 A webpage providing an overview of Chrome and WebP impacts can be found here: https://security.snyk.io/vuln/SNYK-JS-ELECTRON-5892810  

Many organizations, including Pharos customers, are urgently investigating where this tool is used and how to update/repair those instances. 

Pharos Software and Electron/WebP

Pharos has reviewed all our software, 3rd party tools/libraries, and internal infrastructure. Pharos  does use Electron, but we DO NOT use any of the impacted versions. 

Pharos is continuing to monitor this situation.