ID CVE-2014-3494 Type cve Reporter NVD Modified 2015-09-28T20:29:06
Description
kio/usernotificationhandler.cpp in the POP3 kioslave in kdelibs 4.10.95 before 4.13.3 does not properly generate warning notifications, which allows man-in-the-middle attackers to obtain sensitive information via an invalid certificate.
{"title": "CVE-2014-3494", "reporter": "NVD", "enchantments": {"vulnersScore": 5.0}, "published": "2014-07-01T12:55:02", "cvelist": ["CVE-2014-3494"], "hash": "fd751646766c66b6749d941b7b0ca045eb3b0b7a72b0a1233d072efe01cb281b", "objectVersion": "1.2", "type": "cve", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3494", "bulletinFamily": "NVD", "id": "CVE-2014-3494", "history": [], "scanner": [], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "modified": "2015-09-28T20:29:06", "viewCount": 0, "cpe": ["cpe:/a:kde:kdelibs:4.12.2", "cpe:/a:kde:kdelibs:4.11.80", "cpe:/a:kde:kdelibs:4.13.1", "cpe:/a:kde:kdelibs:4.12.80", "cpe:/a:kde:kdelibs:4.10.97", "cpe:/a:kde:kdelibs:4.11.5", "cpe:/a:kde:kdelibs:4.12.1", "cpe:/a:kde:kdelibs:4.11.97", "cpe:/a:kde:kdelibs:4.12.5", "cpe:/a:kde:kdelibs:4.12.97", "cpe:/a:kde:kdelibs:4.11.3", "cpe:/a:kde:kdelibs:4.11.90", "cpe:/a:kde:kdelibs:4.12.4", "cpe:/a:kde:kdelibs:4.12.0", "cpe:/a:kde:kdelibs:4.13.0", "cpe:/a:kde:kdelibs:4.12.90", "cpe:/a:kde:kdelibs:4.11.4", "cpe:/a:kde:kdelibs:4.11.2", "cpe:/a:kde:kdelibs:4.11.95", "cpe:/a:kde:kdelibs:4.11.0", "cpe:/o:novell:opensuse:13.1", "cpe:/a:kde:kdelibs:4.12.95", "cpe:/a:kde:kdelibs:4.12.3", "cpe:/a:kde:kdelibs:4.11.1"], "edition": 1, "description": "kio/usernotificationhandler.cpp in the POP3 kioslave in kdelibs 4.10.95 before 4.13.3 does not properly generate warning notifications, which allows man-in-the-middle attackers to obtain sensitive information via an invalid certificate.", "references": ["http://lists.opensuse.org/opensuse-updates/2015-03/msg00068.html", "http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=bbae87dc1be3ae063796a582774bd5642cacdd5d&hp=1ccdb43ed3b32a7798eec6d39bb3c83a6e40228f", "http://www.securityfocus.com/bid/68113", "http://www.kde.org/info/security/advisory-20140618-1.txt"], "lastseen": "2016-09-03T20:27:30", "assessment": {"system": "", "name": "", "href": ""}}
{"result": {"freebsd": [{"id": "4A114331-0D24-11E4-8DD2-5453ED2E2B49", "type": "freebsd", "title": "kdelibs4 -- KMail/KIO POP3 SSL Man-in-the-middle Flaw", "description": "\nRichard J. Moore reports:\n\nThe POP3 kioslave used by KMail will accept invalid\n\t certificates without presenting a dialog to the user due a\n\t bug that leads to an inability to display the dialog\n\t combined with an error in the way the result is checked.\nThis flaw allows an active attacker to perform MITM\n\t attacks against the ioslave which could result in the leakage of\n\t sensitive data such as the authentication details and the contents of\n\t emails.\n\n", "published": "2014-06-17T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://vuxml.freebsd.org/freebsd/4a114331-0d24-11e4-8dd2-5453ed2e2b49.html", "cvelist": ["CVE-2014-3494"], "lastseen": "2016-09-26T17:24:24"}], "nessus": [{"id": "FEDORA_2014-7579.NASL", "type": "nessus", "title": "Fedora 20 : kdelibs-4.12.5-4.fc20 (2014-7579)", "description": "Fix security issue where POP3 kioslave silently accepted invalid SSL certificates.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-07-02T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=76334", "cvelist": ["CVE-2014-3494"], "lastseen": "2017-10-29T13:39:51"}, {"id": "FEDORA_2014-7572.NASL", "type": "nessus", "title": "Fedora 19 : kdelibs-4.11.5-4.fc19 (2014-7572)", "description": "Fix security issue where POP3 kioslave silently accepted invalid SSL certificates.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-07-06T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=76374", "cvelist": ["CVE-2014-3494"], "lastseen": "2017-10-29T13:35:44"}, {"id": "FREEBSD_PKG_4A1143310D2411E48DD25453ED2E2B49.NASL", "type": "nessus", "title": "FreeBSD : kdelibs4 -- KMail/KIO POP3 SSL Man-in-the-middle Flaw (4a114331-0d24-11e4-8dd2-5453ed2e2b49)", "description": "Richard J. Moore reports :\n\nThe POP3 kioslave used by KMail will accept invalid certificates without presenting a dialog to the user due a bug that leads to an inability to display the dialog combined with an error in the way the result is checked.\n\nThis flaw allows an active attacker to perform MITM attacks against the ioslave which could result in the leakage of sensitive data such as the authentication details and the contents of emails.", "published": "2014-07-17T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=76543", "cvelist": ["CVE-2014-3494"], "lastseen": "2017-10-29T13:45:34"}, {"id": "OPENSUSE-2015-251.NASL", "type": "nessus", "title": "openSUSE Security Update : kdebase4-runtime / kdelibs4 / konversation / etc (openSUSE-2015-251)", "description": "KDE and QT were updated to fix security issues and bugs.\n\nThe following vulerabilities were fixed :\n\n - CVE-2014-0190: Malformed GIF files could have crashed QT based applications\n\n - CVE-2015-0295: Malformed BMP files could have crashed QT based applications\n\n - CVE-2014-8600: Multiple cross-site scripting (XSS) vulnerabilities in the KDE runtime could have allowed remote attackers to insert arbitrary web script or HTML via crafted URIs using one of several supported URL schemes\n\n - CVE-2014-8483: A missing size check in the Blowfish ECB could have lead to a crash of Konversation or 11 byte information leak\n\n - CVE-2014-3494: The KMail POP3 kioslave accepted invalid certifiates and allowed a man-in-the-middle (MITM) attack\n\nAdditionally, Konversation was updated to 1.5.1 to fix bugs.", "published": "2015-03-24T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82014", "cvelist": ["CVE-2014-3494", "CVE-2014-0190", "CVE-2014-8483", "CVE-2015-0295", "CVE-2014-8600"], "lastseen": "2017-10-29T13:42:16"}, {"id": "GENTOO_GLSA-201406-34.NASL", "type": "nessus", "title": "GLSA-201406-34 : KDE Libraries: Multiple vulnerabilities", "description": "The remote host is affected by the vulnerability described in GLSA-201406-34 (KDE Libraries: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in KDE Libraries. Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could cause a man-in-the-middle attack via any certificate issued by a legitimate certification authority. Furthermore, a local attacker may gain knowledge of user passwords through an information leak.\n Workaround :\n\n There is no known workaround at this time.", "published": "2014-06-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=76305", "cvelist": ["CVE-2013-2074", "CVE-2014-3494", "CVE-2011-1094", "CVE-2011-3365"], "lastseen": "2017-10-29T13:36:05"}], "openvas": [{"id": "OPENVAS:1361412562310867935", "type": "openvas", "title": "Fedora Update for kdelibs FEDORA-2014-7579", "description": "Check for the Version of kdelibs", "published": "2014-07-01T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867935", "cvelist": ["CVE-2014-3494"], "lastseen": "2018-04-09T11:11:53"}, {"id": "OPENVAS:1361412562310867947", "type": "openvas", "title": "Fedora Update for kdelibs FEDORA-2014-7572", "description": "Check for the Version of kdelibs", "published": "2014-07-07T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867947", "cvelist": ["CVE-2014-3494"], "lastseen": "2018-04-09T11:14:09"}, {"id": "OPENVAS:1361412562310868372", "type": "openvas", "title": "Fedora Update for kdelibs FEDORA-2014-11348", "description": "Check the version of kdelibs", "published": "2014-10-11T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868372", "cvelist": ["CVE-2014-5033", "CVE-2014-3494"], "lastseen": "2017-07-31T10:49:01"}, {"id": "OPENVAS:1361412562310868320", "type": "openvas", "title": "Fedora Update for kdelibs FEDORA-2014-11448", "description": "Check for the Version of kdelibs", "published": "2014-10-01T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868320", "cvelist": ["CVE-2014-0191", "CVE-2014-5033", "CVE-2014-3494"], "lastseen": "2018-04-09T11:12:19"}, {"id": "OPENVAS:1361412562310121237", "type": "openvas", "title": "Gentoo Linux Local Check: https://security.gentoo.org/glsa/201406-34", "description": "Gentoo Linux Local Security Checks https://security.gentoo.org/glsa/201406-34", "published": "2015-09-29T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121237", "cvelist": ["CVE-2013-2074", "CVE-2014-3494", "CVE-2011-1094", "CVE-2011-3365"], "lastseen": "2018-04-09T11:24:57"}], "gentoo": [{"id": "GLSA-201406-34", "type": "gentoo", "title": "KDE Libraries: Multiple vulnerabilities", "description": "### Background\n\nKDE is a feature-rich graphical desktop environment for Linux and Unix-like operating systems. KDE Libraries contains libraries needed by all KDE applications. \n\n### Description\n\nMultiple vulnerabilities have been discovered in KDE Libraries. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could cause a man-in-the-middle attack via any certificate issued by a legitimate certification authority. Furthermore, a local attacker may gain knowledge of user passwords through an information leak. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll KDE users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=kde-base/kdelibs-4.12.5-r1\"", "published": "2014-06-29T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://security.gentoo.org/glsa/201406-34", "cvelist": ["CVE-2013-2074", "CVE-2014-3494", "CVE-2011-1094", "CVE-2011-3365"], "lastseen": "2016-09-06T19:46:45"}]}}
