Vulnerability Details : CVE-2019-14744
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
Products affected by CVE-2019-14744
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:kde:kconfig:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-14744
EPSS score: 0.39% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~73% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2019-14744
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P | 4.9 | 6.4 | NIST | 
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | 
CWE ids for CVE-2019-14744
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-14744
- https://usn.ubuntu.com/4100-1/ (USN-4100-1: KConfig and KDE libraries vulnerabilities | Ubuntu security notices) [Third Party Advisory]
- https://www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/ (Unpatched KDE vulnerability disclosed on Twitter | ZDNet) [Press/Media Coverage; Third Party Advisory]
- https://lists.debian.org/debian-lts-announce/2019/08/msg00023.html ([SECURITY] [DLA 1890-1] kde4libs security update) [Mailing List; Third Party Advisory]
- http://packetstormsecurity.com/files/153981/Slackware-Security-Advisory-kdelibs-Updates.html (Slackware Security Advisory - kdelibs Updates ≈ Packet Storm) [Patch; Third Party Advisory; VDB Entry]
- https://access.redhat.com/errata/RHSA-2019:2606 (RHSA-2019:2606 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00016.html ([security-announce] openSUSE-SU-2019:1855-1: important: Security update) [Mailing List; Patch; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNHO6FZRYBQ2R3UCFDGS66F6DNNTKCMM/ ([SECURITY] Fedora 30 Update: kdelibs3-3.5.10-101.fc30 - package-announce - Fedora Mailing-Lists) [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IRIKH7ZWXELIQT6WSLV7EG3VTFWKZPD/ ([SECURITY] Fedora 30 Update: kdelibs-4.14.38-15.fc30 - package-announce - Fedora Mailing-Lists) [Mailing List; Release Notes; Third Party Advisory]
- https://seclists.org/bugtraq/2019/Aug/12 (Bugtraq: [SECURITY] [DSA 4494-1] kconfig security update) [Mailing List; Third Party Advisory]
- https://seclists.org/bugtraq/2019/Aug/9 (Bugtraq: [slackware-security] kdelibs (SSA:2019-220-01)) [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIDXQ6CUB5E7Y3MJWCUY4VR42QAE6SCJ/ ([SECURITY] Fedora 29 Update: kde-settings-29.1-1.fc29 - package-announce - Fedora Mailing-Lists) [Mailing List; Third Party Advisory]
- https://www.debian.org/security/2019/dsa-4494 (Debian -- Security Information -- DSA-4494-1 kconfig) [Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00013.html ([security-announce] openSUSE-SU-2019:1851-1: important: Security update) [Mailing List; Patch; Third Party Advisory]
- https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt [Exploit; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UYKLUSSEK3YJOVQDL6K2LKGS3354UH6L/ ([SECURITY] Fedora 29 Update: kdelibs3-3.5.10-101.fc29 - package-announce - Fedora Mailing-Lists) [Mailing List; Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00034.html ([security-announce] openSUSE-SU-2019:1898-1: important: Security update) [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTFBQRJAU7ITD3TOMPZAUQMYYCAZ6DTX/ ([SECURITY] Fedora 30 Update: kf5-kconfig-5.59.0-1.fc30.1 - package-announce - Fedora Mailing-Lists) [Mailing List; Release Notes; Third Party Advisory]
- https://security.gentoo.org/glsa/201908-07 (KDE KConfig: User-assisted execution of arbitrary code (GLSA 201908-07) — Gentoo security) [Third Party Advisory]