SB2014032103 - Information disclosure in KDE trojita
Published: March 21, 2014 Updated: August 10, 2020
Security Bulletin ID
SB2014032103
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2014-2567)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The OpenConnectionTask::handleStateHelper function in Imap/Tasks/OpenConnectionTask.cpp in Trojita before 0.4.1 allows man-in-the-middle attackers to trigger use of cleartext for saving a message into a (1) sent or (2) draft folder via a PREAUTH response that prevents later use of the STARTTLS command.
Remediation
Install update from vendor's website.