CVE-2013-2074 : kioslave/http/http.cpp in KIO in kdelibs 4.10.3 and earlier allows attackers to discover credentials via a crafted reque

kioslave/http/http.cpp in KIO in kdelibs 4.10.3 and earlier allows attackers to discover credentials via a crafted request that triggers an "internal server error," which includes the username and password in an error message.

Published 2014-02-05 19:55:29

Updated 2014-02-25 00:26:39

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2013-2074

Probability of exploitation activity in the next 30 days: 0.74%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 79 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2013-2074

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2013-2074

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-2074

http://xorl.wordpress.com/2013/05/22/cve-2013-2074-kde-kdelibs-password-exposure/

CVE-2013-2074: KDE kdelibs Password Exposure | xorl %eax, %eax
http://www.openwall.com/lists/oss-security/2013/05/11/2

oss-security - Re: CVE request: password exposure in kdelibs when showing "internal server error" messages
https://bugzilla.redhat.com/show_bug.cgi?id=961981

961981 – (CVE-2013-2074) CVE-2013-2074 kdelibs: prints passwords contained in HTTP URLs in error messages
https://bugs.kde.org/show_bug.cgi?id=319428

319428 – notifications about errors contain password
Vendor Advisory
http://ubuntu.com/usn/usn-1842-1

USN-1842-1: KDE-Libs vulnerability | Ubuntu security notices
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707776

#707776 - kde4libs: CVE-2013-2074: prints passwords contained in HTTP URLs in error messages - Debian Bug report logs
https://projects.kde.org/projects/kde/kdelibs/repository/revisions/65d736dab592bced4410ccfa4699de89f78c96ca/diff/kioslave/http/http.cpp

kdelibs.git - The KDE Library
http://www.openwall.com/lists/oss-security/2013/05/10/4

oss-security - CVE request: password exposure in kdelibs when showing "internal server error" messages

Products affected by CVE-2013-2074

KDE » Kdelibs
Versions up to, including, (<=) 4.10.3
cpe:2.3:a:kde:kdelibs:*:*:*:*:*:*:*:*
Matching versions
KDE » Kdelibs » Version: 4.10.1
cpe:2.3:a:kde:kdelibs:4.10.1:*:*:*:*:*:*:*
Matching versions
KDE » Kdelibs » Version: 4.10.2
cpe:2.3:a:kde:kdelibs:4.10.2:*:*:*:*:*:*:*
Matching versions
KDE » Kdelibs » Version: 4.10.0
cpe:2.3:a:kde:kdelibs:4.10.0:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2013-2074

Exploit prediction scoring system (EPSS) score for CVE-2013-2074

CVSS scores for CVE-2013-2074

CWE ids for CVE-2013-2074

References for CVE-2013-2074

Products affected by CVE-2013-2074