CVE-2017-6410

kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls the PAC FindProxyForURL function with a full https URL (potentially including Basic Authentication credentials, a query string, or PATH_INFO), which allows remote attackers to obtain sensitive information via a crafted PAC file.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.5 MEDIUM | LOCAL | LOW | NONE | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| mitre | CNA | --- | --- | | | |
| CVE | ADP | --- | --- | | | |
EPSS Score: percentile 28%
| Vendor | Product | Version |
|---|---|---|
| kde | kdelibs | x ≤ 4.14.29 |
| kde | kio | x ≤ 5.31 |

x = vulnerable software versions
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| kio | bullseye | 5.78.0-5 | fixed |
| kio | bookworm | 5.103.0-1+deb12u1 | fixed |
| kio | sid | 5.115.0-8 | fixed |
| kio | trixie | 5.115.0-8 | fixed |
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| kde4libs | yakkety | Fixed 4:4.14.22-0ubuntu2.1 | released |
| kde4libs | xenial | Fixed 4:4.14.16-0ubuntu3.1 | released |
| kde4libs | trusty | Fixed 4:4.13.3-0ubuntu0.4 | released |
| kde4libs | precise | Fixed 4:4.8.5-0ubuntu0.6 | released |
| kio | yakkety | Fixed 5.26.0-0ubuntu2.1 | released |
| kio | xenial | Fixed 5.18.0-0ubuntu1.1 | released |
| kio | trusty | dne | |
| kio | precise | dne | |

dne = package does not exist in this release