NULL Pointer Dereference in seleniumhq/selenium
Published: October 23, 2023
SECURITY IDENTIFIERS
- CVE: CVE-2023-5590 (NVD)
- GHSA: GHSA-4phc-fq33-39gx
GEM
SEVERITY
CVSS v3.x: 7.5 (High)
PATCHED VERSIONS
>= 4.14.0
DESCRIPTION
This is a null pointer dereference that causes the IE driver to crash when selenium gets the cookies from an attacker controlled page. At a high level, the bug is caused by an insufficient check on data returned from Edge (Internet Explorer mode).
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2023-5590
- https://rubygems.org/gems/selenium-webdriver/versions/4.14.0
- https://github.com/SeleniumHQ/selenium/releases/tag/selenium-4.14.0
- https://github.com/seleniumhq/selenium/commit/023a0d52f106321838ab1c0997e76693f4dcbdf6
- https://huntr.com/bounties/e268cd68-4f34-49bd-878b-82b96dcc0c99
- https://github.com/advisories/GHSA-4phc-fq33-39gx
