PatchSiren cyber security CVE debrief
CVE-2017-6410 KDE CVE debrief
CVE-2017-6410 is an information-disclosure flaw in KDE's proxy auto-configuration (PAC) handling. In affected kio and kdelibs versions, the full HTTPS URL of a request was passed to the PAC script's FindProxyForURL function rather than a reduced scheme-and-host form, so a crafted PAC file could read components that TLS would otherwise keep off the wire: Basic Authentication credentials embedded in the URL, the query string, and PATH_INFO.
- Vendor: KDE
- Product: kio (before 5.32), kdelibs (before 4.14.30)
- CVE: CVE-2017-6410
- CVSS: 5.5 MEDIUM (CVSS 3.0)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-02
- Advisory updated: 2026-05-13
Who should care
Administrators and users of KDE desktops and KIO-based applications running kio before 5.32 or kdelibs before 4.14.30, in environments that use proxy auto-configuration. Exposure is highest where the PAC URL is not fully under the administrator's control (for example, discovered automatically on the network rather than pinned to a trusted server) and where HTTPS URLs routinely carry embedded credentials, query strings, or PATH_INFO.
Technical summary
NVD describes the flaw in kpac/script.cpp: the PAC FindProxyForURL function is called with the full HTTPS URL instead of a sanitized form. A PAC script only needs the scheme, host and port to choose a proxy, and for https:// URLs everything after the host is otherwise protected by TLS; handing the script the whole URL therefore lets a malicious PAC file read embedded credentials, query parameters, or PATH_INFO and carry them out through whatever side channels the PAC environment offers. NVD maps the weakness to CWE-319 (Cleartext Transmission of Sensitive Information) and rates it CVSS 3.0 5.5 MEDIUM (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N): confidentiality impact is high, but the vector assumes a local attack surface and user interaction (the user has to be running a client that evaluates the attacker's PAC file).
Defensive priority
Medium. Patch impacted KDE components promptly if PAC-based proxy handling is used, especially on endpoints that might process URLs with sensitive path or credential data. The impact is confidentiality-only, but the data exposed can be high value.
Recommended defensive actions
- Upgrade KDE kio to 5.32 or later, or kdelibs to 4.14.30 or later, depending on the deployed package set.
- Review proxy auto-configuration usage: a PAC script is executable code that sees the URL of every request, so treat the PAC URL as a trusted input, pin it to an administrator-controlled location where possible, and decide whether PAC is necessary at all in the affected environment.
- Check whether applications or workflows place sensitive material in HTTPS URLs, including https://user:password@host credentials, API tokens in query strings, or session data in PATH_INFO; those are the components a malicious PAC file can read on unpatched systems.
- Prioritize patching on user-facing endpoints where users can change proxy settings or where the PAC location is discovered automatically from the network.
- Use the vendor advisory and distribution security notices to confirm the exact fixed package versions for your platform.
Evidence notes
The supplied NVD record states that kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 passes a full HTTPS URL to PAC FindProxyForURL, potentially exposing Basic Authentication credentials, query strings, or PATH_INFO. The same record lists CWE-319 and CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The CVE was published on 2017-03-02; the later 2026-05-13 modified timestamp in NVD metadata should not be treated as the disclosure date.
Official resources
- CVE-2017-6410 CVE record (CVE.org)
- CVE-2017-6410 NVD detail (NVD)
- Vendor advisory and patch (NVD reference tagged Patch, Vendor Advisory)
Publicly disclosed on 2017-03-02 per the CVE/NVD record. No KEV listing is present in the supplied data. The 2026-05-13 NVD timestamp is a record-modification date, not the vulnerability's original publication date.