CVE-2019-6251
Published: 2019-01-14
Priority: P3 · 41 · high · 8.1 · CVSS 3.0
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 4.13% (89.5th percentile)
WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | webkit2gtk | < webkit2gtk 2.24.1-1 (bookworm) | webkit2gtk 2.24.1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| gnome | epiphany | <= 3.31.4 | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| webkitgtk | webkitgtk | < 2.24.1 | 2.24.1 |
| wpewebkit | wpe_webkit | < 2.24.1 | 2.24.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Ubuntu
CVE-2019-11070: WebKitGTK+ vulnerabilities
vendor_ubuntu · 2019-04-16
Summary: Several security issues were fixed in WebKitGTK+.
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.
Instructions: This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
Debian
CVE-2019-6251 [MEDIUM] webkit2gtk
vendor_debian · 2019 · CVSS 4.3
WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge.
Scope: local
bookworm: resolved (fixed in 2.24.1-1)
bullseye: resolved (fixed in 2.24.1-1)
forky: resolved (fixed in 2.24.1-1)
sid: resolved (fixed in 2.24.1-1)
trixie: resolved (fixed in 2.24.1-1)
Red Hat
CVE-2019-6251 [MEDIUM] CWE-20 webkitgtk: processing maliciously crafted web content leads to URI spoofing
vendor_redhat · 2018-09-11 · CVSS 4.3
WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge.
Package: webkitgtk (Red Hat Enterprise Linux 6) - Out of support scope
Package: webkitgtk3 (Red Hat Enterprise Linux 7) - Will not fix
GHSA
GHSA-w36c-w6x2-gj2r (CVE-2019-6251) [MEDIUM]
ghsa_unreviewed · 2022-05-13 · CVSS 4.3
WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge.
OSV
CVE-2019-6251 [MEDIUM]
osv · 2019-01-14 · CVSS 4.3
WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-6251 [HIGH] webkit2gtk3: webkitgtk: processing maliciously crafted web content leads to URI spoofing [fedora-all]
bugzilla · 2019-06-06 · CVSS 8.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issu
Bugzilla
CVE-2019-11070 [MEDIUM] CVE-2019-11070 CVE-2019-6251 mingw-webkitgtk3: various flaws [epel-7]
bugzilla · 2019-05-13 · CVSS 5.3
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for the 'fedpkg updat
Bugzilla
CVE-2019-11070 [MEDIUM] CVE-2019-11070 CVE-2019-6251 mingw-webkitgtk: various flaws [epel-7]
bugzilla · 2019-05-13 · CVSS 5.3
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for the 'fedpkg update
Bugzilla
CVE-2019-11070 [MEDIUM] CVE-2019-11070 CVE-2019-6251 mingw-webkitgtk: various flaws [fedora-all]
bugzilla · 2019-05-13 · CVSS 5.3
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of F
Bugzilla
CVE-2019-6251 [MEDIUM] webkitgtk: processing maliciously crafted web content leads to URI spoofing
bugzilla · 2019-01-18 · CVSS 4.3
embed/ephy-web-view.c in GNOME Web (aka Epiphany) through 3.31.4 allows address
bar spoofing because a page load triggered by JavaScript leads to updating an
address as if it were triggered by a safer visit type (e.g., VISIT_LINK,
VISIT_TYPED, VISIT_BOOKMARK, or VISIT_HOMEPAGE).
Upstream issue:
https://gitlab.gnome.org/GNOME/epiphany/issues/532
Discussion:
Created epiphany tracking bugs for this issue:
Affects: fedora-all [bug 1667410]
---
Note the CVE description and affected component are wrong. Affected component is WebKitGTK. Suggested description:
Processing maliciously crafted web content may lead to spoofing. WebKitGTK and WPE WebKit were vulnerable to a URI spoofing attack similar to th
Bugzilla
CVE-2019-6251 [HIGH] epiphany: webkitgtk: processing maliciously crafted web content leads to URI spoofing [fedora-all]
bugzilla · 2019-01-18 · CVSS 8.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue a
References:
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html
http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html
http://www.openwall.com/lists/oss-security/2019/04/11/1
https://bugs.webkit.org/show_bug.cgi?id=194208
https://gitlab.gnome.org/GNOME/epiphany/issues/532
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSCDI3635E37GL4BNJDRDT2KEUBDLGSO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LACVFU4MYYRPJ3IEA4UCN5KUEAGCCJ72/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNPI3R6QWDJBA5KNGA6QSMKYLY5RRHBZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UO3DIA54X7FOUWFZW5YXC2MZ6KNHG6SW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/
https://seclists.org/bugtraq/2019/Apr/21
https://security.gentoo.org/glsa/201909-05
https://trac.webkit.org/changeset/243434
https://usn.ubuntu.com/3948-1/