Impact: Important
Public Date: 2019-08-12
CWE: CWE-454
Bugzilla: 1740138: CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction

The MITRE CVE dictionary describes this issue as:

In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.

Find out more about CVE-2019-14744 from the MITRE CVE dictionary and NIST NVD.
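A defensive check for the condition described above, added here as an example and not part of the Red Hat or KDE material: it scans .desktop and .directory files for values that contain shell command substitution. The `$(...)` form and the `[$e]` expansion marker on the key are assumed from KConfig's shell-expansion syntax, and the sample file is constructed.

```python
import re
from pathlib import Path

# Assumptions: command substitution in a value is written $(...), and the key
# requests shell expansion with an option marker containing "e", e.g. [$e].
CMD_SUBST = re.compile(r"\$\(")
EXPAND_MARK = re.compile(r"\[\$[a-z]*e[a-z]*\]")
NAMES = {".desktop", ".directory"}

# Constructed sample, not taken from any real file.
SAMPLE = """\
[Desktop Entry]
Type=Directory
Name=Holiday photos
Icon[$e]=$(echo constructed-sample)
Comment=Cost is $(5) per print
"""

def scan_text(text):
    """Return (line_no, group, key, severity) for entries with command substitution."""
    findings, group = [], ""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]          # group header such as [Desktop Entry]
            continue
        key, sep, value = line.partition("=")
        if not sep or not CMD_SUBST.search(value):
            continue
        key = key.strip()
        # With the marker the value is subject to expansion; without it the
        # text is only suspicious, so it is reported for manual review.
        severity = "high" if EXPAND_MARK.search(key) else "review"
        findings.append((no, group, key, severity))
    return findings

def scan_tree(root):
    """Scan every .desktop / .directory file under root, hidden files included."""
    results = {}
    for path in Path(root).rglob("*"):
        # A file named exactly ".directory" may have no suffix, so check the name too.
        if path.is_file() and (path.suffix in NAMES or path.name in NAMES):
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results
```

Running `scan_tree` over download directories, extracted archives and mounted shares covers the places where such files arrive with minimal user interaction.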
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
Metric | Value |
---|---|
CVSS3 Base Score | 8.8 |
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity Impact | High |
Availability Impact | High |
Platform | Package | State |
---|---|---|
Red Hat Enterprise Linux 7 | kdelibs | Under investigation |
Red Hat Enterprise Linux 6 | kdelibs | Under investigation |
Red Hat Enterprise Linux 5 | kdelibs | Under investigation |