
CVE-2020-35605

Published: 21/12/2020 Updated: 01/09/2022
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The Graphics Protocol feature in graphics.c in kitty prior to 0.19.3 allows remote malicious users to execute arbitrary code because a filename containing special characters can be included in an error message.

Vulnerable Product

kitty project kitty

debian debian linux 10.0

Vendor Advisories

kitty could be made to run programs if it opened a specially crafted image or desktop notification ...
Stephane Chauveau discovered that the graphics protocol implementation in Kitty, a GPU-based terminal emulator, did not sanitise a filename when returning an error message, which could result in the execution of arbitrary shell commands when displaying a file with cat. For the stable distribution (buster), this problem has been fixed in version 01 ...
The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message ...