First published: Fri Dec 10 2004
KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1) manually entered by the user or (2) created by the SMB protocol handler, stores those credentials in plaintext in the user's .desktop file. That file may be created with world-readable permissions, which could allow local users to obtain usernames and passwords for remote resources such as SMB shares.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
KDE Kde Beta 3 | =3.2 | |
KDE Kde Beta 3 | =3.2.1 | |
KDE Kde Beta 3 | =3.2.2 | |
KDE Kde Beta 3 | =3.2.3 | |
KDE Kde Beta 3 | =3.3 | |
KDE Kde Beta 3 | =3.3.1 | |
KDE Kde Beta 3 | =3.3.2 | |
Mandrake Linux | =10.0 | |
Mandrake Linux | =10.1 | |
Red Hat Fedora Core | =core_2.0 | |
Red Hat Fedora Core | =core_3.0 | |
CVE-2004-1171 is considered a moderate severity vulnerability due to the potential exposure of sensitive user credentials.
To mitigate CVE-2004-1171, users should upgrade to a patched version of KDE that does not store credentials in plaintext within .desktop files.
CVE-2004-1171 affects users of KDE versions 3.2.x and 3.3.0 through 3.3.2 as well as certain versions of Red Hat Fedora Core and Mandrake Linux.
CVE-2004-1171 impacts credentials that are manually entered by users or created by the SMB protocol handler, which are saved in plaintext.
If CVE-2004-1171 is not addressed, local users may be able to read stored plaintext credentials, leading to potential unauthorized access.