CVE-2019-6251

Name
CVE-2019-6251
Description
WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge.
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Exploit https://gitlab.gnome.org/GNOME/epiphany/issues/532
Mailing List https://seclists.org/bugtraq/2019/Apr/21
Mailing List http://www.openwall.com/lists/oss-security/2019/04/11/1
Third Party Advisory http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNPI3R6QWDJBA5KNGA6QSMKYLY5RRHBZ/
Third Party Advisory https://usn.ubuntu.com/3948-1/
Patch https://trac.webkit.org/changeset/243434
Issue Tracking https://bugs.webkit.org/show_bug.cgi?id=194208
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LACVFU4MYYRPJ3IEA4UCN5KUEAGCCJ72/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UO3DIA54X7FOUWFZW5YXC2MZ6KNHG6SW/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSCDI3635E37GL4BNJDRDT2KEUBDLGSO/
Third Party Advisory http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html
Third Party Advisory http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html
GENTOO https://security.gentoo.org/glsa/201909-05

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:gnome:epiphany:*:*:*:*:*:*:*:* epiphany >= None <= 3.31.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
webkit2gtk edge-community 2.24.1-r0 None fixed
webkit2gtk 3.20-community 2.24.1-r0 None fixed
webkit2gtk 3.19-community 2.24.1-r0 None fixed
webkit2gtk 3.18-community 2.24.1-r0 None fixed
webkit2gtk 3.17-community 2.24.1-r0 None fixed