Unauthorized Command Execution in KDE KCron by KDE
CVE-2022-24986

7.8HIGH

Key Information:

Vendor: Kde
Status: Kcron
Vendor: CVE Published:; 26 February 2022

What is CVE-2022-24986?

KDE KCron versions up to 21.12.2 exhibit a significant security flaw due to improper file handling practices. When KCron saves files, it utilizes a temporary file in the /tmp directory and reuses the same filename across different editing sessions. As a result, an attacker could potentially monitor the file's creation and, during a subsequent session, exploit the reused filename to intercept and manipulate the data. This vulnerability could allow unauthorized command execution if an attacker can access this temporary file, thereby compromising the system's integrity.

References

https://apps.kde.org/kcron/

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2022/02/25/3

x_refsource_MISC

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2022
Vulnerability Reserved
Feb 14, 2022

CVE-2022-24986 Data

JSON

Kde

What is CVE-2022-24986?

References

CVSS V3.1

Timeline