CVE-2018-19120

Name: CVE-2018-19120
Description: The HTML thumbnailer plugin in KDE Applications before 18.12.0 allows attackers to trigger outbound TCP connections to arbitrary IP addresses, leading to disclosure of the source IP address.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 913595, 913596

Vulnerable and fixed packages

The table below lists information on source packages.

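| Source Package | Release | Version | Status |
|---|---|---|---|
| kde-runtime (PTS) | jessie | 4:4.14.2-2 | vulnerable |
| kde-runtime (PTS) | stretch | 4:16.08.3-2 | vulnerable |
| kde-runtime (PTS) | bullseye, buster, sid | 4:17.08.3-2.1 | vulnerable |
| kio-extras (PTS) | stretch | 4:16.08.3-1 | vulnerable |
| kio-extras (PTS) | bullseye, buster, sid | 4:18.08.3-1 | fixed |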

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| kde-runtime | source | (unstable) | (unfixed) | medium | | 913596 |
| kio-extras | source | (unstable) | 4:18.08.3-1 | medium | | 913595 |

Notes

[stretch] - kio-extras <no-dsa> (Minor issue)
[buster] - kde-runtime <no-dsa> (Minor issue)
[stretch] - kde-runtime <no-dsa> (Minor issue)
[jessie] - kde-runtime <ignored> (Minor issue)
https://www.kde.org/info/security/advisory-20181012-1.txt
