BE-2023-0001: Seequent LeapFrog WebP Heap-Based Buffer Overflow Vulnerability
Bentley ID: BE-2023-0001
CVE ID: CVE-2023-4863
Severity: 8
CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Publication date: 2023-10-27
Revision date: 2023-10-27
Summary
LeapFrog applications may be affected by a heap-based buffer overflow vulnerability when opening maliciously crafted WebP files. Exploiting this vulnerability could lead to information disclosure or arbitrary code execution.
Details
Using an affected version of a LeapFrog application to open a WebP file containing maliciously crafted data can force a heap-based buffer overflow in the libwebp library. Exploitation of this vulnerability within the parsing of WebP files could enable an attacker to perform an out-of-bounds memory write and may lead to executing code in the context of the current process.
Affected Versions
Applications | Affected Versions | Mitigated Versions |
Seequent LeapFrog | 2023.1.* and prior versions | 2023.2 and greater |
Recommended Mitigations
Seequent, The Bentley Subsurface Company, recommends updating to the latest versions of LeapFrog applications. As a general best practice, it is also recommended to only open WebP files coming from trusted sources.
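As an added illustration (not part of this advisory or of Seequent's software), the following Python script walks a WebP file's RIFF container before the file is opened, reports whether it carries a VP8L (lossless) chunk, and flags declared sizes that disagree with the file length. CVE-2023-4863 lies in libwebp's VP8L lossless decoding path, so lossless or structurally inconsistent files from untrusted sources warrant the most scrutiny; the sample byte strings below are constructed, not real files.

```python
import struct


def parse_webp(data: bytes) -> dict:
    """Walk the RIFF/WEBP container and report the chunks it carries.

    Returns 'chunks' (FourCC list), 'lossless' (True when a VP8L chunk is
    present) and 'problems' (structural inconsistencies such as a bad magic,
    a RIFF size that disagrees with the file length, or a chunk claiming
    more bytes than remain).  This is a triage check only; it does not
    decode image data and cannot prove a file is safe.
    """
    result = {"chunks": [], "lossless": False, "problems": []}
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        result["problems"].append("not a RIFF/WEBP container")
        return result
    riff_size = struct.unpack_from("<I", data, 4)[0]
    # The RIFF size field counts every byte after the 8-byte RIFF header.
    if riff_size + 8 != len(data):
        result["problems"].append(
            f"RIFF size {riff_size} does not match file length {len(data)}")
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4].decode("ascii", errors="replace")
        size = struct.unpack_from("<I", data, pos + 4)[0]
        result["chunks"].append(fourcc)
        if fourcc == "VP8L":
            result["lossless"] = True
        remaining = len(data) - pos - 8
        if size > remaining:
            result["problems"].append(
                f"chunk {fourcc} declares {size} bytes, only {remaining} remain")
            break
        pos += 8 + size + (size & 1)  # chunk payloads are padded to even length
    return result


# Constructed samples: a well-formed lossless container and a truncated one
# whose VP8L chunk claims far more bytes than the file holds.
SAMPLE_OK = (b"RIFF" + struct.pack("<I", 18) + b"WEBP"
             + b"VP8L" + struct.pack("<I", 6) + b"\x2f\x00\x00\x00\x00\x00")
SAMPLE_TRUNCATED = (b"RIFF" + struct.pack("<I", 18) + b"WEBP"
                    + b"VP8L" + struct.pack("<I", 0x100) + b"\x2f\x00")

if __name__ == "__main__":
    for name, blob in (("ok", SAMPLE_OK), ("truncated", SAMPLE_TRUNCATED)):
        print(name, parse_webp(blob))
```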
Acknowledgement
Revision History
Date | Description |
2023-10-27 | First version of this advisory |