CVE-2019-6251

WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge.

CVSS v3.0 8.1 HIGH
CVSS v2.0 5.8 MEDIUM

8.1^/10

CVSS v3.0 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://gitlab.gnome.org/GNOME/epiphany/issues/532	Exploit Patch Third Party Advisory
https://seclists.org/bugtraq/2019/Apr/21	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/04/11/1	Mailing List Third Party Advisory
http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html	Third Party Advisory VDB Entry
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/	Mailing List Release Notes Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNPI3R6QWDJBA5KNGA6QSMKYLY5RRHBZ/	Mailing List Release Notes Third Party Advisory
https://usn.ubuntu.com/3948-1/	Third Party Advisory
https://trac.webkit.org/changeset/243434	Patch Vendor Advisory
https://bugs.webkit.org/show_bug.cgi?id=194208	Issue Tracking Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LACVFU4MYYRPJ3IEA4UCN5KUEAGCCJ72/	Mailing List Release Notes Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UO3DIA54X7FOUWFZW5YXC2MZ6KNHG6SW/	Mailing List Release Notes Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSCDI3635E37GL4BNJDRDT2KEUBDLGSO/	Mailing List Release Notes Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html	Third Party Advisory
https://security.gentoo.org/glsa/201909-05

Configurations

Configuration 1 (hide)

cpe:2.3:a:gnome:epiphany:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:webkitgtk:webkitgtk::::::::
	cpe:2.3:a:wpewebkit:wpe_webkit::::::::

Configuration 3 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:28:::::::*
	cpe:2.3:o:fedoraproject:fedora:30:::::::*
	cpe:2.3:o:fedoraproject:fedora:29:::::::*

Configuration 4 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*

Configuration 5 (hide)

OR	cpe:2.3:o:opensuse:leap:15.0:::::::*
	cpe:2.3:o:opensuse:leap:42.3:::::::*

Information

Published : 2019-01-14 00:29

Updated : 2020-08-24 10:37

NVD link : CVE-2019-6251

Mitre link : CVE-2019-6251

JSON object : View

CWE

NVD-CWE-noinfo

Products Affected

webkitgtk

webkitgtk

fedoraproject

fedora

canonical

ubuntu_linux

opensuse

leap

gnome

epiphany

wpewebkit

wpe_webkit

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://gitlab.gnome.org/GNOME/epiphany/issues/532", "name": "https://gitlab.gnome.org/GNOME/epiphany/issues/532", "tags": ["Exploit", "Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://seclists.org/bugtraq/2019/Apr/21", "name": "20190411 WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "BUGTRAQ"}, {"url": "http://www.openwall.com/lists/oss-security/2019/04/11/1", "name": "[oss-security] 20190410 WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html", "name": "http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "MISC"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/", "name": "FEDORA-2019-d9a15be3ba", "tags": ["Mailing List", "Release Notes", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNPI3R6QWDJBA5KNGA6QSMKYLY5RRHBZ/", "name": "FEDORA-2019-b3ad0a302b", "tags": ["Mailing List", "Release Notes", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://usn.ubuntu.com/3948-1/", "name": "USN-3948-1", "tags": ["Third Party Advisory"], "refsource": "UBUNTU"}, {"url": "https://trac.webkit.org/changeset/243434", "name": "https://trac.webkit.org/changeset/243434", "tags": ["Patch", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://bugs.webkit.org/show_bug.cgi?id=194208", "name": "https://bugs.webkit.org/show_bug.cgi?id=194208", "tags": ["Issue Tracking", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LACVFU4MYYRPJ3IEA4UCN5KUEAGCCJ72/", "name": "FEDORA-2019-432b3dff25", "tags": ["Mailing List", "Release Notes", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UO3DIA54X7FOUWFZW5YXC2MZ6KNHG6SW/", "name": "FEDORA-2019-77433fc7f3", "tags": ["Mailing List", "Release Notes", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSCDI3635E37GL4BNJDRDT2KEUBDLGSO/", "name": "FEDORA-2019-74f7603660", "tags": ["Mailing List", "Release Notes", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html", "name": "openSUSE-SU-2019:1374", "tags": ["Third Party Advisory"], "refsource": "SUSE"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html", "name": "openSUSE-SU-2019:1391", "tags": ["Third Party Advisory"], "refsource": "SUSE"}, {"url": "https://security.gentoo.org/glsa/201909-05", "name": "GLSA-201909-05", "tags": [], "refsource": "GENTOO"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-6251", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 4.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}}, "publishedDate": "2019-01-14T08:29Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:gnome:epiphany:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "3.31.4"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:webkitgtk:webkitgtk:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.24.1"}, {"cpe23Uri": "cpe:2.3:a:wpewebkit:wpe_webkit:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.24.1"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2020-08-24T17:37Z"}

8.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.8 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2019-6251

8.1^/10

5.8^/10

Attach tags to `CVE-2019-6251`