MEDIUM 4.3 Published on 2018-04-01

CVE-2018-6849

In the WebRTC component in DuckDuckGo 4.2.0, after visiting a web site that attempts to gather complete client information (such as https://ip.voidsec.com), the browser can disclose a private IP address in a STUN request.

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Affected mobile apps

DuckDuckGo

com.duckduckgo.mobile.ios

1 open

DuckDuckGo

com.duckduckgo.mobile.android

1 open

Vulnerable CPE configurations

Vendor	Product	Platform	Versions	CPE 2.3 URI
duckduckgo	duckduckgo	Android	—	cpe:2.3:a:duckduckgo:duckduckgo:4.2.0:::::::*
duckduckgo	duckduckgo	iOS	—	cpe:2.3:a:duckduckgo:duckduckgo:4.2.0:::::::*

View on NVD ↗