CVE-2004-1171
First published: Fri Dec 10 2004(Updated: )
KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1) manually entered by the user or (2) created by the SMB protocol handler, stores those credentials for plaintext in the user's .desktop file, which may be created with world-readable permissions, which could allow local users to obtain usernames and passwords for remote resources such as SMB shares.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| KDE KDE | =3.3.2 | |
| Red Hat Fedora Core | =core_2.0 | |
| KDE KDE | =3.3.1 | |
| KDE KDE | =3.2.2 | |
| KDE KDE | =3.2.1 | |
| Mandrake Linux | =10.1 | |
| KDE KDE | =3.3 | |
| Mandrake Linux | =10.0 | |
| KDE KDE | =3.2 | |
| KDE KDE | =3.2.3 | |
| Red Hat Fedora Core | =core_3.0 | |
| Mandrake Linux | =10.0 | |
| Mandrake Linux | =10.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/11866
- http://www.kb.cert.org/vuls/id/305294
- http://www.sec-consult.com/index.php?id=118
- http://www.kde.org/info/security/advisory-20041209-1.txt
- http://archives.neohapsis.com/archives/fulldisclosure/2004-11/1292.html
- http://www.gentoo.org/security/en/glsa/glsa-200412-16.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:150
- http://www.ciac.org/ciac/bulletins/p-051.shtml
- http://www.osvdb.org/12248
- http://securitytracker.com/id?1012471
- http://secunia.com/advisories/13560
- http://secunia.com/advisories/13477
- http://secunia.com/advisories/13486
- http://marc.info/?l=bugtraq&m=110178786809694&w=2
- http://marc.info/?l=bugtraq&m=110261063201488&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18267
Frequently Asked Questions
What is the severity of CVE-2004-1171?
CVE-2004-1171 is considered a moderate severity vulnerability due to the potential exposure of sensitive user credentials.
How do I fix CVE-2004-1171?
To mitigate CVE-2004-1171, users should upgrade to a patched version of KDE that does not store credentials in plaintext within .desktop files.
Who is affected by CVE-2004-1171?
CVE-2004-1171 affects users of KDE versions 3.2.x and 3.3.0 through 3.3.2 as well as certain versions of Red Hat Fedora Core and Mandrake Linux.
What types of credentials are impacted by CVE-2004-1171?
CVE-2004-1171 impacts credentials that are manually entered by users or created by the SMB protocol handler, which are saved in plaintext.
What happens if I don't address CVE-2004-1171?
If CVE-2004-1171 is not addressed, local users may be able to read stored plaintext credentials, leading to potential unauthorized access.
- agent/type
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- vendor/kde
- product/kde
- canonical/kde kde
- vendor/redhat
- product/fedora core
- canonical/redhat fedora core
- vendor/mandrakesoft
- product/mandrake linux
- canonical/mandrakesoft mandrake linux
- agent/software-canonical-lookup-request
- collector/nvd-index
- version/kde kde/3.3.2
- canonical/red hat fedora core
- version/red hat fedora core/core_2.0
- version/kde kde/3.3.1
- version/kde kde/3.2.2
- version/kde kde/3.2.1
- canonical/mandrake linux
- version/mandrake linux/10.1
- version/kde kde/3.3
- version/mandrake linux/10.0
- version/kde kde/3.2
- version/kde kde/3.2.3
- version/red hat fedora core/core_3.0