CVE-2019-11070

Severity
5.3 MEDIUM
EPSS
1.9%
top 16.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 10
Latest update: May 14

Description

WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (3 packages)

NVD: webkitgtk/webkitgtk < 2.24.1
NVD: wpewebkit/wpe_webkit < 2.24.1
Debian: webkit2gtk < 2.24.1-1+3

Patches

🔴Vulnerability Details

3
GHSA
GHSA-jcch-9vxr-f9mg: WebKitGTK and WPE WebKit prior to version 2 (2022-05-14)
OSV
CVE-2019-11070: WebKitGTK and WPE WebKit prior to version 2 (2019-04-10)
CVEList
CVE-2019-11070: WebKitGTK and WPE WebKit prior to version 2 (2019-04-10)

📋Vendor Advisories

3
Ubuntu
WebKitGTK+ vulnerabilities (2019-04-16)
Red Hat
webkitgtk: HTTP proxy setting deanonymization information disclosure (2019-04-10)
Debian
CVE-2019-11070: webkit2gtk - WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply config... (2019)

💬Community

5
Bugzilla
CVE-2019-6201 CVE-2019-7285 CVE-2019-7292 CVE-2019-8503 CVE-2019-8506 CVE-2019-8515 CVE-2019-8518 CVE-2019-8523 CVE-2019-8524 CVE-2019-8535 CVE-2019-8536 CVE-2019-11070 CVE-2019-8544 ... webkit2gtk3: 2019-06-06
Bugzilla
CVE-2019-11070 CVE-2019-6251 mingw-webkitgtk3: various flaws [epel-7] (2019-05-13)
Bugzilla
CVE-2019-11070 webkitgtk: HTTP proxy setting deanonymization information disclosure (2019-05-13)
Bugzilla
CVE-2019-11070 CVE-2019-6251 mingw-webkitgtk: various flaws [epel-7] (2019-05-13)
Bugzilla
CVE-2019-11070 CVE-2019-6251 mingw-webkitgtk: various flaws [fedora-all] (2019-05-13)