Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2014-8878 |
CWE-ID | CWE-310 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
kmail Client/Desktop applications / Other client software |
Vendor | KDE.org |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU38186
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-8878
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
KDE KMail does not encrypt attachments in emails when "automatic encryption" is enabled, which allows remote attackers to obtain sensitive information by sniffing the network.
MitigationInstall update from vendor's website.
Vulnerable software versionskmail: 4.11.5
External linkshttp://www.openwall.com/lists/oss-security/2015/07/16/10
http://www.securityfocus.com/bid/75986
http://bugs.kde.org/show_bug.cgi?id=340312
http://bugzilla.redhat.com/show_bug.cgi?id=1243777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.