Candidate: CVE-2021-31855
PublicDate: 2021-06-02 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31855
 https://kde.org/info/security/advisory-20210429-1.txt
 https://commits.kde.org/messagelib/3b5b171e91ce78b966c98b1292a1bcbc8d984799
Description:
 KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in
 some situations. Deleting an attachment of a decrypted encrypted message
 stored on a remote server (e.g., an IMAP server) causes KMail to upload the
 decrypted content of the message to the remote server. With a crafted
 message, a user could be tricked into decrypting an encrypted message and
 then deleting an attachment attached to this message. If the attacker has
 access to the messages stored on the email server, then the attacker could
 read the decrypted content of the encrypted message. This occurs in
 ViewerPrivate::deleteAttachment in messageviewer/src/viewer/viewer_p.cpp.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989438
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]


Patches_kf5-messagelib:
upstream_kf5-messagelib: needs-triage
trusty_kf5-messagelib: ignored (out of standard support)
trusty/esm_kf5-messagelib: DNE
xenial_kf5-messagelib: ignored (out of standard support)
bionic_kf5-messagelib: needs-triage
focal_kf5-messagelib: needs-triage
groovy_kf5-messagelib: ignored (reached end-of-life)
hirsute_kf5-messagelib: ignored (reached end-of-life)
impish_kf5-messagelib: needs-triage
jammy_kf5-messagelib: needs-triage
devel_kf5-messagelib: needs-triage

Patches_kdepim4:
upstream_kdepim4: needs-triage
trusty_kdepim4: ignored (out of standard support)
trusty/esm_kdepim4: DNE
xenial_kdepim4: ignored (out of standard support)
bionic_kdepim4: needs-triage
focal_kdepim4: DNE
groovy_kdepim4: DNE
hirsute_kdepim4: DNE
impish_kdepim4: DNE
jammy_kdepim4: DNE
devel_kdepim4: DNE