KiTTY vulnerable to command injection via filename variable
CVE-2024-23749

7.8HIGH

Key Information:

Vendor

KiTTY

Status
Kitty
Vendor
CVE Published:
9 February 2024

What is CVE-2024-23749?

The vulnerability in KiTTY stems from insufficient input sanitization and validation of the filename variable, particularly in versions 0.76.1.13 and earlier. This flaw allows attackers to manipulate the filename input, leading to command injection. By exploiting this weakness, an attacker can inject malicious code through specially crafted filename entries during file retrieval operations. Such exploits can result in arbitrary code execution within the context of the application, emphasizing the need for stringent input validation and the implementation of secure coding practices to mitigate potential threats.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

http://packetstormsecurity.com/files/177031/KiTTY-0.76.1....
https://blog.defcesco.io/CVE-2024-23749
http://seclists.org/fulldisclosure/2024/Feb/13
mailing-list

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.