CVE-2017-6410
First published: Thu Mar 02 2017(Updated: )
kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls the PAC FindProxyForURL function with a full https URL (potentially including Basic Authentication credentials, a query string, or PATH_INFO), which allows remote attackers to obtain sensitive information via a crafted PAC file.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| KDE kdelibs3 | <=4.14.29 | |
| KDE kio | <=5.31 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-6410?
CVE-2017-6410 is rated as important due to the potential exposure of sensitive information.
How do I fix CVE-2017-6410?
To fix CVE-2017-6410, upgrade KDE kio to version 5.32 or higher, and KDE kdelibs to version 4.14.30 or higher.
What vulnerabilities does CVE-2017-6410 exploit?
CVE-2017-6410 exploits a weakness in the handling of PAC files that could lead to sensitive data exposure.
Which software is affected by CVE-2017-6410?
CVE-2017-6410 affects KDE kdelibs versions prior to 4.14.30 and KDE kio versions prior to 5.32.
Can CVE-2017-6410 affect authentication credentials?
Yes, CVE-2017-6410 can potentially expose Basic Authentication credentials if included in the URL.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/kde
- canonical/kde kdelibs3
- version/kde kdelibs3/4.14.29
- canonical/kde kio
- version/kde kio/5.31