Language Server Protocol Plugin Vulnerability in KDE Kate and KTextEditor
CVE-2022-23853

7.8HIGH

Key Information:

Vendor: Kde
Status: Ktexteditor; Kate
Vendor: CVE Published:; 11 February 2022

What is CVE-2022-23853?

The LSP plugin in KDE Kate and KTextEditor can lead to security issues due to its attempts to execute an LSP server binary when opening certain file types. If the binary is not in the PATH, it erroneously searches the directory of the opened file to find the binary, potentially introducing risks through untrusted directories. This flaw arises from a misunderstanding of the QProcess API, which could be exploited if a malicious file is opened.

References

https://apps.kde.org/kate/

https://kde.org/info/security/advisory-20220131-1.txt

https://security.gentoo.org/glsa/202401-21

vendor-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 11, 2022
Vulnerability Reserved
Jan 24, 2022

CVE-2022-23853 Data

JSON

Kde

What is CVE-2022-23853?

References

CVSS V3.1

Timeline