usn-7729-1
Vulnerability from osv_ubuntu
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk discovered that the KMail application of KDE PIM could be made to leak the plaintext of S/MIME encrypted emails when retrieving external content in emails. Under certain configurations, if a user were tricked into opening a specially crafted email, an attacker could possibly use this issue to obtain the plaintext of an encrypted email. This update mitigates the issue by preventing KMail from automatically loading external content. (CVE-2017-17689)
Jens Müller, Marcus Brinkmann, Damian Poddebniak, Sebastian Schinzel, and Jörg Schwenk discovered that the KMail application of KDE PIM could be made to leak the plaintext of S/MIME or PGP encrypted emails. If a user were tricked into replying to a specially crafted email, an attacker could possibly use this issue to obtain the plaintext of an encrypted email. (CVE-2019-10732)
It was discovered that the KMail application of KDE PIM could be made to attach files to an email without the user's knowledge. If a user were tricked into sending an email created by a specially crafted "mailto" link, an attacker could possibly use this issue to obtain sensitive files. This update mitigates the issue by displaying a warning to the user when files are attached in this way. (CVE-2020-11880)
It was discovered that the Account Wizard application of KDE PIM used HTTP rather than HTTPS when retrieving certain email server configurations. An attacker could possibly use this issue to cause email clients to use an attacker-controlled email server. This issue only affected Ubuntu 16.04 LTS. (CVE-2024-50624)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2017-17689",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2019-10732",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2020-11880",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:14.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "akonadiconsole",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "akregator",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "blogilo",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kaddressbook",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kaddressbook-mobile",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kalarm",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kde-config-pimactivity",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kdepim",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kdepim-kresources",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kdepim-mobile",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kdepim-mobileui-data",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kdepim-themeeditors",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kjots",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kleopatra",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kmail",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kmail-mobile",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "knode",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "knotes",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "konsolekalendar",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "kontact",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "korganizer",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "korganizer-mobile",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "ktimetracker",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "ktnef",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libcalendarsupport4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libcomposereditorng4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libeventviews4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libgrammar4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libincidenceeditorsng4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libkdepim4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libkdepimdbusinterfaces4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libkdepimmobileui4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libkdgantt2-0",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libkleo4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libkmanagesieve4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libkpgp4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libksieve4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libksieveui4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libmailcommon4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libmailimporter4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libmessagecomposer4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libmessagecore4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libmessagelist4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libmessageviewer4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libnoteshared4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libpimactivity4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libpimcommon4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libsendlater4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "libtemplateparser4",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "notes-mobile",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "storageservicemanager",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
},
{
"binary_name": "tasks-mobile",
"binary_version": "4:4.13.3-0ubuntu0.2+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "kdepim",
"purl": "pkg:deb/ubuntu/kdepim@4:4.13.3-0ubuntu0.2+esm1?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4:4.13.3-0ubuntu0.2+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4:4.11.2-0ubuntu1",
"4:4.11.2-0ubuntu2",
"4:4.11.80-0ubuntu1",
"4:4.11.95-0ubuntu1",
"4:4.11.97-0ubuntu1",
"4:4.12.0-0ubuntu1",
"4:4.12.1-0ubuntu1",
"4:4.12.2-0ubuntu1",
"4:4.12.3-0ubuntu1",
"4:4.12.90-0ubuntu1",
"4:4.12.90-0ubuntu2",
"4:4.12.95-0ubuntu1",
"4:4.12.97-0ubuntu1",
"4:4.13.0-0ubuntu1",
"4:4.13.1-0ubuntu0.1",
"4:4.13.2-0ubuntu0.1",
"4:4.13.3-0ubuntu0.1",
"4:4.13.3-0ubuntu0.2"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2017-17689",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2019-10732",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2020-11880",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-50624",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:16.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "accountwizard",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "akonadiconsole",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "akregator",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "blogilo",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "kaddressbook",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "kalarm",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "kdepim",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "kdepim-themeeditors",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "kleopatra",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "kmail",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "knotes",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "konsolekalendar",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "kontact",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "korganizer",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "ktnef",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5calendarsupport5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5composereditorng5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5eventviews5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5followupreminder5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5gravatar5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5incidenceeditorsng5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5kdepimdbusinterfaces5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5kdgantt2-5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5kmanagesieve5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5ksieve5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5ksieveui5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5libkdepim5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5libkleo5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5mailcommon5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5mailimporter5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5messagecomposer5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5messagecore5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5messagelist5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5messageviewer5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5noteshared5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5pimcommon5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5sendlater5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "libkf5templateparser5",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
},
{
"binary_name": "storageservicemanager",
"binary_version": "4:15.12.3-0ubuntu1.1+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "kdepim",
"purl": "pkg:deb/ubuntu/kdepim@4:15.12.3-0ubuntu1.1+esm1?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4:15.12.3-0ubuntu1.1+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4:15.08.2-0ubuntu1",
"4:15.12.1-1ubuntu6",
"4:15.12.3-0ubuntu1",
"4:15.12.3-0ubuntu1.1"
]
}
],
"aliases": [],
"details": "Damian Poddebniak, Christian Dresen, Jens M\u00fcller, Fabian Ising,\nSebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and J\u00f6rg\nSchwenk discovered that the KMail application of KDE PIM could be made\nto leak the plaintext of S/MIME encrypted emails when retrieving\nexternal content in emails. Under certain configurations, if a user were\ntricked into opening a specially crafted email, an attacker could\npossibly use this issue to obtain the plaintext of an encrypted email.\nThis update mitigates the issue by preventing KMail from automatically\nloading external content. (CVE-2017-17689)\n\nJens M\u00fcller, Marcus Brinkmann, Damian Poddebniak, Sebastian Schinzel,\nand J\u00f6rg Schwenk discovered that the KMail application of KDE PIM could\nbe made to leak the plaintext of S/MIME or PGP encrypted emails. If a\nuser were tricked into replying to a specially crafted email, an\nattacker could possibly use this issue to obtain the plaintext of an\nencrypted email. (CVE-2019-10732)\n\nIt was discovered that the KMail application of KDE PIM could be made to\nattach files to an email without the user\u0027s knowledge. If a user\nwere tricked into sending an email created by a specially crafted\n\"mailto\" link, an attacker could possibly use this issue to obtain\nsensitive files. This update mitigates the issue by displaying a\nwarning to the user when files are attached in this way.\n(CVE-2020-11880)\n\nIt was discovered that the Account Wizard application of KDE PIM used\nHTTP rather than HTTPS when retrieving certain email server\nconfigurations. An attacker could possibly use this issue to cause email\nclients to use an attacker-controlled email server. This issue only\naffected Ubuntu 16.04 LTS. (CVE-2024-50624)",
"id": "USN-7729-1",
"modified": "2026-06-25T10:46:56Z",
"published": "2025-09-02T16:41:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7729-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-17689"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-10732"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-11880"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2024-50624"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "kdepim vulnerabilities",
"upstream": [
"UBUNTU-CVE-2017-17689",
"UBUNTU-CVE-2019-10732",
"UBUNTU-CVE-2020-11880",
"UBUNTU-CVE-2024-50624"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.