CVE-2019-7443 — HIGH (8.1) — White Hats Nepal

Q: How severe is CVE-2019-7443?

CVE-2019-7443 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-7443?

Check the references section above for vendor advisories and patch information. Affected products include: Kde Kauth, Opensuse Leap, Opensuse Backports, Suse Linux Enterprise, Fedoraproject Fedora.

Vulnerability Description

KDE KAuth before 5.55 allows the passing of parameters with arbitrary types to helpers running as root over DBus via DBusHelperProxy.cpp. Certain types can cause crashes, and trigger the decoding of arbitrary images with dynamically loaded plugins. In other words, KAuth unintentionally causes this plugin code to run as root, which increases the severity of any possible exploitation of a plugin vulnerability.

CVSS Score

8.1

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Kde	Kauth	< 5.55.0
Opensuse	Leap	15.0
Opensuse	Backports	-
Suse	Linux Enterprise	15.0
Fedoraproject	Fedora	28

Related Weaknesses (CWE)

CWE-20

References

http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00060.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00065.htmlMailing ListThird Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1124863Issue TrackingPatchThird Party Advisory
https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3fPatchVendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00060.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00065.htmlMailing ListThird Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1124863Issue TrackingPatchThird Party Advisory
https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3fPatchVendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2019-7443?

CVE-2019-7443 is a vulnerability with a CVSS score of 8.1 (HIGH). KDE KAuth before 5.55 allows the passing of parameters with arbitrary types to helpers running as root over DBus via DBusHelperProxy.cpp. Certain types can cause crashes, and trigger the decoding of a...

How severe is CVE-2019-7443?

CVE-2019-7443 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-7443?

Check the references section above for vendor advisories and patch information. Affected products include: Kde Kauth, Opensuse Leap, Opensuse Backports, Suse Linux Enterprise, Fedoraproject Fedora.