Data Handling in WebKitGTK WebKitGTK+



Published: 2019-04-10 | Updated: 2020-07-17
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-11070
CWE-ID CWE-19
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
WebKitGTK+
Server applications / Frameworks for developing and running applications

Vendor WebKitGTK

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Data Handling

EUVDB-ID: #VU31117

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11070

CWE-ID: CWE-19 - Data Handling

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded.

Mitigation

Install update from vendor's website.

Vulnerable software versions

WebKitGTK+: 2.24.0

External links

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html
http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html
http://www.openwall.com/lists/oss-security/2019/04/11/1
http://bugs.webkit.org/show_bug.cgi?id=193718
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/
http://seclists.org/bugtraq/2019/Apr/21
http://security.gentoo.org/glsa/201909-05
http://trac.webkit.org/changeset/243197/webkit
http://usn.ubuntu.com/3948-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###