#VU37559 Information disclosure in plasma-workspace - CVE-2018-6790

Cybersecurity Help s.r.o.

Published: 2018-02-07 | Updated: 2020-08-08

Vulnerability identifier: #VU37559

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-6790

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
plasma-workspace
Client/Desktop applications / Other client software

Vendor: KDE.org

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An issue was discovered in KDE Plasma Workspace before 5.12.0. dataengines/notifications/notificationsengine.cpp allows remote attackers to discover client IP addresses via a URL in a notification, as demonstrated by the src attribute of an IMG element.

Mitigation
Install update from vendor's website.

Vulnerable software versions

plasma-workspace: 5.0.0 - 5.11.95

External links
https://access.redhat.com/errata/RHSA-2019:2141
https://cgit.kde.org/plasma-workspace.git/commit/?id=5bc696b5abcdb460c1017592e80b2d7f6ed3107c
https://cgit.kde.org/plasma-workspace.git/commit/?id=8164beac15ea34ec0d1564f0557fe3e742bdd938
https://phabricator.kde.org/D10188
https://www.kde.org/announcements/plasma-5.11.5-5.12.0-changelog.php

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for KDE Plasma Workspaces

Fedora 26 update for plasma-workspace

Fedora 27 update for plasma-workspace

OpenSUSE Linux update for plasma5-workspace

Multiple vulnerabilities in KDE plasma-workspace