Vulnerability Details : CVE-2013-2074
kioslave/http/http.cpp in KIO in kdelibs 4.10.3 and earlier allows attackers to discover credentials via a crafted request that triggers an "internal server error," because the error message embeds the full request URL, including any username and password carried in the URL's userinfo part (for example http://user:password@host/...). In practice this means a server (or anyone able to make the server return such an error) can cause the user's own stored HTTP credentials to be shown in a desktop error notification or logged.
Vulnerability category: Information leak
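The fix for this class of bug is to strip the password from a URL before it is embedded in any user-visible or logged error text. The following is an added example, not code from kdelibs or the referenced fix commit; it is a plain C++ illustration (no Qt/KUrl, whose API is assumed not to be available here) of a hypothetical redaction helper and of the check a reviewer would apply to the "vulnerable" versus "hardened" error message. The sample URLs and the secret are constructed for the example.

```cpp
#include <string>

// Hypothetical helper (not from kdelibs): remove the password from the userinfo
// part of a URL so that "http://alice:s3cret@example.org/p" becomes
// "http://alice@example.org/p". URLs without a password are returned unchanged.
std::string redactUrlPassword(const std::string &url) {
    // The userinfo can only appear in the authority section, i.e. between
    // "://" and the first '/', '?' or '#' that follows it.
    std::string::size_type schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return url;
    std::string::size_type authorityStart = schemeEnd + 3;
    std::string::size_type authorityEnd = url.find_first_of("/?#", authorityStart);
    if (authorityEnd == std::string::npos) authorityEnd = url.size();

    // The last '@' inside the authority separates userinfo from host; '@'
    // characters later in the path are deliberately ignored.
    std::string::size_type at = url.rfind('@', authorityEnd);
    if (at == std::string::npos || at < authorityStart) return url; // no userinfo

    // The first ':' inside the userinfo separates user from password. A ':' after
    // the '@' belongs to a port, not to a password.
    std::string::size_type colon = url.find(':', authorityStart);
    if (colon == std::string::npos || colon > at) return url; // user only

    return url.substr(0, colon) + url.substr(at);
}

// The vulnerable pattern: the raw URL, password included, is copied into the
// error text shown to the user.
std::string vulnerableErrorMessage(const std::string &requestUrl) {
    return "Internal server error while processing " + requestUrl;
}

// The hardened pattern: the password is redacted before the URL is embedded.
std::string hardenedErrorMessage(const std::string &requestUrl) {
    return "Internal server error while processing " + redactUrlPassword(requestUrl);
}

// Check used below: does the produced message still contain the secret?
bool leaksSecret(const std::string &message, const std::string &secret) {
    return message.find(secret) != std::string::npos;
}

int main() {
    // Constructed sample request: credentials embedded in the URL, as the
    // advisory describes. The password "s3cret" must never reach the message.
    const std::string url = "http://alice:s3cret@example.org/path?x=1";
    bool before = leaksSecret(vulnerableErrorMessage(url), "s3cret"); // true
    bool after  = leaksSecret(hardenedErrorMessage(url), "s3cret");   // false
    return (before && !after) ? 0 : 1;
}
```

The same check can be turned into a unit test for any kioslave-style error path: feed a URL with userinfo through the error-message builder and assert that the password string is absent from the result, which is exactly the regression this CVE would have been caught by.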
Products affected by CVE-2013-2074
- cpe:2.3:a:kde:kdelibs:*:*:*:*:*:*:*:*
- cpe:2.3:a:kde:kdelibs:4.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:kde:kdelibs:4.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:kde:kdelibs:4.10.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-2074
- EPSS score: 0.74% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~79% (proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2013-2074
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
CWE ids for CVE-2013-2074
- CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-2074
- http://xorl.wordpress.com/2013/05/22/cve-2013-2074-kde-kdelibs-password-exposure/
  CVE-2013-2074: KDE kdelibs Password Exposure | xorl %eax, %eax
- http://www.openwall.com/lists/oss-security/2013/05/11/2
  oss-security - Re: CVE request: password exposure in kdelibs when showing "internal server error" messages
- https://bugzilla.redhat.com/show_bug.cgi?id=961981
  961981 – (CVE-2013-2074) CVE-2013-2074 kdelibs: prints passwords contained in HTTP URLs in error messages
- https://bugs.kde.org/show_bug.cgi?id=319428
  319428 – notifications about errors contain password (Vendor Advisory)
- http://ubuntu.com/usn/usn-1842-1
  USN-1842-1: KDE-Libs vulnerability | Ubuntu security notices
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707776
  #707776 - kde4libs: CVE-2013-2074: prints passwords contained in HTTP URLs in error messages - Debian Bug report logs
- https://projects.kde.org/projects/kde/kdelibs/repository/revisions/65d736dab592bced4410ccfa4699de89f78c96ca/diff/kioslave/http/http.cpp
  kdelibs.git - The KDE Library (fix commit, diff of kioslave/http/http.cpp)
- http://www.openwall.com/lists/oss-security/2013/05/10/4
  oss-security - CVE request: password exposure in kdelibs when showing "internal server error" messages