
BE-2023-0001: Seequent LeapFrog WebP Heap-Based Buffer Overflow Vulnerability

Bentley ID: BE-2023-0001
CVE ID: CVE-2023-4863
Severity: 8.0 (High)
CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Publication date: 2023-10-27
Revision date: 2023-10-27

Summary
LeapFrog applications may be affected by a heap-based buffer overflow vulnerability when opening maliciously crafted WebP files. Exploiting this vulnerability could lead to information disclosure or arbitrary code execution.

Details
Opening a WebP file that contains maliciously crafted data with an affected version of a LeapFrog application can force a heap-based buffer overflow in the libwebp library used by the application. The overflow is triggered while the WebP file is being parsed; it gives an attacker an out-of-bounds memory write and may lead to code execution in the context of the current process.

Affected Versions

Application           Affected Versions              Mitigated Versions
Seequent LeapFrog     2023.1.* and prior versions    2023.2 and greater


Recommended Mitigations
Seequent, The Bentley Subsurface Company, recommends updating to the latest versions of LeapFrog applications. As a general best practice, it is also recommended to open only WebP files that come from trusted sources.
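The following Python script is an added example, not code from this advisory, Seequent or libwebp. It supports the "trusted sources only" recommendation by identifying WebP files from their RIFF/WEBP signature rather than their file extension, and by walking the chunk list with explicit bounds checks so that files whose declared sizes exceed the data they actually carry are rejected before they reach an affected application. The helper names (parse_webp, should_open, build_riff) and the sample byte strings are constructed here for illustration. The check only enforces container well-formedness and identifies the codec; it cannot detect the crafted data that triggers the libwebp overflow, so it complements updating LeapFrog and does not replace it.

```python
import struct

# Map of the two image-data chunk types a WebP file may carry (assumption:
# only the codec identity is needed here, not the bitstream itself).
_CODECS = {b"VP8 ": "lossy (VP8)", b"VP8L": "lossless (VP8L)"}


def parse_webp(data: bytes) -> dict:
    """Walk a RIFF/WEBP container with explicit bounds checks.

    Returns a dict with:
      is_webp  - True if the RIFF/WEBP signature is present
      chunks   - FourCC names of the chunks encountered, in order
      codec    - "lossy (VP8)", "lossless (VP8L)" or None
      errors   - structural problems found (empty for a well-formed file)
    """
    result = {"is_webp": False, "chunks": [], "codec": None, "errors": []}
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        result["errors"].append("not a RIFF/WEBP container")
        return result
    result["is_webp"] = True

    # The RIFF size field counts every byte after the 8-byte RIFF header.
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        result["errors"].append(
            f"RIFF size {riff_size} exceeds available {len(data) - 8} bytes")
    end = min(riff_size + 8, len(data))

    pos = 12  # first chunk header follows "RIFF<size>WEBP"
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload_start = pos + 8
        # Reject any chunk whose declared payload runs past the container.
        if payload_start + size > end:
            result["errors"].append(
                f"chunk {fourcc!r} size {size} overruns container")
            break
        result["chunks"].append(fourcc.decode("ascii", "replace"))
        if fourcc in _CODECS and result["codec"] is None:
            result["codec"] = _CODECS[fourcc]
        # Chunk payloads are padded to an even length.
        pos = payload_start + size + (size & 1)

    if not result["errors"] and pos != end:
        result["errors"].append(f"{end - pos} trailing bytes after last chunk")
    return result


def should_open(data: bytes) -> bool:
    """Policy gate: only structurally consistent WebP files are allowed."""
    parsed = parse_webp(data)
    return parsed["is_webp"] and not parsed["errors"]


def build_riff(chunks) -> bytes:
    """Build a RIFF/WEBP container from (fourcc, payload) pairs (test helper)."""
    body = b"WEBP"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed sample inputs; these are not real files from the advisory.
SAMPLE_GOOD = build_riff([(b"VP8L", b"\x2f\x00\x00\x00\x00")])
SAMPLE_EXTENDED = build_riff([(b"VP8X", b"\x00" * 10), (b"VP8 ", b"\x00" * 20)])
SAMPLE_TRUNCATED = SAMPLE_GOOD[:-3]
# Same as SAMPLE_GOOD but with the VP8L chunk size field set to 0xFFFFFFFF.
SAMPLE_BAD_CHUNK = SAMPLE_GOOD[:16] + struct.pack("<I", 0xFFFFFFFF) + SAMPLE_GOOD[20:]
SAMPLE_NOT_WEBP = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("good", SAMPLE_GOOD), ("extended", SAMPLE_EXTENDED),
                       ("truncated", SAMPLE_TRUNCATED), ("bad_chunk", SAMPLE_BAD_CHUNK),
                       ("not_webp", SAMPLE_NOT_WEBP)]:
        print(name, should_open(blob), parse_webp(blob))
```

Because the gate keys on the RIFF signature, a crafted file renamed to .png or .jpg is still recognised as WebP, which is the case an extension-based filter misses.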

Acknowledgement

Revision History

Date Description
2023-10-27 First version of this advisory