Vulnerability Details : CVE-2019-6251
WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge.
Products affected by CVE-2019-6251
- cpe:2.3:a:gnome:epiphany:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:a:webkitgtk:webkitgtk:*:*:*:*:*:*:*:*
- cpe:2.3:a:wpewebkit:wpe_webkit:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-6251
- 0.24%: Probability of exploitation activity in the next 30 days
- ~63%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-6251
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST | |
8.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 2.8 | 5.2 | NIST | |
References for CVE-2019-6251
- http://www.openwall.com/lists/oss-security/2019/04/11/1
  oss-security - WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002 [Mailing List; Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html
  [security-announce] openSUSE-SU-2019:1391-1: important: Security update [Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSCDI3635E37GL4BNJDRDT2KEUBDLGSO/
  [SECURITY] Fedora 29 Update: wpewebkit-2.24.1-1.fc29 - package-announce - Fedora Mailing-Lists [Mailing List; Release Notes; Third Party Advisory]
- https://usn.ubuntu.com/3948-1/
  USN-3948-1: WebKitGTK+ vulnerabilities | Ubuntu security notices [Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UO3DIA54X7FOUWFZW5YXC2MZ6KNHG6SW/
  [SECURITY] Fedora 30 Update: wpewebkit-2.24.1-1.fc30 - package-announce - Fedora Mailing-Lists [Mailing List; Release Notes; Third Party Advisory]
- http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html
  WebKitGTK+ / WPE WebKit URI Spoofing / Code Execution ≈ Packet Storm [Third Party Advisory; VDB Entry]
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html
  [security-announce] openSUSE-SU-2019:1374-1: important: Security update [Third Party Advisory]
- https://seclists.org/bugtraq/2019/Apr/21
  Bugtraq: WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002 [Mailing List; Third Party Advisory]
- https://gitlab.gnome.org/GNOME/epiphany/issues/532
  (CVE-2018-8383/CVE-2019-6251) Address bar spoofing (#532) · Issues · GNOME / Epiphany · GitLab [Exploit; Patch; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/
  [SECURITY] Fedora 30 Update: webkit2gtk3-2.24.1-1.fc30 - package-announce - Fedora Mailing-Lists [Mailing List; Release Notes; Third Party Advisory]
- https://trac.webkit.org/changeset/243434
  Changeset 243434 – WebKit [Patch; Vendor Advisory]
- https://bugs.webkit.org/show_bug.cgi?id=194208
  194208 – (CVE-2019-6251) [WPE][GTK] URI spoofing when JS redirects page to something that takes a long time to load [Issue Tracking; Vendor Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LACVFU4MYYRPJ3IEA4UCN5KUEAGCCJ72/
  [SECURITY] Fedora 28 Update: webkit2gtk3-2.24.1-1.fc28 - package-announce - Fedora Mailing-Lists [Mailing List; Release Notes; Third Party Advisory]
- https://security.gentoo.org/glsa/201909-05
  WebkitGTK+: Multiple vulnerabilities (GLSA 201909-05) — Gentoo security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNPI3R6QWDJBA5KNGA6QSMKYLY5RRHBZ/
  [SECURITY] Fedora 29 Update: webkit2gtk3-2.24.1-1.fc29 - package-announce - Fedora Mailing-Lists [Mailing List; Release Notes; Third Party Advisory]