Vulnerability Name:

CVE-2003-0459 (CCN-12761)

Assigned:2003-07-29
Published:2003-07-29
Updated:2017-10-11
Summary:KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Obtain Information
References:Source: CCN
Type: BugTraq Mailing List, Tue Jul 29 2003 - 04:40:44 CDT
Konqueror Referrer Authentication Leak

Source: MITRE
Type: CNA
CVE-2003-0459

Source: CONECTIVA
Type: UNKNOWN
CLA-2003:747

Source: CCN
Type: Conectiva Linux Security Announcement CLSA-2003:747
kde

Source: FULLDISC
Type: UNKNOWN
20030729 KDE Security Advisory: Konqueror Referrer Authentication Leak

Source: BUGTRAQ
Type: UNKNOWN
20030802 [slackware-security] KDE packages updated (SSA:2003-213-01)

Source: CCN
Type: RHSA-2003-235
Updated KDE packages fix security issue

Source: CCN
Type: RHSA-2003-236
kdelibs security update

Source: DEBIAN
Type: UNKNOWN
DSA-361

Source: DEBIAN
Type: DSA-361
kdelibs-crypto -- several vulnerabilities

Source: CCN
Type: K Desktop Environment (KDE) Web site
K Desktop Environment Home (kde.org)

Source: CONFIRM
Type: UNKNOWN
http://www.kde.org/info/security/advisory-20030729-1.txt

Source: MANDRAKE
Type: UNKNOWN
MDKSA-2003:079

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2003:235

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2003:236

Source: CCN
Type: BID-8297
KDE Konqueror HTTP REFERER Authentication Credential Leak Vulnerability

Source: CCN
Type: Slackware Security Advisory SSA:2003-213-01
KDE packages updated (SSA:2003-213-01)

Source: CCN
Type: TLSA-2003-45
Konqueror Referer Leaking Website Authentication Credentials

Source: TURBO
Type: UNKNOWN
TLSA-2003-45

Source: XF
Type: UNKNOWN
kde-konqueror-plaintext-password(12761)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:411

Source: SUSE
Type: SUSE-SA:2003:044
thttpd: remote privilege escalation/information leak

Source: SUSE
Type: SUSE-SA:2003:045
hylafax: remote code execution

Source: SUSE
Type: SUSE-SA:2003:046
sane: remote denial-of-service

Source: SUSE
Type: SUSE-SA:2003:047
bind8: cache poisoning/denial-of-service

Source: SUSE
Type: SUSE-SA:2003:049
Kernel brk() vulnerability: local root exploit

Source: SUSE
Type: SUSE-SA:2003:050
rsync: remote compromise

Vulnerable Configuration:Configuration 1:
  • cpe:/a:kde:konqueror:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:kde:konqueror:2.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:kde:konqueror:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:kde:konqueror:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:kde:konqueror:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:kde:konqueror:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:kde:konqueror:3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:kde:konqueror:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:kde:konqueror:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:kde:konqueror:3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:kde:konqueror_embedded:0.1:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:analog_real-time_synthesizer:2.1.1-5:*:i386:*:*:*:*:*
  • OR cpe:/a:redhat:analog_real-time_synthesizer:2.2-11:*:i386:*:*:*:*:*
  • OR cpe:/a:redhat:analog_real-time_synthesizer:2.2-11:*:ia64:*:*:*:*:*
  • OR cpe:/a:redhat:kdebase:3.0.3-13:*:i386:*:*:*:*:*
  • OR cpe:/a:redhat:kdebase:3.0.3-13:*:i386_dev:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs:2.1.1-5:*:i386:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs:2.2-11:*:i386:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs:2.2-11:*:ia64:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs:3.0.0-10:*:i386:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs:3.1-10:*:i386:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs_devel:2.1.1-5:*:i386_dev:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs_devel:2.2-11:*:i386_dev:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs_devel:2.2-11:*:ia64_dev:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs_devel:3.0.0-10:*:i386_dev:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs_devel:3.0.3-8:*:i386_dev:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs_devel:3.1-10:*:i386_dev:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs_sound:2.1.1-5:*:i386_sound:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs_sound:2.2-11:*:i386_sound:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs_sound:2.2-11:*:ia64_sound:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs_sound_devel:2.1.1-5:*:i386_sound_dev:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs_sound_devel:2.2-11:*:i386_sound_dev:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs_sound_devel:2.2-11:*:ia64_sound_dev:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:kde:konqueror:*:*:*:*:*:*:*:*
  • OR cpe:/a:kde:konqueror_embedded:*:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:linux:7:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_linux_database_server:*:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_linux_connectivity_server:*:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_linux_office_server:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:linux_enterprise_server:8:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:9.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:redhat:linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:slackware:slackware_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:aw:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_linux_school_server:-:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:9.1::ppc:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1::x86_64:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20030459
    V
    		CVE-2003-0459
    2015-11-16
    oval:org.debian:def:361
    V
    		several vulnerabilities
    2013-01-21
    oval:org.mitre.oval:def:411
    V
    		KDE Konqueror Userid/Password Disclosure Vulnerability
    2007-04-25
    BACK
    kde konqueror 2.1.1
    kde konqueror 2.2.2
    kde konqueror 3.0
    kde konqueror 3.0.1
    kde konqueror 3.0.2
    kde konqueror 3.0.3
    kde konqueror 3.0.5
    kde konqueror 3.1
    kde konqueror 3.1.1
    kde konqueror 3.1.2
    kde konqueror embedded 0.1
    redhat analog real-time synthesizer 2.1.1-5
    redhat analog real-time synthesizer 2.2-11
    redhat analog real-time synthesizer 2.2-11
    redhat kdebase 3.0.3-13
    redhat kdebase 3.0.3-13
    redhat kdelibs 2.1.1-5
    redhat kdelibs 2.2-11
    redhat kdelibs 2.2-11
    redhat kdelibs 3.0.0-10
    redhat kdelibs 3.1-10
    redhat kdelibs devel 2.1.1-5
    redhat kdelibs devel 2.2-11
    redhat kdelibs devel 2.2-11
    redhat kdelibs devel 3.0.0-10
    redhat kdelibs devel 3.0.3-8
    redhat kdelibs devel 3.1-10
    redhat kdelibs sound 2.1.1-5
    redhat kdelibs sound 2.2-11
    redhat kdelibs sound 2.2-11
    redhat kdelibs sound devel 2.1.1-5
    redhat kdelibs sound devel 2.2-11
    redhat kdelibs sound devel 2.2-11
    kde konqueror *
    kde konqueror embedded *
    redhat linux 7
    redhat linux 7.1
    redhat linux 7.2
    suse suse linux 7.3
    suse suse linux database server *
    suse suse linux connectivity server *
    suse suse linux 8.0
    conectiva linux 8.0
    redhat linux 7.3
    debian debian linux 3.0
    suse suse linux office server *
    redhat linux 8.0
    mandrakesoft mandrake linux 9.0
    suse suse linux 8.1
    suse linux enterprise server 8
    mandrakesoft mandrake linux corporate server 2.1
    mandrakesoft mandrake linux 9.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat linux 9.0
    slackware slackware linux 9.0
    suse suse linux 8.2
    redhat enterprise linux 2.1
    conectiva linux 9.0
    suse suse linux 9.0
    suse suse linux school server -
    redhat linux advanced workstation 2.1
    mandrakesoft mandrake linux 9.1
    mandrakesoft mandrake linux corporate server 2.1