Vulnerability Description
KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1) manually entered by the user or (2) created by the SMB protocol handler, stores those credentials for plaintext in the user's .desktop file, which may be created with world-readable permissions, which could allow local users to obtain usernames and passwords for remote resources such as SMB shares.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kde | Kde | 3.2 |
| Mandrakesoft | Mandrake Linux | 10.0 |
| Redhat | Fedora Core | core_2.0 |
References
- http://archives.neohapsis.com/archives/fulldisclosure/2004-11/1292.html
- http://marc.info/?l=bugtraq&m=110178786809694&w=2
- http://marc.info/?l=bugtraq&m=110261063201488&w=2
- http://secunia.com/advisories/13477
- http://secunia.com/advisories/13486
- http://secunia.com/advisories/13560
- http://securitytracker.com/id?1012471
- http://www.ciac.org/ciac/bulletins/p-051.shtml
- http://www.gentoo.org/security/en/glsa/glsa-200412-16.xml
- http://www.kb.cert.org/vuls/id/305294Third Party AdvisoryUS Government Resource
- http://www.kde.org/info/security/advisory-20041209-1.txt
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:150
- http://www.osvdb.org/12248
- http://www.sec-consult.com/index.php?id=118
- http://www.securityfocus.com/bid/11866PatchVendor Advisory
FAQ
What is CVE-2004-1171?
CVE-2004-1171 is a vulnerability with a CVSS score of 2.1 (LOW). KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1) manually entered by the user or (2) created by the SMB protocol handler, stores those credentials for plaintext in the user's .d...
How severe is CVE-2004-1171?
CVE-2004-1171 has been rated LOW with a CVSS base score of 2.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2004-1171?
Check the references section above for vendor advisories and patch information. Affected products include: Kde Kde, Mandrakesoft Mandrake Linux, Redhat Fedora Core.