CVE-2017-6410

kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls the PAC FindProxyForURL function with a full https URL (potentially including Basic Authentication credentials, a query string, or PATH_INFO), which allows remote attackers to obtain sensitive information via a crafted PAC file.

References

Affected packages

Git / github.com/kde/kdelibs

Affected ranges

Type

GIT

Repo

https://github.com/kde/kdelibs

Events

Introduced

Last affected

f635d3b2347b400b74f199f1904a5129def28890

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.14.29"
        }
    ]
}

Type

GIT

Repo

https://github.com/kde/kio

Events

Introduced

Last affected

0996491501b66ea0853ce4f2d42f15a44db38528

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.31"
        }
    ]
}

Affected versions

v3.*

v3.4.0-beta1

v3.4.0-beta2

v3.80.2

v3.80.3

v3.91

v3.92

v3.95

v3.96

v3.97

v4.*

v4.0.71

v4.0.80

v4.0.83

v4.10.90

v4.10.95

v4.100.0-rc1

v4.13.80

v4.13.90

v4.13.95

v4.13.97

v4.14.0

v4.14.1

v4.14.10

v4.14.11

v4.14.12

v4.14.13

v4.14.14

v4.14.15

v4.14.16

v4.14.17

v4.14.18

v4.14.19

v4.14.2

v4.14.20

v4.14.21

v4.14.22

v4.14.23

v4.14.24

v4.14.25

v4.14.26

v4.14.27

v4.14.28

v4.14.29

v4.14.3

v4.14.4

v4.14.5

v4.14.6

v4.14.7

v4.14.8

v4.14.9

v4.4.80

v4.4.85

v4.95.0

v4.96.0

v4.97.0

v5.*

v5.31.0

v5.31.0-rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6410.json"