FortiDevSec
FortiDevSec is an application security testing product that offers comprehensive SaaS-based continuous application testing for software developers and DevOps teams, without the need for any security expertise.
dkumar, Staff
Article Id 277721
Description

This article describes how FortiDevSec detects the Google Chromium WebP heap buffer overflow vulnerability (CVE-2023-4863), which has been actively exploited in the wild.

 

CVE-2023-4863 is a zero-day vulnerability in libwebp, the widely used open-source library for encoding and decoding images in the WebP format. libwebp is built into Google Chromium and is also bundled by many other applications that render WebP images, including Google Chrome, Microsoft Edge, Microsoft Teams, Mozilla Firefox and Mozilla Thunderbird.

 

The bug is a heap buffer overflow in libwebp's decoder: a crafted WebP image delivered to an affected application can crash it or lead to arbitrary code execution. The upstream fix is in libwebp 1.3.2, and vendors that bundle the library have shipped corresponding updates.
Scope

FortiDevSec SCA scanner, updated in version 23.3.

Solution

Detection of this vulnerability is provided by the FortiDevSec Software Composition Analysis (SCA) scanner.

 

The SCA scanner inventories the open-source dependencies of the application code base (from package manifests and lock files, including transitive dependencies) and matches each identified component and version against known vulnerable version ranges. This is what allows FortiDevSec to determine with a high level of confidence whether the code base depends on an affected libwebp release. Note that this relies on the dependency being declared: a copy of libwebp compiled into a native binary or vendored inside another package (image-processing libraries and Chromium-based application frameworks commonly bundle it) is only flagged if that package itself is recorded as affected, so a clean SCA result should still be checked against the upstream fix (libwebp 1.3.2) for any such bundled copies.
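To make the matching step concrete, the following is an added illustration of the SCA idea in Python; it is not FortiDevSec code and does not reproduce the scanner's vulnerability feed. It reads a hand-constructed CycloneDX-shaped inventory, normalises version strings (stripping a leading `v` and distribution suffixes such as `-0.2`), and reports every declared `libwebp` component whose upstream version is below the 1.3.2 fix. The advisory record, the inventory and the `pillow` entry that bundles libwebp without declaring it are all constructed for this example.

```python
"""SCA-style version matching for CVE-2023-4863.

Added example, not FortiDevSec code. The advisory record and the
inventory below are hand-constructed; a real scanner uses its own
vulnerability feed and a real SBOM or lock file.
"""
import re
from typing import Dict, List, Tuple

# Hand-written advisory record for this example. "fixed" is the first
# upstream version that is NOT vulnerable (libwebp 1.3.2 for CVE-2023-4863).
ADVISORIES: List[Dict[str, str]] = [
    {"id": "CVE-2023-4863", "package": "libwebp", "fixed": "1.3.2"},
]

# Constructed CycloneDX-shaped inventory: three declared copies of libwebp
# at different versions plus a package (pillow) that bundles libwebp inside
# its own build. The bundled copy is invisible to this check because the
# inventory declares only pillow's version, not libwebp's.
CONSTRUCTED_SBOM: Dict[str, List[Dict[str, str]]] = {
    "components": [
        {"name": "libwebp", "version": "1.2.4-0.2",
         "purl": "pkg:deb/debian/libwebp7@1.2.4-0.2"},
        {"name": "libwebp", "version": "1.3.0",
         "purl": "pkg:generic/libwebp@1.3.0"},
        {"name": "libwebp", "version": "v1.3.2",
         "purl": "pkg:github/webmproject/libwebp@v1.3.2"},
        {"name": "pillow", "version": "9.5.0",
         "purl": "pkg:pypi/pillow@9.5.0"},
    ]
}

# Leading optional "v", then a dotted run of integers; anything after
# (e.g. a Debian revision "-0.2" or a "+build" tag) is ignored.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the upstream dotted-numeric part of a version as an int tuple.

    Distribution suffixes are dropped because advisory ranges are
    expressed in upstream versions. Caveat: a distribution that backports
    the fix while keeping the old upstream number will be reported as
    vulnerable by this check (a false positive to confirm manually).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """True if a < b, padding the shorter tuple with zeros so 1.3 == 1.3.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_vulnerable(package: str, version: str, advisory: Dict[str, str]) -> bool:
    """Does this declared component fall inside the advisory's affected range?"""
    if package.lower() != advisory["package"]:
        return False
    return version_lt(parse_version(version), parse_version(advisory["fixed"]))


def scan(sbom: Dict[str, List[Dict[str, str]]]) -> List[Dict[str, str]]:
    """Match every inventory component against every advisory; return findings."""
    findings = []
    for component in sbom["components"]:
        for advisory in ADVISORIES:
            if is_vulnerable(component["name"], component["version"], advisory):
                findings.append({
                    "id": advisory["id"],
                    "package": component["name"],
                    "version": component["version"],
                    "purl": component.get("purl", ""),
                    "fixed": advisory["fixed"],
                })
    return findings


if __name__ == "__main__":
    for finding in scan(CONSTRUCTED_SBOM):
        print(f'{finding["id"]}: {finding["purl"]} (fix: {finding["fixed"]})')
```

Running the block reports the `1.2.4-0.2` and `1.3.0` copies and stays silent on `v1.3.2` and on `pillow`; the silence on `pillow` is the bundled-dependency gap described above, which a scanner can close only by carrying advisory records for the bundling package itself.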

 

The SCA scanner is enabled by default. Once the scan is performed on an application, the result appears under the Software Composition Analysis tab.

 

A step-by-step guide on how to scan an application is available in the user guide.

 

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to https://www.fortiguard.com/outbreak-alert/google-chromium-buffer-overflow.