CVE-2017-6410

Impact:
Low
Public Date:
2017-02-28
CWE:
CWE-200
Bugzilla:
1427808: CVE-2017-6410 kf5-kio, kdelibs: Information Leak when accessing https when using a malicious PAC file

The MITRE CVE dictionary describes this issue as:

kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls the PAC FindProxyForURL function with a full https URL (potentially including Basic Authentication credentials, a query string, or PATH_INFO), which allows remote attackers to obtain sensitive information via a crafted PAC file.
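
The mitigation for this class of bug is to reduce an https URL to scheme, host and port before handing it to FindProxyForURL, so that userinfo, path, query and fragment never reach the PAC script. The Python below is an added illustration, not KIO's code; `sanitize_url_for_pac`, `RecordingPac` and `resolve_proxy` are hypothetical names and the URLs are constructed samples.

```python
from urllib.parse import urlsplit, urlunsplit


def sanitize_url_for_pac(url: str) -> str:
    """Hypothetical helper: strip an https URL to scheme://host[:port]/.

    Credentials, path, query and fragment are dropped because a PAC script
    only needs the host to choose a proxy. Non-https URLs are returned
    unchanged, as they travel on the wire in the clear anyway.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return url
    host = parts.hostname or ""          # lower-cased, userinfo removed
    if ":" in host:                      # IPv6 literal: restore brackets
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, "/", "", ""))


class RecordingPac:
    """Constructed stand-in for a PAC script's FindProxyForURL.

    It simply records every URL it is handed, which is exactly the data a
    malicious PAC file could capture.
    """

    def __init__(self) -> None:
        self.seen: list[str] = []

    def find_proxy_for_url(self, url: str, host: str) -> str:
        self.seen.append(url)
        return "DIRECT"


def resolve_proxy(pac: RecordingPac, url: str, sanitize: bool = True) -> str:
    """Hand a URL to the PAC, optionally sanitising it first (the fix)."""
    passed = sanitize_url_for_pac(url) if sanitize else url
    host = urlsplit(url).hostname or ""
    return pac.find_proxy_for_url(passed, host)


if __name__ == "__main__":
    # Constructed sample: credentials and an account id in the URL.
    sample = "https://alice:hunter2@bank.example/account?id=42#x"
    pac = RecordingPac()
    resolve_proxy(pac, sample, sanitize=False)   # vulnerable behaviour
    resolve_proxy(pac, sample)                   # fixed behaviour
    for seen in pac.seen:
        print("PAC saw:", seen)
```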

Find out more about CVE-2017-6410 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score:    5.3
CVSS3 Base Metrics:  CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector:       Adjacent Network
Attack Complexity:   High
Privileges Required: None
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity Impact:    None
Availability Impact: None

Affected Packages State

Platform                    Package   State
Red Hat Enterprise Linux 7  kdelibs   Will not fix
Red Hat Enterprise Linux 6  kdelibs   Will not fix
Red Hat Enterprise Linux 5  kdelibs   Will not fix

CVE description copyright © 2017, The MITRE Corporation
