{"api_version":"1","generated_at":"2026-04-22T19:34:55+00:00","cve":"CVE-2019-11070","urls":{"html":"https://cve.report/CVE-2019-11070","api":"https://cve.report/api/cve/CVE-2019-11070.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-11070","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-11070"},"summary":{"title":"CVE-2019-11070","description":"WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-04-10 21:29:00","updated_at":"2023-11-07 03:02:00"},"problem_types":["CWE-19"],"metrics":[],"references":[{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html","name":"openSUSE-SU-2019:1374","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:1374-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/3948-1/","name":"USN-3948-1","refsource":"UBUNTU","tags":[],"title":"USN-3948-1: WebKitGTK+ vulnerabilities | Ubuntu security notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/","name":"FEDORA-2019-d9a15be3ba","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 30 Update: webkit2gtk3-2.24.1-1.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html","name":"openSUSE-SU-2019:1391","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:1391-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html","name":"http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html","refsource":"MISC","tags":["Third Party Advisory"],"title":"WebKitGTK+ / WPE WebKit URI Spoofing / Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/","name":"FEDORA-2019-d9a15be3ba","refsource":"","tags":[],"title":"[SECURITY] Fedora 30 Update: webkit2gtk3-2.24.1-1.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugs.webkit.org/show_bug.cgi?id=193718","name":"https://bugs.webkit.org/show_bug.cgi?id=193718","refsource":"MISC","tags":["Issue Tracking","Third Party Advisory"],"title":"193718 – (CVE-2019-11070) [GStreamer] HLS, DASH, and Smooth Streaming implementations ignore proxy settings","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://trac.webkit.org/changeset/243197/webkit","name":"https://trac.webkit.org/changeset/243197/webkit","refsource":"MISC","tags":["Patch","Vendor Advisory"],"title":"Changeset 243197 – WebKit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://seclists.org/bugtraq/2019/Apr/21","name":"20190411 WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002","refsource":"BUGTRAQ","tags":["Mailing List","Third Party Advisory","VDB Entry"],"title":"Bugtraq: WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2019/04/11/1","name":"[oss-security] 20190410 WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002","refsource":"MLIST","tags":["Third Party Advisory"],"title":"oss-security - WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/201909-05","name":"GLSA-201909-05","refsource":"GENTOO","tags":[],"title":"WebkitGTK+: Multiple vulnerabilities (GLSA 201909-05) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-11070","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11070","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"11070","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"webkitgtk","cpe5":"webkitgtk","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11070","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"webkitgtk","cpe5":"webkitgtk","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11070","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wpewebkit","cpe5":"wpe_webkit","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11070","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wpewebkit","cpe5":"wpe_webkit","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-11070","qid":"296078","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 16.4.0 Missing (CPUOCT2019)"},{"cve":"CVE-2019-11070","qid":"377553","title":"Alibaba Cloud Linux Security Update for webkitgtk4 (ALINUX2-SA-2020:0147)"},{"cve":"CVE-2019-11070","qid":"501282","title":"Alpine Linux Security Update for webkit2gtk"},{"cve":"CVE-2019-11070","qid":"505503","title":"Alpine Linux Security Update for webkit2gtk"},{"cve":"CVE-2019-11070","qid":"710127","title":"Gentoo Linux WebkitGTK+ Multiple vulnerabilities (GLSA 201909-05)"},{"cve":"CVE-2019-11070","qid":"940366","title":"AlmaLinux Security Update for GNOME (ALSA-2019:3553)"},{"cve":"CVE-2019-11070","qid":"960235","title":"Rocky Linux Security Update for GNOME (RLSA-2019:3553)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-11070","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://bugs.webkit.org/show_bug.cgi?id=193718","refsource":"MISC","name":"https://bugs.webkit.org/show_bug.cgi?id=193718"},{"url":"https://trac.webkit.org/changeset/243197/webkit","refsource":"MISC","name":"https://trac.webkit.org/changeset/243197/webkit"},{"refsource":"BUGTRAQ","name":"20190411 WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002","url":"https://seclists.org/bugtraq/2019/Apr/21"},{"refsource":"MLIST","name":"[oss-security] 20190410 WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002","url":"http://www.openwall.com/lists/oss-security/2019/04/11/1"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html","url":"http://packetstormsecurity.com/files/152485/WebKitGTK-WPE-WebKit-URI-Spoofing-Code-Execution.html"},{"refsource":"FEDORA","name":"FEDORA-2019-d9a15be3ba","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO5ZBUWOOXMVZPBYLZRDZF6ZQGBYJERQ/"},{"refsource":"UBUNTU","name":"USN-3948-1","url":"https://usn.ubuntu.com/3948-1/"},{"refsource":"SUSE","name":"openSUSE-SU-2019:1374","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html"},{"refsource":"SUSE","name":"openSUSE-SU-2019:1391","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00031.html"},{"refsource":"GENTOO","name":"GLSA-201909-05","url":"https://security.gentoo.org/glsa/201909-05"}]}},"nvd":{"publishedDate":"2019-04-10 21:29:00","lastModifiedDate":"2023-11-07 03:02:00","problem_types":["CWE-19"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:wpewebkit:wpe_webkit:*:*:*:*:*:*:*:*","versionEndExcluding":"2.24.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:webkitgtk:webkitgtk:*:*:*:*:*:*:*:*","versionEndExcluding":"2.24.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"11070","Ordinal":"149356","Title":"CVE-2019-11070","CVE":"CVE-2019-11070","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"11070","Ordinal":"1","NoteData":"WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"11070","Ordinal":"2","NoteData":"2019-04-10","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"11070","Ordinal":"3","NoteData":"2019-09-06","Type":"Other","Title":"Modified"}]}}}