CVE-2019-14744

Severity: High

Description

In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.

References

https://www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/

https://www.debian.org/security/2019/dsa-4494

https://usn.ubuntu.com/4100-1/

https://security.gentoo.org/glsa/201908-07

https://seclists.org/bugtraq/2019/Aug/9

https://seclists.org/bugtraq/2019/Aug/12

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIDXQ6CUB5E7Y3MJWCUY4VR42QAE6SCJ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTFBQRJAU7ITD3TOMPZAUQMYYCAZ6DTX/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYKLUSSEK3YJOVQDL6K2LKGS3354UH6L/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNHO6FZRYBQ2R3UCFDGS66F6DNNTKCMM/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IRIKH7ZWXELIQT6WSLV7EG3VTFWKZPD/

https://lists.debian.org/debian-lts-announce/2019/08/msg00023.html

https://access.redhat.com/errata/RHSA-2019:2606

http://packetstormsecurity.com/files/153981/Slackware-Security-Advisory-kdelibs-Updates.html

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00034.html

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00016.html

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00013.html

Details

Source: Mitre, NVD

Published: 2019-08-07

Risk Information

CVSS v2

Base Score: 5.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High