CVE-2023-52723 - Vulnerability Details - OpenCVE

In KDE libksieve before 23.03.80, kmanagesieve/session.cpp places a cleartext password in server logs because a username variable is accidentally given a password value.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Kde	Libksieve

No data.

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/04/30/1
https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1
https://invent.kde.org/pim/libksieve/-/tags/v23.03.80
https://lists.debian.org/debian-lts-announce/2024/05/msg00004.html
https://www.openwall.com/lists/oss-security/2024/04/25/1

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-04-29T00:00:00

Updated: 2024-08-02T23:11:35.036Z

Reserved: 2024-04-29T00:00:00

Link: CVE-2023-52723

Vulnrichment

Updated: 2024-04-29T14:50:20.412Z

NVD

Status : Awaiting Analysis

Published: 2024-04-29T06:15:06.983

Modified: 2024-11-21T08:40:26.517

Link: CVE-2023-52723

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-52723", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T23:11:35.036Z", "dateReserved": "2024-04-29T00:00:00", "datePublished": "2024-04-29T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-05T22:05:57.317544"}, "descriptions": [{"lang": "en", "value": "In KDE libksieve before 23.03.80, kmanagesieve/session.cpp places a cleartext password in server logs because a username variable is accidentally given a password value."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1"}, {"url": "https://invent.kde.org/pim/libksieve/-/tags/v23.03.80"}, {"url": "https://www.openwall.com/lists/oss-security/2024/04/25/1"}, {"name": "[oss-security] 20240430 Re: libksieve (used by kmail/kontact) sent password as username", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/04/30/1"}, {"name": "[debian-lts-announce] 20240505 [SECURITY] [DLA 3809-1] libkf5ksieve security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00004.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-52723", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T14:45:01.089397Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:kde:libksieve:-:*:*:*:*:*:*:*"], "vendor": "kde", "product": "libksieve", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:22:40.824Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:11:35.036Z"}, "title": "CVE Program Container", "references": [{"url": "https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1", "tags": ["x_transferred"]}, {"url": "https://invent.kde.org/pim/libksieve/-/tags/v23.03.80", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/04/25/1", "tags": ["x_transferred"]}, {"name": "[oss-security] 20240430 Re: libksieve (used by kmail/kontact) sent password as username", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/04/30/1"}, {"name": "[debian-lts-announce] 20240505 [SECURITY] [DLA 3809-1] libkf5ksieve security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00004.html"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-52723", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-06-04T17:22:40.824Z", "dateReserved": "2024-04-29T00:00:00", "datePublished": "2024-04-29T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-05T22:05:57.317544"}, "descriptions": [{"lang": "en", "value": "In KDE libksieve before 23.03.80, kmanagesieve/session.cpp places a cleartext password in server logs because a username variable is accidentally given a password value."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1"}, {"url": "https://invent.kde.org/pim/libksieve/-/tags/v23.03.80"}, {"url": "https://www.openwall.com/lists/oss-security/2024/04/25/1"}, {"name": "[oss-security] 20240430 Re: libksieve (used by kmail/kontact) sent password as username", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/04/30/1"}, {"name": "[debian-lts-announce] 20240505 [SECURITY] [DLA 3809-1] libkf5ksieve security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00004.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-52723", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T14:45:01.089397Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:kde:libksieve:-:*:*:*:*:*:*:*"], "vendor": "kde", "product": "libksieve", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T14:50:20.412Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"descriptions": [{"lang": "en", "value": "In KDE libksieve before 23.03.80, kmanagesieve/session.cpp places a cleartext password in server logs because a username variable is accidentally given a password value."}, {"lang": "es", "value": "En KDE libksieve anterior al 23.03.80, kmanagesieve/session.cpp coloca una contrase\u00f1a de texto plano en los registros del servidor porque a una variable de nombre de usuario se le asigna accidentalmente un valor de contrase\u00f1a."}], "id": "CVE-2023-52723", "lastModified": "2024-11-21T08:40:26.517", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-04-29T06:15:06.983", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2024/04/30/1"}, {"source": "cve@mitre.org", "url": "https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1"}, {"source": "cve@mitre.org", "url": "https://invent.kde.org/pim/libksieve/-/tags/v23.03.80"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00004.html"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2024/04/25/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/04/30/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://invent.kde.org/pim/libksieve/-/tags/v23.03.80"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00004.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.openwall.com/lists/oss-security/2024/04/25/1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}