CVE-2019-11070 - Vulnerability Details

WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Enterprise Linux
Webkitgtk	Webkitgtk
Wpewebkit	Wpe Webkit

Configuration 1 [-]

OR	cpe:2.3:a:webkitgtk:webkitgtk::::::::
	cpe:2.3:a:wpewebkit:wpe_webkit::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7
webkitgtk4-0:2.28.2-2.el7	cpe:/o:redhat:enterprise_linux:7	RHSA-2020:4035	2020-09-29T00:00:00Z
Red Hat Enterprise Linux 8
accountsservice-0:0.6.50-7.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
appstream-data-0:8-20190805.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
baobab-0:3.28.0-2.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
chrome-gnome-shell-0:10.1-6.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
evince-0:3.28.4-3.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
file-roller-0:3.28.1-2.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gdk-pixbuf2-0:2.36.12-5.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gdm-1:3.28.3-22.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gjs-0:1.56.2-3.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-control-center-0:3.28.2-5.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-desktop3-0:3.32.2-1.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-remote-desktop-0:0.1.6-5.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-settings-daemon-0:3.32.0-4.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-shell-0:3.32.2-9.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-shell-extensions-0:3.32.1-10.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-software-0:3.30.6-2.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-tweaks-0:3.28.1-6.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gsettings-desktop-schemas-0:3.32.0-3.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gtk3-0:3.22.30-4.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gvfs-0:1.36.2-6.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
mozjs60-0:60.9.0-3.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
mutter-0:3.32.2-10.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
nautilus-0:3.28.1-10.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
pango-0:1.42.4-6.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
pidgin-0:2.13.0-5.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
plymouth-0:0.9.3-15.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
SDL-0:1.2.15-35.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
wayland-protocols-0:1.17-1.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
webkit2gtk3-0:2.24.3-1.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
accountsservice-0:0.6.50-7.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
appstream-data-0:8-20190805.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
baobab-0:3.28.0-2.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
chrome-gnome-shell-0:10.1-6.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
evince-0:3.28.4-3.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
file-roller-0:3.28.1-2.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gdk-pixbuf2-0:2.36.12-5.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gdm-1:3.28.3-22.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gjs-0:1.56.2-3.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-control-center-0:3.28.2-5.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-desktop3-0:3.32.2-1.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-remote-desktop-0:0.1.6-5.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-settings-daemon-0:3.32.0-4.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-shell-0:3.32.2-9.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-shell-extensions-0:3.32.1-10.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-software-0:3.30.6-2.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gnome-tweaks-0:3.28.1-6.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gsettings-desktop-schemas-0:3.32.0-3.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gtk3-0:3.22.30-4.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
gvfs-0:1.36.2-6.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
mozjs60-0:60.9.0-3.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
mutter-0:3.32.2-10.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
nautilus-0:3.28.1-10.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
pango-0:1.42.4-6.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
pidgin-0:2.13.0-5.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
plymouth-0:0.9.3-15.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
SDL-0:1.2.15-35.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
wayland-protocols-0:1.17-1.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z
webkit2gtk3-0:2.24.3-1.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3553	2019-11-05T00:00:00Z

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html
http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html
http://www.openwall.com/lists/oss-security/2019/04/11/1
https://bugs.webkit.org/show_bug.cgi?id=193718
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/
https://nvd.nist.gov/vuln/detail/CVE-2019-11070
https://seclists.org/bugtraq/2019/Apr/21
https://security.gentoo.org/glsa/201909-05
https://trac.webkit.org/changeset/243197/webkit
https://usn.ubuntu.com/3948-1/
https://www.cve.org/CVERecord?id=CVE-2019-11070

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-04-10T20:15:06

Updated: 2024-08-04T22:40:16.199Z

Reserved: 2019-04-10T00:00:00

Link: CVE-2019-11070

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-04-10T21:29:01.653

Modified: 2024-11-21T04:20:28.830

Link: CVE-2019-11070

Redhat

Severity : Moderate

Publid Date: 2019-04-10T00:00:00Z

Links: CVE-2019-11070 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-06T17:06:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugs.webkit.org/show_bug.cgi?id=193718"}, {"tags": ["x_refsource_MISC"], "url": "https://trac.webkit.org/changeset/243197/webkit"}, {"name": "20190411 WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Apr/21"}, {"name": "[oss-security] 20190410 WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/04/11/1"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html"}, {"name": "FEDORA-2019-d9a15be3ba", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/"}, {"name": "USN-3948-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3948-1/"}, {"name": "openSUSE-SU-2019:1374", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html"}, {"name": "openSUSE-SU-2019:1391", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html"}, {"name": "GLSA-201909-05", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201909-05"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-11070", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugs.webkit.org/show_bug.cgi?id=193718", "refsource": "MISC", "url": "https://bugs.webkit.org/show_bug.cgi?id=193718"}, {"name": "https://trac.webkit.org/changeset/243197/webkit", "refsource": "MISC", "url": "https://trac.webkit.org/changeset/243197/webkit"}, {"name": "20190411 WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Apr/21"}, {"name": "[oss-security] 20190410 WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/04/11/1"}, {"name": "http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html"}, {"name": "FEDORA-2019-d9a15be3ba", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/"}, {"name": "USN-3948-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3948-1/"}, {"name": "openSUSE-SU-2019:1374", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html"}, {"name": "openSUSE-SU-2019:1391", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html"}, {"name": "GLSA-201909-05", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201909-05"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:40:16.199Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.webkit.org/show_bug.cgi?id=193718"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://trac.webkit.org/changeset/243197/webkit"}, {"name": "20190411 WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Apr/21"}, {"name": "[oss-security] 20190410 WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2019/04/11/1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html"}, {"name": "FEDORA-2019-d9a15be3ba", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/"}, {"name": "USN-3948-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/3948-1/"}, {"name": "openSUSE-SU-2019:1374", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html"}, {"name": "openSUSE-SU-2019:1391", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html"}, {"name": "GLSA-201909-05", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201909-05"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11070", "datePublished": "2019-04-10T20:15:06", "dateReserved": "2019-04-10T00:00:00", "dateUpdated": "2024-08-04T22:40:16.199Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webkitgtk:webkitgtk:*:*:*:*:*:*:*:*", "matchCriteriaId": "08565239-2C80-4C9F-A270-6076E455DD91", "versionEndExcluding": "2.24.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wpewebkit:wpe_webkit:*:*:*:*:*:*:*:*", "matchCriteriaId": "46E10007-E315-4E7B-99DC-44F7E4C8523C", "versionEndExcluding": "2.24.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded."}, {"lang": "es", "value": "WebKitGTK y WPE WebKit en las versiones anteriores a 2.24.1 no aplican correctamente la configuraci\u00f3n del proxy HTTP al descargar v\u00eddeo en directo (HLS, DASH o Smooth Streaming), lo que provoc\u00f3 un error de desanonimizaci\u00f3n. Este problema se corrigi\u00f3 cambiando la forma en que se descargan las transmisiones en directo."}], "id": "CVE-2019-11070", "lastModified": "2024-11-21T04:20:28.830", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-10T21:29:01.653", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/04/11/1"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugs.webkit.org/show_bug.cgi?id=193718"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory", "VDB Entry"], "url": "https://seclists.org/bugtraq/2019/Apr/21"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201909-05"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://trac.webkit.org/changeset/243197/webkit"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/3948-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/04/11/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugs.webkit.org/show_bug.cgi?id=193718"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory", "VDB Entry"], "url": "https://seclists.org/bugtraq/2019/Apr/21"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201909-05"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://trac.webkit.org/changeset/243197/webkit"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/3948-1/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-19"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:4035", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "webkitgtk4-0:2.28.2-2.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-09-29T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "accountsservice-0:0.6.50-7.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "appstream-data-0:8-20190805.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "baobab-0:3.28.0-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "chrome-gnome-shell-0:10.1-6.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "evince-0:3.28.4-3.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "file-roller-0:3.28.1-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gdk-pixbuf2-0:2.36.12-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gdm-1:3.28.3-22.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gjs-0:1.56.2-3.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-control-center-0:3.28.2-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-desktop3-0:3.32.2-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-remote-desktop-0:0.1.6-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-settings-daemon-0:3.32.0-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-shell-0:3.32.2-9.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-shell-extensions-0:3.32.1-10.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-software-0:3.30.6-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-tweaks-0:3.28.1-6.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gsettings-desktop-schemas-0:3.32.0-3.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gtk3-0:3.22.30-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gvfs-0:1.36.2-6.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "mozjs60-0:60.9.0-3.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "mutter-0:3.32.2-10.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nautilus-0:3.28.1-10.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "pango-0:1.42.4-6.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "pidgin-0:2.13.0-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "plymouth-0:0.9.3-15.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "SDL-0:1.2.15-35.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "wayland-protocols-0:1.17-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "webkit2gtk3-0:2.24.3-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "accountsservice-0:0.6.50-7.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "appstream-data-0:8-20190805.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "baobab-0:3.28.0-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "chrome-gnome-shell-0:10.1-6.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "evince-0:3.28.4-3.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "file-roller-0:3.28.1-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gdk-pixbuf2-0:2.36.12-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gdm-1:3.28.3-22.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gjs-0:1.56.2-3.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-control-center-0:3.28.2-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-desktop3-0:3.32.2-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-remote-desktop-0:0.1.6-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-settings-daemon-0:3.32.0-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-shell-0:3.32.2-9.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-shell-extensions-0:3.32.1-10.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-software-0:3.30.6-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-tweaks-0:3.28.1-6.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gsettings-desktop-schemas-0:3.32.0-3.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gtk3-0:3.22.30-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gvfs-0:1.36.2-6.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "mozjs60-0:60.9.0-3.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "mutter-0:3.32.2-10.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "nautilus-0:3.28.1-10.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "pango-0:1.42.4-6.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "pidgin-0:2.13.0-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "plymouth-0:0.9.3-15.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "SDL-0:1.2.15-35.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "wayland-protocols-0:1.17-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3553", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "webkit2gtk3-0:2.24.3-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}], "bugzilla": {"description": "webkitgtk: HTTP proxy setting deanonymization information disclosure", "id": "1709289", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709289"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded."], "name": "CVE-2019-11070", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "webkitgtk", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "webkitgtk3", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2019-04-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-11070\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11070"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object