CVE-2017-6410

Source
https://cve.org/CVERecord?id=CVE-2017-6410
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-6410.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-6410
Published
2017-03-02T06:59:01.183Z
Modified
2026-04-11T16:24:05.794044Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
[none]
Details

kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls the PAC FindProxyForURL function with a full https URL (potentially including Basic Authentication credentials, a query string, or PATH_INFO), which allows remote attackers to obtain sensitive information via a crafted PAC file.

Affected packages

Git / github.com/kde/kdelibs

Affected ranges

Type
GIT
Repo
https://github.com/kde/kdelibs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "cpe": "cpe:2.3:a:kde:kdelibs:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.14.29"
        }
    ]
}

Affected versions

v3.*
v3.4.0-beta1
v3.4.0-beta2
v3.80.2
v3.80.3
v3.91
v3.92
v3.95
v3.96
v3.97
v4.*
v4.0.71
v4.0.80
v4.0.83
v4.10.90
v4.10.95
v4.13.80
v4.13.90
v4.13.95
v4.13.97
v4.14.0
v4.14.1
v4.14.10
v4.14.11
v4.14.12
v4.14.13
v4.14.14
v4.14.15
v4.14.16
v4.14.17
v4.14.18
v4.14.19
v4.14.2
v4.14.20
v4.14.21
v4.14.22
v4.14.23
v4.14.24
v4.14.25
v4.14.26
v4.14.27
v4.14.28
v4.14.29
v4.14.3
v4.14.4
v4.14.5
v4.14.6
v4.14.7
v4.14.8
v4.14.9
v4.4.80
v4.4.85

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-6410.json"

Git / github.com/kde/kio

Affected ranges

Type
GIT
Repo
https://github.com/kde/kio
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "cpe": "cpe:2.3:a:kde:kio:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.31"
        }
    ]
}

Affected versions

v4.*
v4.100.0-rc1
v4.95.0
v4.96.0
v4.97.0
v5.*
v5.31.0
v5.31.0-rc1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-6410.json"