PT-2021-4102 · Kde · Kde Messagelib

Ingo Klöcker · Published 2021-04-28 · Updated 2024-06-15 · CVE-2021-31855

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: KDE Messagelib versions prior to 5.17.0
Description: The vulnerability stems from incorrect handling of attachment deletion in decrypted encrypted messages stored on remote servers, such as IMAP servers. When a user deletes an attachment from a decrypted encrypted message, the decrypted content of the message is uploaded to the remote server. An attacker with access to the messages on the email server could therefore read the decrypted content of the encrypted message. The problem is in the ViewerPrivate::deleteAttachment function in messageviewer/src/viewer/viewer_p.cpp.
Recommendations: For KDE Messagelib versions prior to 5.17.0, as a temporary workaround, consider disabling the deleteAttachment function in ViewerPrivate until a patch is available. Restrict access to the messageviewer/src/viewer/viewer_p.cpp component to minimize the risk of exploitation. Avoid deleting attachments from decrypted encrypted messages stored on remote servers until the issue is resolved.
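As an added illustration (not KDE code and not the fix shipped in 5.17.0), the following Python models the failure mode above on a constructed mailbox and contrasts it with a client that refuses to write a decrypted message over an encrypted one. The mailbox dict, the message contents and the function names are assumptions made for this example.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed PGP/MIME (RFC 3156) message as the IMAP server stores it; the
# ciphertext is an obvious placeholder.
ENCRYPTED_RAW = (
    "From: alice@example.test\nTo: bob@example.test\nSubject: Q1 report\n"
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n'
    "\n--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b1\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n(placeholder ciphertext)\n-----END PGP MESSAGE-----\n--b1--\n"
)

def decrypted_view() -> EmailMessage:
    """Constructed: what the client holds after decrypting ENCRYPTED_RAW."""
    msg = EmailMessage()
    msg["Subject"] = "Q1 report"
    msg.set_content("Quarterly numbers attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="q1.pdf")
    return msg

def is_encrypted(msg) -> bool:
    """True if any MIME part is a PGP/MIME container or S/MIME enveloped data."""
    return any(p.get_content_type() == "multipart/encrypted"
               or p.get_param("smime-type") == "enveloped-data" for p in msg.walk())

def without_attachment(msg: EmailMessage, filename: str) -> EmailMessage:
    """Rebuild a decrypted message with the named attachment removed."""
    edited = EmailMessage()
    for name, value in msg.items():
        if not name.lower().startswith(("content-", "mime-")):
            edited[name] = value
    edited.set_content(msg.get_body(("plain",)).get_content())
    for att in msg.iter_attachments():
        if att.get_filename() != filename:
            edited.add_attachment(att.get_payload(decode=True), maintype=att.get_content_maintype(),
                                  subtype=att.get_content_subtype(), filename=att.get_filename())
    return edited

def vulnerable_delete(store: dict, uid: int, decrypted: EmailMessage, filename: str):
    """Failure mode from the advisory: the edited decrypted message overwrites the server's ciphertext."""
    store[uid] = without_attachment(decrypted, filename).as_string()

def hardened_delete(store: dict, uid: int, decrypted: EmailMessage, filename: str) -> bool:
    """Mitigation: never replace an encrypted stored message (UID -> raw RFC 822 text) with plaintext."""
    if is_encrypted(message_from_string(store[uid], policy=policy.default)):
        return False
    store[uid] = without_attachment(decrypted, filename).as_string()
    return True
```

Both paths rewrite the stored message in place; only the hardened one inspects what the server currently holds before doing so.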

Fix

Weakness Enumeration

Cleartext Storage of Sensitive Information

Cleartext Transmission of Sensitive Information

Related Identifiers

BDU:2021-04687
CVE-2021-31855
MGASA-2021-0208
OPENSUSE-SU-2024:11046-1

Affected Products

Kde Messagelib