An issue was discovered in KDE Plasma Workspace before 5.12.0. dataengines/notifications/notificationsengine.cpp allows remote attackers to discover client IP addresses via a URL in a notification, as demonstrated by the src attribute of an IMG element. External References: https://www.kde.org/info/security/advisory-20180208-1.txt
Created kde-workspace tracking bugs for this issue: Affects: fedora-all [bug 1543470] Created plasma-workspace tracking bugs for this issue: Affects: fedora-all [bug 1543471]
*** Bug 1542676 has been marked as a duplicate of this bug. ***
Upstream commit: https://cgit.kde.org/plasma-workspace.git/commit/?h=Plasma/5.8&id=5bc696b5abcdb460c1017592e80b2d7f6ed3107c Discussion around the upstream patch: https://phabricator.kde.org/D10188
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2141 https://access.redhat.com/errata/RHSA-2019:2141
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-6790