Executive Summary
Summary | |
---|---|
Title | New kdelibs-crypto packages fix multiple vulnerabilities |
Information | | | |
---|---|---|---|
Name | DSA-361 | First vendor Publication | 2003-08-01 |
Vendor | Debian | Last vendor Modification | 2003-08-09 |
Severity (Vendor) | N/A | Revision | 2 |
Security-Database Scoring CVSS v3
CVSS vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | | | |
---|---|---|---|
CVSS Base Score | 7.5 | Attack Range | Network |
CVSS Impact Score | 6.4 | Attack Complexity | Low |
CVSS Exploit Score | 10 | Authentication | None Required |
Detail
Two vulnerabilities were discovered in kdelibs:

- CAN-2003-0459: KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites.
- CAN-2003-0370: Konqueror Embedded and KDE 2.2.2 and earlier does not validate the Common Name (CN) field for X.509 Certificates, which could allow remote attackers to spoof certificates via a man-in-the-middle attack.

These vulnerabilities are described in the following security advisories from KDE:

- http://www.kde.org/info/security/advisory-20030729-1.txt
- http://www.kde.org/info/security/advisory-20030602-1.txt

For the current stable distribution (woody) these problems have been fixed in version 2.2.2-6woody2.

For the unstable distribution (sid) these problems have been fixed in kdelibs version 4:3.1.3-1.

We recommend that you update your kdelibs-crypto package.
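As an added illustration of the first issue (CAN-2003-0459), and not code from the advisory, Debian or KDE: the faulty behaviour of copying the page URL verbatim into the Referer header, beside the corrected derivation that strips `user:password@`, plus a check a defender can run over Referer values found in web server logs. The URLs and credentials in it are constructed samples.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Added example, not KDE or Debian code. It models the defect behind
# CAN-2003-0459: a browser that copies the current page URL verbatim into
# the HTTP Referer header leaks embedded "user:password@" credentials to
# every site the page links to.

def leaky_referer(page_url: str) -> str:
    """The faulty behaviour: the page URL, credentials included, goes out as-is."""
    return page_url

def strip_userinfo(url: str) -> str:
    """Return url with any user[:password]@ removed from the authority part."""
    p = urlsplit(url)
    if p.username is None and p.password is None:
        return url
    host = p.hostname or ""
    if ":" in host:                 # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if p.port is not None:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, p.fragment))

def safe_referer(page_url: str) -> Optional[str]:
    """Referer value a browser should send for a link followed from page_url.

    Credentials are removed and the fragment is dropped; non-HTTP(S) pages
    get no Referer at all.
    """
    p = urlsplit(page_url)
    if p.scheme not in ("http", "https"):
        return None
    q = urlsplit(strip_userinfo(page_url))
    return urlunsplit((q.scheme, q.netloc, q.path, q.query, ""))

def referer_leaks_credentials(header_value: str) -> bool:
    """Defender-side check for a Referer header value (e.g. from access logs)."""
    p = urlsplit(header_value)
    return p.username is not None or p.password is not None

if __name__ == "__main__":
    # Constructed sample page URL; the credentials are not real.
    page = "http://alice:s3cret@intranet.example:8080/report?id=7#top"
    print("leaky :", leaky_referer(page))
    print("safe  :", safe_referer(page))
    print("leaks?:", referer_leaks_credentials(leaky_referer(page)))
```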
Original Source
URL : http://www.debian.org/security/2003/dsa-361
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:411 | |||
Oval ID: | oval:org.mitre.oval:def:411 | ||
Title: | KDE Konqueror Userid/Password Disclosure Vulnerability | ||
Description: | KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2003-0459 | Version: | 2 |
Platform(s): | Red Hat Linux 9 | Product(s): | Konqueror |
Definition Synopsis: | | | |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2008-01-17 | Name : Debian Security Advisory DSA 361-1 (kdelibs) File : nvt/deb_361_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
2538 | KDE does not validate the Common Name field. Konqueror Embedded and KDE 2.2.2 and earlier does not validate the Common Name (CN) field for X.509 Certificates, which could allow remote attackers to spoof certificates via a man-in-the-middle attack. |
2127 | KDE Konqueror HTTP REFERER Authentication Credential Leak. KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-361.nasl - Type : ACT_GATHER_INFO |
2004-07-31 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2003-079.nasl - Type : ACT_GATHER_INFO |
2004-07-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2003-193.nasl - Type : ACT_GATHER_INFO |
2004-07-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2003-236.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:32:49 | |