usn-7731-1
Vulnerability from osv_ubuntu
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk discovered that KMail could be made to leak the plaintext of S/MIME encrypted emails when retrieving external content in emails. Under certain configurations, if a user were tricked into opening a specially crafted email, an attacker could possibly use this issue to obtain the plaintext of an encrypted email. This update mitigates the issue by preventing KMail from automatically loading external content. This issue only affected Ubuntu 18.04 LTS. (CVE-2017-17689)
It was discovered that KMail could be made to attach files to an email without the user's knowledge. If a user were tricked into sending an email created by a specially crafted "mailto" link, an attacker could possibly use this issue to obtain sensitive files. (CVE-2020-11880)
| URL | Type | |
|---|---|---|
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2017-17689",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2020-11880",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "kmail",
"binary_version": "4:17.12.3-0ubuntu1+esm1"
},
{
"binary_name": "ktnef",
"binary_version": "4:17.12.3-0ubuntu1+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "kmail",
"purl": "pkg:deb/ubuntu/kmail@4:17.12.3-0ubuntu1+esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4:17.12.3-0ubuntu1+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4:17.04.3-0ubuntu1",
"4:17.08.3-0ubuntu1",
"4:17.08.3-0ubuntu2",
"4:17.12.2-0ubuntu1",
"4:17.12.3-0ubuntu1"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2020-11880",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "kmail",
"binary_version": "4:19.12.3-0ubuntu1+esm1"
},
{
"binary_name": "ktnef",
"binary_version": "4:19.12.3-0ubuntu1+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "kmail",
"purl": "pkg:deb/ubuntu/kmail@4:19.12.3-0ubuntu1+esm1?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4:19.12.3-0ubuntu1+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4:19.04.3-0ubuntu2",
"4:19.04.3-0ubuntu3",
"4:19.12.3-0ubuntu1"
]
}
],
"aliases": [],
"details": "Damian Poddebniak, Christian Dresen, Jens M\u00fcller, Fabian Ising,\nSebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and J\u00f6rg\nSchwenk discovered that KMail could be made to leak the plaintext\nof S/MIME encrypted emails when retrieving external content in emails.\nUnder certain configurations, if a user were tricked into opening a\nspecially crafted email, an attacker could possibly use this issue to\nobtain the plaintext of an encrypted email. This update mitigates the\nissue by preventing KMail from automatically loading external content.\nThis issue only affected Ubuntu 18.04 LTS. (CVE-2017-17689)\n\nIt was discovered that KMail could be made to attach files to an email\nwithout the user\u0027s knowledge. If a user were tricked into sending an\nemail created by a specially crafted \"mailto\" link, an attacker could\npossibly use this issue to obtain sensitive files. (CVE-2020-11880)",
"id": "USN-7731-1",
"modified": "2026-02-10T04:49:48Z",
"published": "2025-09-02T19:13:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7731-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-17689"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-11880"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "kmail vulnerabilities",
"upstream": [
"UBUNTU-CVE-2017-17689",
"UBUNTU-CVE-2020-11880"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.