CVE-2024-50624: 
Linux Debian vulnerability analysis and mitigation

ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the configuration. This vulnerability, identified as CVE-2024-50624, affects the kmail-account-wizard component (NVD).

The vulnerability stems from the use of plaintext HTTP requests in the KMail account wizard when retrieving mail server configuration files. The issue specifically exists in the ispdbservice.cpp component, which handles the autoconfig functionality. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.9 (MEDIUM) with the vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N (NVD).

An attacker sharing the same network (such as a public Wi-Fi) could potentially perform a man-in-the-middle attack to intercept the plaintext HTTP traffic and manipulate the configuration data. This could lead to the use of an attacker-controlled mail server, potentially exposing sensitive email communications (KDE Bug Report).

The vulnerability has been fixed in KDE Kmail version 6.2.0. The fix involves implementing HTTPS for the autoconfig functionality, as documented in the patch commit. Users are advised to upgrade to version 6.2.0 or later to mitigate this vulnerability (KDE Commit).