CVE-2019-11070
Published: 2019-04-10
Priority: P4 · Severity: medium · CVSS 3.0 base score: 5.3 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 3.29% (87.0th percentile)
WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | webkit2gtk | < webkit2gtk 2.24.1-1 (bookworm) | webkit2gtk 2.24.1-1 (bookworm) |
| webkitgtk | webkitgtk | < 2.24.1 | 2.24.1 |
| wpewebkit | wpe_webkit | < 2.24.1 | 2.24.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | | 5.3 | MEDIUM | |
| vendor_debian | | 5.3 | MEDIUM | |
| vendor_redhat | | 5.3 | MEDIUM | |
Ubuntu
WebKitGTK+ vulnerabilities
vendor_ubuntu · 2019-04-16
Summary: Several security issues were fixed in WebKitGTK+.
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.
Instructions: This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
Red Hat
webkitgtk: HTTP proxy setting deanonymization information disclosure
vendor_redhat · 2019-04-10 · CVSS 5.3 · MEDIUM · CWE-200
Package: webkitgtk (Red Hat Enterprise Linux 6) - Out of support scope
Package: webkitgtk3 (Red Hat Enterprise Linux 7) - Will not fix
Debian
CVE-2019-11070: webkit2gtk
vendor_debian · 2019 · CVSS 5.3 · MEDIUM
Scope: local
bookworm: resolved (fixed in 2.24.1-1)
bullseye: resolved (fixed in 2.24.1-1)
forky: resolved (fixed in 2.24.1-1)
sid: resolved (fixed in 2.24.1-1)
trixie: resolved (fixed in 2.24.1-1)
GHSA
GHSA-jcch-9vxr-f9mg
ghsa_unreviewed · 2022-05-14 · MEDIUM
OSV
CVE-2019-11070
osv · 2019-04-10 · CVSS 5.3 · MEDIUM
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-6201 CVE-2019-7285 CVE-2019-7292 CVE-2019-8503 CVE-2019-8506 CVE-2019-8515 CVE-2019-8518 CVE-2019-8523 CVE-2019-8524 CVE-2019-8535 CVE-2019-8536 CVE-2019-11070 CVE-2019-8544 ... webkit2gtk3: webkitgtk: Multiple vulnerabilities [fedora-all]
bugzilla · 2019-06-06 · CVSS 5.3 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant
Bugzilla
CVE-2019-11070 CVE-2019-6251 mingw-webkitgtk3: various flaws [epel-7]
bugzilla · 2019-05-13 · CVSS 5.3 · MEDIUM
Discussion:
Use the following template for the 'fedpkg updat
Bugzilla
CVE-2019-11070 webkitgtk: HTTP proxy setting deanonymization information disclosure
bugzilla · 2019-05-13 · CVSS 5.3 · MEDIUM
WebKitGTK and WPE WebKit failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded.
Reference:
https://webkitgtk.org/security/WSA-2019-0002.html
https://wpewebkit.org/security/WSA-2019-0002.html
Discussion:
Created mingw-webkitgtk tracking bugs for this issue:
Affects: fedora-all [bug 1709313]
---
Created mingw-webkitgtk tracking bugs for this issue:
Affects: epel-7 [bug 1709314]
Created mingw-webkitgtk3 tracking bugs for this issue:
Affects: epel-7 [bug 1709315]
---
Created webkit2gtk3 tracking bugs for this issue:
Aff
Bugzilla
CVE-2019-11070 CVE-2019-6251 mingw-webkitgtk: various flaws [epel-7]
bugzilla · 2019-05-13 · CVSS 5.3 · MEDIUM
Discussion:
Use the following template for the 'fedpkg update
Bugzilla
CVE-2019-11070 CVE-2019-6251 mingw-webkitgtk: various flaws [fedora-all]
bugzilla · 2019-05-13 · CVSS 5.3 · MEDIUM
NOTE: this issue affects multiple supported versions of F
References:
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html
http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html
http://www.openwall.com/lists/oss-security/2019/04/11/1
https://bugs.webkit.org/show_bug.cgi?id=193718
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/
https://seclists.org/bugtraq/2019/Apr/21
https://security.gentoo.org/glsa/201909-05
https://trac.webkit.org/changeset/243197/webkit
https://usn.ubuntu.com/3948-1/