CVE-2019-6251

HIGH

WebKitGTK & WPE WebKit <2.24.1 - Address Bar Spoofing


Description

WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge.

References (15)

Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://gitlab.gnome.org/GNOME/epiphany/issues/532
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Apr/21
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/04/11/1
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3948-1/
Issue Tracking, Vendor Advisory x_refsource_misc
https://bugs.webkit.org/show_bug.cgi?id=194208
Patch, Vendor Advisory x_refsource_misc
https://trac.webkit.org/changeset/243434
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201909-05

Scores

CVSS v3 8.1
EPSS 0.0245
EPSS Percentile 85.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Details

Status published
Products (10)
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
fedoraproject/fedora 28
fedoraproject/fedora 29
fedoraproject/fedora 30
gnome/epiphany < 3.31.4
opensuse/leap 15.0
opensuse/leap 42.3
webkitgtk/webkitgtk < 2.24.1
wpewebkit/wpe_webkit < 2.24.1
Published Jan 14, 2019
Tracked Since Feb 18, 2026