CVE-2017-9604

KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8	Mailing List Patch Tool Signature
https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197	Mailing List Patch Tool Signature

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:kde:kmail::::::::
	cpe:2.3:a:kde:messagelib::::::::

cpe:2.3:o:kde:kde:17.04:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-06-13 13:29

Updated : 2024-02-28 16:04

NVD link : CVE-2017-9604

Mitre link : CVE-2017-9604

CVE.ORG link : CVE-2017-9604

JSON object : View

Products Affected

kde

kde
kmail
messagelib

CWE

CWE-311

Missing Encryption of Sensitive Data

{"id": "CVE-2017-9604", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2017-06-13T13:29:00.220", "references": [{"url": "https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8", "tags": ["Mailing List", "Patch", "Tool Signature"], "source": "cve@mitre.org"}, {"url": "https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197", "tags": ["Mailing List", "Patch", "Tool Signature"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-311"}]}], "descriptions": [{"lang": "en", "value": "KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network."}, {"lang": "es", "value": "KDE kmail anterior a la 5.5.2 y messagelib anterior a la 5.5.2, como distribuciones en aplicaciones KDE anteriores a la 17.04.2, no asegura que la acci\u00f3n de firma del plugin ocurre durante el uso de la caracter\u00edstica Send Later, lo que permite a un atacante remoto obtener informaci\u00f3n sensible mediante la observaci\u00f3n de la red."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kde:kmail:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AFE05B36-25E9-45C3-B954-23274FF27E23", "versionEndIncluding": "5.5.1"}, {"criteria": "cpe:2.3:a:kde:messagelib:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EFB5A70C-A555-4661-AD17-FFD7B8401A76", "versionEndIncluding": "5.5.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:kde:kde:17.04:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "65A3F3E7-0DD1-44DE-BE29-72C6CEA77327"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}