SB2025090337 - Ubuntu update for kmail

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025090337

SB2025090337 - Ubuntu update for kmail

Published: September 3, 2025

Security Bulletin ID SB2025090337
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2017-17689)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper access controls. A remote attacker with access to a target user's S/MIME encrypted email message can exploit a property of Cipher Feedback Mode (CFB) by modifying known plaintext blocks (such as MIME headers). When the target user decrypts and views the modified email message, the target user's mail client will parse the resulting modified HTML content and disclose the original plaintext to a remote URL.

This exploit is the "CFB gadget" attack method of the vulnerability referred to as "EFAIL".


2) Input validation error (CVE-ID: CVE-2020-11880)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message without showing a warning to the user, as demonstrated by an attach=.bash_history value.


Remediation

Install update from vendor's website.

References