CVE-2014-3494
Published: 2014-07-01
Priority: P4 · 16 · medium · CVSS 2.0 base score 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS: 0.71% (48.9th percentile)
kio/usernotificationhandler.cpp in the POP3 kioslave in kdelibs 4.10.95 before 4.13.3 does not properly generate warning notifications, which allows man-in-the-middle attackers to obtain sensitive information via an invalid certificate.
Affected
24 ranges listed (23 entries for kde/kdelibs and 1 for opensuse/opensuse; the record carries no version range or fixed-in data for any of them):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kde | kdelibs | — | — |
| opensuse | opensuse | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Red Hat
kdelibs: POP3 kioslave silently accepted invalid SSL certificates
Source: vendor_redhat · 2014-06-17 · CVSS 4.3 · Severity MEDIUM · CWE-295
Package status:
kdelibs (Red Hat Enterprise Linux 5): Not affected
kdelibs (Red Hat Enterprise Linux 6): Not affected
kdelibs3 (Red Hat Enterprise Linux 6): Not affected
kdelibs (Red Hat Enterprise Linux 7): Not affected
GHSA
GHSA-rjp2-g39x-38r6: kio/usernotificationhandler
Source: ghsa_unreviewed · 2022-05-14 · Severity MEDIUM · CWE-200
OSV
CVE-2014-3494: kio/usernotificationhandler
Source: osv · 2014-07-01 · CVSS 4.3 · Severity MEDIUM
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-3494 kdelibs: POP3 kioslave silently accepted invalid SSL certificates [fedora-all]
Source: bugzilla · 2014-06-19 · CVSS 4.3 · Severity MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, use the bodhi submission link noted
in the next comment(s). This will include the bug IDs of this tracking
bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
NOTE: this issue af
Bugzilla
CVE-2014-3494 kdelibs: POP3 kioslave silently accepted invalid SSL certificates
Source: bugzilla · 2014-06-19 · CVSS 4.3 · Severity MEDIUM
The KDE project fixed the following issue:
""
Overview
The POP3 kioslave used by kmail will accept invalid certificates without
presenting a dialog to the user due to a bug that leads to an inability to
display the dialog combined with an error in the way the result is checked.
Impact
This flaw allows an active attacker to perform MITM attacks against the
kioslave which could result in the leakage of sensitive data such as the
authentication details and the contents of emails.
""
Upstream notes this issue affected versions 4.10.95 to 4.13.2. It has been fixed in version 4.13.3. In addition to this, from an initial analysis it appears that only kdelibs in Fedora is affected (kdelibs3 should not be affected). k
References
http://www.kde.org/info/security/advisory-20140618-1.txt
http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=bbae87dc1be3ae063796a582774bd5642cacdd5d&hp=1ccdb43ed3b32a7798eec6d39bb3c83a6e40228f
http://lists.opensuse.org/opensuse-updates/2015-03/msg00068.html
http://www.securityfocus.com/bid/68113