#VU17739 Spoofing attack in GNOME Web (Epiphany) - CVE-2019-6251


Vulnerability identifier: #VU17739

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-6251

CWE-ID: CWE-451

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GNOME Web (Epiphany)
Client/Desktop applications / Web browsers

Vendor: Gnome Development Team

Description
The disclosed vulnerability allows a remote attacker to perform spoofing attack.

The weakness exists due to improper parsing of specific HTTP content. A remote attacker can trick the victim to follow a specially crafted link and perform a spoofing attack.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address the vulnerability.

Vulnerable software versions

GNOME Web (Epiphany): 3.28.3.1

External links
https://gitlab.gnome.org/GNOME/epiphany/issues/532

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


OpenSUSE Linux update for webkit2gtk3
OpenSUSE Linux update for webkit2gtk3
Spoofing attack in webkit2gtk (Alpine package)
Fedora 30 update for wpewebkit
Fedora 29 update for wpewebkit
Fedora 28 update for webkit2gtk3
Fedora 29 update for webkit2gtk3
Fedora 30 update for webkit2gtk3
Arch Linux update for epiphany