Vulnerability CVE-2019-10732

Vulnerability Name:

CVE-2019-10732 (CCN-160111)

Assigned:

2019-04-07

Published:

2019-04-07

Updated:

2022-04-05

Summary:

In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker.

CVSS v3 Severity:

4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-319

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2019-10732

Source: CCN
Type: KDE Bugtracking System Bug 404698
Decryption Oracle based on replying to PGP or S/MIME encrypted emails

Source: MISC
Type: Exploit, Issue Tracking, Third Party Advisory
https://bugs.kde.org/show_bug.cgi?id=404698

Source: XF
Type: UNKNOWN
kdekmail-cve201910732-info-disc(160111)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20190618 [SECURITY] [DLA 1825-1] kdepim security update

Vulnerable Configuration:

Configuration 1:

cpe:/a:kde:kmail:5.2.3:*:*:*:*:*:*:*

Configuration 2:

cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:kde:kmail:5.2.3:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:112981	P	messagelib-21.08.1-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:100361	P	(Important)	2021-12-06
oval:org.opensuse.security:def:106428	P	messagelib-21.08.1-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:107027	P	Security update for messagelib (Moderate)	2021-02-02
oval:org.opensuse.security:def:11171	P	Security update for messagelib (Moderate)	2021-02-02
oval:org.opensuse.security:def:93648	P	Security update for messagelib (Moderate)	2021-02-02
oval:org.opensuse.security:def:110658	P	Security update for messagelib (Moderate)	2021-01-29
oval:com.ubuntu.cosmic:def:201910732000	V	CVE-2019-10732 on Ubuntu 18.10 (cosmic) - medium.	2019-04-07
oval:com.ubuntu.disco:def:2019107320000000	V	CVE-2019-10732 on Ubuntu 19.04 (disco) - medium.	2019-04-07
oval:com.ubuntu.bionic:def:201910732000	V	CVE-2019-10732 on Ubuntu 18.04 LTS (bionic) - medium.	2019-04-07
oval:com.ubuntu.cosmic:def:2019107320000000	V	CVE-2019-10732 on Ubuntu 18.10 (cosmic) - medium.	2019-04-07
oval:com.ubuntu.bionic:def:2019107320000000	V	CVE-2019-10732 on Ubuntu 18.04 LTS (bionic) - medium.	2019-04-07

BACK