KDE kio 4.10.3 noticifations about errors contain password

2013-05-10 / 2013-05-12

Credit: Seth Arnold

Risk: Medium

Local: Yes

Remote: No

CVE: CVE-2013-2074

CWE: CWE-200

CVSS Base Score: 5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

A bug in our Launchpad [1] refers to KDE Bug 319428 [2] as fixing a
security issue: displaying raw URLs, including passwords, in a handful
of error messages. A patch is in git [3] to sanitize URLs before
displaying them in the affected error messages.
1: https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286
2: https://bugs.kde.org/show_bug.cgi?id=319428
3: http://commits.kde.org/kdelibs/65d736dab592bced4410ccfa4699de89f78c96ca

References:

https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286

https://bugs.kde.org/show_bug.cgi?id=319428

http://commits.kde.org/kdelibs/65d736dab592bced4410ccfa4699de89f78c96ca

http://seclists.org/oss-sec/2013/q2/303

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

KDE kio 4.10.3 noticifations about errors contain password

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.