CVE-2023-52723 - Vulnerability Details - OpenCVE

Description

In KDE libksieve before 23.03.80, kmanagesieve/session.cpp places a cleartext password in server logs because a username variable is accidentally given a password value.

Published: 2024-04-29

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-3809-1	libkf5ksieve security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0008.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/04/30/1
https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1
https://invent.kde.org/pim/libksieve/-/tags/v23.03.80
https://lists.debian.org/debian-lts-announce/2024/05/msg00004.html
https://www.openwall.com/lists/oss-security/2024/04/25/1

History

No history.

Subscriptions

Kde Libksieve

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-04-29T00:00:00.000Z

Updated: 2024-08-02T23:11:35.036Z

Reserved: 2024-04-29T00:00:00.000Z

Link: CVE-2023-52723

Vulnrichment

Updated: 2024-04-29T14:50:20.412Z

NVD

Status : Deferred

Published: 2024-04-29T06:15:06.983

Modified: 2026-04-15T00:35:42.020

Link: CVE-2023-52723

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-798

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-52723", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T23:11:35.036Z", "dateReserved": "2024-04-29T00:00:00.000Z", "datePublished": "2024-04-29T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-05T22:05:57.317Z"}, "descriptions": [{"lang": "en", "value": "In KDE libksieve before 23.03.80, kmanagesieve/session.cpp places a cleartext password in server logs because a username variable is accidentally given a password value."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1"}, {"url": "https://invent.kde.org/pim/libksieve/-/tags/v23.03.80"}, {"url": "https://www.openwall.com/lists/oss-security/2024/04/25/1"}, {"name": "[oss-security] 20240430 Re: libksieve (used by kmail/kontact) sent password as username", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/04/30/1"}, {"name": "[debian-lts-announce] 20240505 [SECURITY] [DLA 3809-1] libkf5ksieve security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00004.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-52723", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T14:45:01.089397Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:kde:libksieve:-:*:*:*:*:*:*:*"], "vendor": "kde", "product": "libksieve", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:22:40.824Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:11:35.036Z"}, "title": "CVE Program Container", "references": [{"url": "https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1", "tags": ["x_transferred"]}, {"url": "https://invent.kde.org/pim/libksieve/-/tags/v23.03.80", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/04/25/1", "tags": ["x_transferred"]}, {"name": "[oss-security] 20240430 Re: libksieve (used by kmail/kontact) sent password as username", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/04/30/1"}, {"name": "[debian-lts-announce] 20240505 [SECURITY] [DLA 3809-1] libkf5ksieve security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00004.html"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-52723", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-06-04T17:22:40.824Z", "dateReserved": "2024-04-29T00:00:00", "datePublished": "2024-04-29T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-05T22:05:57.317544"}, "descriptions": [{"lang": "en", "value": "In KDE libksieve before 23.03.80, kmanagesieve/session.cpp places a cleartext password in server logs because a username variable is accidentally given a password value."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1"}, {"url": "https://invent.kde.org/pim/libksieve/-/tags/v23.03.80"}, {"url": "https://www.openwall.com/lists/oss-security/2024/04/25/1"}, {"name": "[oss-security] 20240430 Re: libksieve (used by kmail/kontact) sent password as username", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/04/30/1"}, {"name": "[debian-lts-announce] 20240505 [SECURITY] [DLA 3809-1] libkf5ksieve security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00004.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-52723", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T14:45:01.089397Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:kde:libksieve:-:*:*:*:*:*:*:*"], "vendor": "kde", "product": "libksieve", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T14:50:20.412Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In KDE libksieve before 23.03.80, kmanagesieve/session.cpp places a cleartext password in server logs because a username variable is accidentally given a password value."}, {"lang": "es", "value": "En KDE libksieve anterior al 23.03.80, kmanagesieve/session.cpp coloca una contrase\u00f1a de texto plano en los registros del servidor porque a una variable de nombre de usuario se le asigna accidentalmente un valor de contrase\u00f1a."}], "id": "CVE-2023-52723", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-04-29T06:15:06.983", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2024/04/30/1"}, {"source": "cve@mitre.org", "url": "https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1"}, {"source": "cve@mitre.org", "url": "https://invent.kde.org/pim/libksieve/-/tags/v23.03.80"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00004.html"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2024/04/25/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/04/30/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://invent.kde.org/pim/libksieve/-/tags/v23.03.80"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00004.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.openwall.com/lists/oss-security/2024/04/25/1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}