#VU27617 Business Logic Errors in kio-extras - CVE-2020-12755
Published: May 11, 2020


Vulnerability identifier: #VU27617
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-12755
CWE-ID: CWE-840
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
kio-extras
Software vendor:
KDE.org

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists because kio_fish stores the typed password in KWallet even if the user does not check the Remember box. The defect resides in fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0, which makes a cacheAuthentication call even if the user had not set the keepPassword option.

This is considered a security issue by users who do not trust KWallet (e.g. because passwords can be read in KWalletManager, given physical access), as it leads to unintended KWallet storage of the password.
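The logic defect described above, modelled as an added C++ example that is not code from kio-extras: the AuthInfo struct, the WalletStub and both establishConnection functions are stand-ins constructed here to show the pattern, not the project's real types. The vulnerable path hands the password to the wallet on every successful login regardless of keepPassword; the corrected path consults the wallet only when the user asked for it.

```cpp
#include <map>
#include <string>

// Constructed stand-in for the authentication record passed around by a
// KIO worker. Assumption: only the fields relevant to this bug are modelled.
struct AuthInfo {
    std::string url;
    std::string username;
    std::string password;
    bool keepPassword = false;   // true only when the user ticks "Remember"
};

// Constructed stand-in for the wallet: what a cacheAuthentication() call persists.
struct WalletStub {
    std::map<std::string, std::string> stored;   // url -> password
    void cacheAuthentication(const AuthInfo& info) { stored[info.url] = info.password; }
    bool has(const std::string& url) const { return stored.count(url) != 0; }
};

// Vulnerable pattern, as the advisory describes it: after a login that
// supplied a password, cacheAuthentication is called with no keepPassword check.
bool establishConnectionVulnerable(WalletStub& wallet, const AuthInfo& info) {
    if (info.password.empty()) {
        return false;                      // nothing to authenticate with
    }
    wallet.cacheAuthentication(info);      // bug: persists even when Remember was not ticked
    return true;
}

// Hardened pattern: the wallet is written only when the user opted in.
bool establishConnectionFixed(WalletStub& wallet, const AuthInfo& info) {
    if (info.password.empty()) {
        return false;
    }
    if (info.keepPassword) {               // gate the persistent store on the user's choice
        wallet.cacheAuthentication(info);
    }
    return true;
}

using ConnectFn = bool (*)(WalletStub&, const AuthInfo&);

// Check: does a login with Remember unticked leave a secret in the wallet?
bool leaksWithoutRemember(ConnectFn connect) {
    WalletStub wallet;
    // Constructed sample credentials; the host name is deliberately non-routable.
    AuthInfo info{"fish://host.example.invalid/home", "alice", "constructed-secret", false};
    connect(wallet, info);
    return wallet.has(info.url);
}

// Check: with Remember ticked, the password is still stored as the user expects.
bool storesWithRemember(ConnectFn connect) {
    WalletStub wallet;
    AuthInfo info{"fish://host.example.invalid/home", "alice", "constructed-secret", true};
    connect(wallet, info);
    return wallet.has(info.url);
}

int main() {
    // Stand-alone run: the vulnerable variant leaks, the fixed one does not,
    // and the fixed one still honours an explicit Remember.
    bool ok = leaksWithoutRemember(establishConnectionVulnerable)
           && !leaksWithoutRemember(establishConnectionFixed)
           && storesWithRemember(establishConnectionFixed);
    return ok ? 0 : 1;
}
```

The practical check after updating is the one the advisory itself points at: connect to a fish:// host without ticking Remember, then open KWalletManager and confirm that no entry for that host was written.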


Remediation

Install updates from vendor's website.

External links