CVE-2019-11070 Information

Description

WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS DASH or Smooth Streaming) an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Reference

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html http://www.openwall.com/lists/oss-security/2019/04/11/1 https://bugs.webkit.org/show_bug.cgi?id=193718 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/ https://seclists.org/bugtraq/2019/Apr/21 https://security.gentoo.org/glsa/201909-05 https://trac.webkit.org/changeset/243197/webkit https://usn.ubuntu.com/3948-1/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

5.3