CVE-2019-14744

Опубликовано: 07 авг. 2019

Источник: nvd

CVSS3: 7.8

CVSS2: 5.1

EPSS Низкий

Описание

In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.

Ссылки

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00013.html
Mailing List
Patch
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00016.html
Mailing List
Patch
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00034.html
Mailing List
Third Party Advisory
http://packetstormsecurity.com/files/153981/Slackware-Security-Advisory-kdelibs-Updates.html
Patch
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2019:2606
Third Party Advisory
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
Exploit
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/08/msg00023.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IRIKH7ZWXELIQT6WSLV7EG3VTFWKZPD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNHO6FZRYBQ2R3UCFDGS66F6DNNTKCMM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYKLUSSEK3YJOVQDL6K2LKGS3354UH6L/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTFBQRJAU7ITD3TOMPZAUQMYYCAZ6DTX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIDXQ6CUB5E7Y3MJWCUY4VR42QAE6SCJ/
https://seclists.org/bugtraq/2019/Aug/12
Mailing List
Third Party Advisory
https://seclists.org/bugtraq/2019/Aug/9
Mailing List
Third Party Advisory
https://security.gentoo.org/glsa/201908-07
Third Party Advisory
https://usn.ubuntu.com/4100-1/
Third Party Advisory
https://www.debian.org/security/2019/dsa-4494
Third Party Advisory
https://www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/
Press/Media Coverage
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00013.html
Mailing List
Patch
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00016.html
Mailing List
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:kde:kconfig:*:*:*:*:*:*:*:*

Версия до 5.61.0 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Конфигурация 4

cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*

Конфигурация 5

Одно из

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

Конфигурация 6

Одно из

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

EPSS

Процентиль: 79%

0.01309

Низкий

7.8 High

CVSS3

5.1 Medium

CVSS2

Дефекты

CWE-78

Связанные уязвимости

CVE-2019-14744

CVSS3: 7.8

ubuntu

больше 6 лет назад

CVE-2019-14744

CVSS3: 8.8

redhat

больше 6 лет назад

CVE-2019-14744

CVSS3: 7.8

debian

больше 6 лет назад

In KDE Frameworks KConfig before 5.61.0, malicious desktop files and c ...

openSUSE-SU-2019:1851-2

suse-cvrf

больше 6 лет назад

Security update for kconfig, kdelibs4

openSUSE-SU-2019:1851-1

suse-cvrf

больше 6 лет назад

Security update for kconfig, kdelibs4

EPSS

Процентиль: 79%

0.01309

Низкий

7.8 High

CVSS3

5.1 Medium

CVSS2

Дефекты

CWE-78