CVE-2017-6410

CWE-319 — Cleartext Transmission CWE-200 — Information Exposure11 documents8 sources

Severity

5.5MEDIUM

EPSS

0.3%

top 47.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

KDE Kdelibs KDE KIO

Timeline

PublishedMar 2

Latest updateMay 13

Description

kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls the PAC FindProxyForURL function with a full https URL (potentially including Basic Authentication credentials, a query string, or PATH_INFO), which allows remote attackers to obtain sensitive information via a crafted PAC file.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDkde/kdelibs4.14.29

▶Debiankio< 5.28.0-2+3

▶NVDkde/kio5.31

Patches

Patch: www.kde.org ↗Patch: www.kde.org ↗

🔴Vulnerability Details

GHSA

GHSA-6qcm-9vg4-jxv8: kpac/script↗2022-05-13

▶

CVEList

CVE-2017-6410: kpac/script↗2017-03-02

▶

OSV

CVE-2017-6410: kpac/script↗2017-03-02

▶

📋Vendor Advisories

Ubuntu

KDE-Libs vulnerability↗2017-03-09

▶

Red Hat

kdelibs: Information Leak when accessing https when using a malicious PAC file↗2017-02-28

▶

Debian

CVE-2017-6410: kio - kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls the PAC ...↗2017

▶

💬Community

Bugzilla

CVE-2017-6410 kdelibs: kf5-kio, kdelibs: Information Leak when accessing https when using a malicious PAC file [fedora-all]↗2017-03-01

▶

Bugzilla

CVE-2017-6410 kf5-kio: kf5-kio, kdelibs: Information Leak when accessing https when using a malicious PAC file [fedora-all]↗2017-03-01

▶

Bugzilla

CVE-2017-6410 kf5-kio, kdelibs: Information Leak when accessing https when using a malicious PAC file↗2017-03-01

▶

Bugzilla

CVE-2017-6410 kf5-kio: kf5-kio, kdelibs: Information Leak when accessing https when using a malicious PAC file [epel-7]↗2017-03-01

▶