HIGH · 8.1

CVE-2019-6251

Vulnerability Description

WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge.

CVSS Score

8.1

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: NONE

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Gnome | Epiphany | <= 3.31.4 |
| Webkitgtk | Webkitgtk | < 2.24.1 |
| Wpewebkit | Wpe Webkit | < 2.24.1 |
| Fedoraproject | Fedora | 28 |
| Canonical | Ubuntu Linux | 18.04 |
| Opensuse | Leap | 15.0 |

References

FAQ

What is CVE-2019-6251?

CVE-2019-6251 is a vulnerability with a CVSS score of 8.1 (HIGH). WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a ...

How severe is CVE-2019-6251?

CVE-2019-6251 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-6251?

Check the references section above for vendor advisories and patch information. Affected products include: Gnome Epiphany, Webkitgtk Webkitgtk, Wpewebkit Wpe Webkit, Fedoraproject Fedora, Canonical Ubuntu Linux.