First published: Wed Aug 07 2019
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/kconfig | 5.78.0-4, 5.103.0-2, 5.115.0-2 | |
KDE KConfig | <5.61.0 | |
Debian Linux | =9.0 | |
Debian Linux | =10.0 | |
Red Hat Fedora | =29 | |
Red Hat Fedora | =30 | |
openSUSE Backports | =15.0-sp1 | |
Ubuntu | =16.04 | |
Ubuntu | =18.04 | |
Ubuntu | =19.04 | |
Red Hat Enterprise Linux Desktop | =7.0 | |
Red Hat Enterprise Linux Server | =7.0 | |
Red Hat Enterprise Linux Workstation | =7.0 | |
CVE-2019-14744 is a vulnerability in KDE Frameworks KConfig that allows for code execution through malicious desktop files and configuration files.
CVE-2019-14744 has a severity rating of 7.8, which is considered high.
CVE-2019-14744 stems from the mishandling of .desktop and .directory files in libKF5ConfigCore.so, which allows code execution with minimal user interaction.
The remedy for CVE-2019-14744 is to update to KDE Frameworks KConfig version 5.61.0 or later.