Ubuntu.comUB:CVE-2019-14744CVE-2019-14744
5.1 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
69.7%
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and
configuration files lead to code execution with minimal user interaction.
This relates to libKF5ConfigCore.so, and the mishandling of .desktop and
.directory files, as demonstrated by a shell command on an Icon line in a
.desktop file.
Bugs
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | kconfig | < 5.44.0-0ubuntu1.1 | UNKNOWN |
| ubuntu | 19.04 | noarch | kconfig | < 5.56.0-0ubuntu1.1 | UNKNOWN |
| ubuntu | 16.04 | noarch | kconfig | < 5.18.0-0ubuntu1.1 | UNKNOWN |
| ubuntu | 18.04 | noarch | kde4libs | < 4:4.14.38-0ubuntu3.1 | UNKNOWN |
| ubuntu | 19.04 | noarch | kde4libs | < 4:4.14.38-0ubuntu6.1 | UNKNOWN |
| ubuntu | 14.04 | noarch | kde4libs | < 4:4.13.3-0ubuntu0.5+esm1 | UNKNOWN |
| ubuntu | 16.04 | noarch | kde4libs | < 4:4.14.16-0ubuntu3.3 | UNKNOWN |
References
gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
kde.org/info/security/advisory-20190807-1.txt
launchpad.net/bugs/cve/CVE-2019-14744
nvd.nist.gov/vuln/detail/CVE-2019-14744
phabricator.kde.org/D22979
security-tracker.debian.org/tracker/CVE-2019-14744
ubuntu.com/security/notices/USN-4100-1
www.cve.org/CVERecord?id=CVE-2019-14744
www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/
Related
5.1 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
69.7%