CVE-2022-24986: Race Condition
First published: Sat Feb 26 2022(Updated: )
KDE KCron through 21.12.2 uses a temporary file in /tmp when saving, but reuses the filename during an editing session. Thus, someone watching it be created the first time could potentially intercept the file the following time, enabling that person to run unauthorized commands.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| KDE KCron | <=21.12.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2022-24986?
CVE-2022-24986 is a vulnerability in KDE KCron through version 21.12.2 that allows an attacker to intercept and run unauthorized commands.
How does CVE-2022-24986 work?
CVE-2022-24986 occurs because KDE KCron uses a temporary file in /tmp when saving, but reuses the filename during an editing session, allowing an attacker to intercept the file and run unauthorized commands.
What is the severity of CVE-2022-24986?
The severity of CVE-2022-24986 is high, with a CVSS score of 7.8.
How can I fix CVE-2022-24986?
To fix CVE-2022-24986, update KDE KCron to version 21.12.3 or later.
Where can I find more information about CVE-2022-24986?
You can find more information about CVE-2022-24986 at the following references: [1](http://www.openwall.com/lists/oss-security/2022/02/25/3), [2](https://apps.kde.org/kcron/)
- collector/nvd-api
- collector/nvd-index
- agent/references
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/first-publish-date
- agent/description
- agent/event
- agent/tags
- agent/source
- vendor/kde
- canonical/kde kcron
- version/kde kcron/21.12.2