CVE-2022-23853
Last modified
CVE-2022-23853 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the directory of the file that was just opened (due to a misunderstanding of the QProcess API, that was never intended). EPSS estimates a 0.88% chance of exploitation in the next 30 days.
Description
The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the directory of the file that was just opened (due to a misunderstanding of the QProcess API, that was never intended). This can be an untrusted directory.
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Kde | Kate | < 21.12.2 |
| Kde | Ktexteditor | < 5.91.0 |
References
- https://apps.kde.org/kate/Product, Vendor Advisory
- https://kde.org/info/security/advisory-20220131-1.txtVendor Advisory
- https://apps.kde.org/kate/Product, Vendor Advisory
- https://kde.org/info/security/advisory-20220131-1.txtVendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-23853?
How severe is CVE-2022-23853?
How do I fix CVE-2022-23853?
Are you affected by CVE-2022-23853?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST