CVE-2024-50624

Publication date 28 October 2024

Last updated 9 September 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

5.9 · Medium

Score breakdown

Description

ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the configuration. This is related to kmail-account-wizard.

Read the notes from the security team

Status

Package Ubuntu Release Status
kmail 25.10 questing
Not affected
25.04 plucky
Not affected
24.10 oracular Ignored end of life, was needs-triage
24.04 LTS noble
Not affected
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
kmail-account-wizard 25.10 questing
Not affected
25.04 plucky
Not affected
24.04 LTS noble
Fixed 4:23.08.5-0ubuntu3+esm1
22.04 LTS jammy
Fixed 4:21.12.3-0ubuntu1+esm1
20.04 LTS focal
Fixed 4:19.12.3-0ubuntu1+esm1
18.04 LTS bionic
Fixed 4:17.12.3-0ubuntu1+esm1
kdepim 25.10 questing Not in release
25.04 plucky Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
16.04 LTS xenial
Fixed 4:15.12.3-0ubuntu1.1+esm1
14.04 LTS trusty
Not affected

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Notes

ej7367

For bionic and later, the vulnerable code is in src/ispdb/ispdb.cpp of kmail-account-wizard. For xenial, the vulnerable code is in accountwizard/ispdb/ispdb.cpp of kdepim. For trusty, the vulnerable code is in accountwizard/ispdb/ispdb.cpp of kdepim-runtime.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
kmail-account-wizard
kdepim

Severity score breakdown

Parameter Value
Base score 5.9 · Medium
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-7729-1
    • KDE PIM vulnerabilities
    • 2 September 2025
    • USN-7732-1
    • KMail Account Wizard vulnerability
    • 2 September 2025

Other references