CVE-2024-50624

ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the configuration. This is related to kmail-account-wizard.

References

Affected packages

Debian:11 / kmail-account-wizard

Package

Name: kmail-account-wizard
Purl: pkg:deb/debian/kmail-account-wizard?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4:20.08.3-1+deb11u1

Affected versions

4:20.*

4:20.08.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / kmail-account-wizard

Package

Name: kmail-account-wizard
Purl: pkg:deb/debian/kmail-account-wizard?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4:22.*

4:22.12.3-1

4:22.12.3-2

4:22.12.3-3

4:24.*

4:24.08.0-1

4:24.08.2-1

4:24.12.0-1

4:24.12.0-2

4:24.12.2-1

4:24.12.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / kmail-account-wizard

Package

Name: kmail-account-wizard
Purl: pkg:deb/debian/kmail-account-wizard?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4:24.12.0-2

Affected versions

4:22.*

4:22.12.3-1

4:22.12.3-2

4:22.12.3-3

4:24.*

4:24.08.0-1

4:24.08.2-1

4:24.12.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}