KiTTY vulnerable to command injection via filename variable
CVE-2024-23749

7.8HIGH

Key Information:

Vendor: KiTTY
Status: Kitty
Vendor: CVE Published:; 9 February 2024

What is CVE-2024-23749?

The vulnerability in KiTTY stems from insufficient input sanitization and validation of the filename variable, particularly in versions 0.76.1.13 and earlier. This flaw allows attackers to manipulate the filename input, leading to command injection. By exploiting this weakness, an attacker can inject malicious code through specially crafted filename entries during file retrieval operations. Such exploits can result in arbitrary code execution within the context of the application, emphasizing the need for stringent input validation and the implementation of secure coding practices to mitigate potential threats.

References

http://packetstormsecurity.com/files/177031/KiTTY-0.76.1....

https://blog.defcesco.io/CVE-2024-23749

http://seclists.org/fulldisclosure/2024/Feb/13

mailing-list

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 9, 2024
Vulnerability Reserved
Jan 21, 2024