CVE-2019-14744

MEDIUM

Description

In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.

References

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00013.html

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00016.html

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00034.html

http://packetstormsecurity.com/files/153981/Slackware-Security-Advisory-kdelibs-Updates.html

https://access.redhat.com/errata/RHSA-2019:2606

https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt

https://lists.debian.org/debian-lts-announce/2019/08/msg00023.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/5IRIKH7ZWXELIQT6WSLV7EG3VTFWKZPD/

https://lists.fedoraproject.org/archives/list/[email protected]/message/FNHO6FZRYBQ2R3UCFDGS66F6DNNTKCMM/

https://lists.fedoraproject.org/archives/list/[email protected]/message/UYKLUSSEK3YJOVQDL6K2LKGS3354UH6L/

https://lists.fedoraproject.org/archives/list/[email protected]/message/WTFBQRJAU7ITD3TOMPZAUQMYYCAZ6DTX/

https://lists.fedoraproject.org/archives/list/[email protected]/message/YIDXQ6CUB5E7Y3MJWCUY4VR42QAE6SCJ/

https://seclists.org/bugtraq/2019/Aug/12

https://seclists.org/bugtraq/2019/Aug/9

https://security.gentoo.org/glsa/201908-07

https://usn.ubuntu.com/4100-1/

https://www.debian.org/security/2019/dsa-4494

https://www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/

Details

Source: MITRE

Published: 2019-08-07

Updated: 2019-08-15

Type: CWE-77

Risk Information

CVSS v2.0

Base Score: 5.1

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 4.9

Severity: MEDIUM

CVSS v3.0

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1.8

Severity: HIGH