Vulnerability Description
The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 starts the LSP server binary associated with a file type whenever a file of that type is opened. If that binary is not found on PATH, the plugin ends up executing a binary of the same name from the directory of the file that was just opened. This fallback was never intended; it stems from a misunderstanding of the QProcess API, which resolves an unqualified program name against the process working directory when the PATH lookup fails, and the plugin had set that working directory to the opened file's directory. Since that directory can be untrusted (a downloaded archive, a cloned repository), an attacker who places an executable with the expected server's name next to a file gets it run with the privileges of the user who opens the file. Kate 21.12.2 and KTextEditor 5.91.0 refuse to start a server that is not found on PATH.
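As an added illustration, not code from Kate, KTextEditor or Qt, the Python below models the lookup order described above: a bare server name is searched on PATH and, when it is absent, is resolved against the working directory that the plugin had pointed at the opened file's directory. The emulation of Qt's Unix behaviour (chdir to the working directory, then execve of the still-unqualified name) is an assumption about Qt internals and is marked as such in the comments; the function names, the server name `clangd` and the script contents are constructed for the example. The hardened resolver accepts only a PATH hit, which is the shape of the fix.

```python
"""Model of the CVE-2022-23853 untrusted search path and its fix.

Added example, not code from Kate, KTextEditor or Qt. POSIX is assumed
(shebang scripts are used as stand-ins for LSP server binaries).
"""
import os
import shutil
import stat
import subprocess
import tempfile


def qprocess_style_resolve(program: str, path_env: str, workdir: str):
    """Vulnerable lookup (assumed emulation of Qt's Unix QProcess).

    A bare name is first searched on path_env. If nothing is found, the
    child process would chdir(workdir) and execve the bare name unchanged,
    so the kernel resolves it relative to workdir, i.e. the directory of
    the file that was just opened.
    """
    if os.sep in program:
        return program
    hit = shutil.which(program, path=path_env)
    if hit:
        return hit
    candidate = os.path.join(workdir, program)
    if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
        return candidate
    return None


def hardened_resolve(program: str, path_env: str):
    """Fixed lookup: accept only an executable found on PATH and never
    consult the working directory. None means: do not start the server."""
    return shutil.which(program, path=path_env)


def _write_script(directory: str, name: str, body: str) -> str:
    """Constructed stand-in for an LSP server binary."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def demo():
    """Constructed scenario: no 'clangd' is installed on PATH, but the file
    being opened lives in an untrusted directory that ships an attacker
    supplied 'clangd' script next to it."""
    with tempfile.TemporaryDirectory() as untrusted, \
            tempfile.TemporaryDirectory() as pathdir:
        _write_script(untrusted, "clangd", "echo attacker-controlled")

        vuln = qprocess_style_resolve("clangd", pathdir, untrusted)
        safe = hardened_resolve("clangd", pathdir)

        ran = None
        if vuln is not None and os.name == "posix":
            try:
                ran = subprocess.run([vuln], capture_output=True,
                                     text=True).stdout.strip()
            except OSError:
                ran = None  # e.g. noexec temp mount; resolution result still stands

        # With a genuine server installed on PATH both resolvers agree,
        # so the fix costs nothing in the normal case.
        _write_script(pathdir, "clangd", "echo real-server")
        on_path = (qprocess_style_resolve("clangd", pathdir, untrusted),
                   hardened_resolve("clangd", pathdir))

        return {
            "vulnerable_picks": vuln,
            "vulnerable_runs_in_untrusted_dir":
                vuln is not None and os.path.dirname(vuln) == untrusted,
            "vulnerable_output": ran,
            "hardened_picks": safe,
            "both_on_path": on_path,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable resolver hands back the script from the untrusted directory and, when run, it executes; the hardened resolver returns `None` for the same input, which is the signal to refuse to start the server rather than fall back to anything relative to the file.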
CVSS Score
7.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kde | Kate | < 21.12.2 |
| Kde | Ktexteditor | < 5.91.0 |
Related Weaknesses (CWE)
References
- https://apps.kde.org/kate/ (Product, Vendor Advisory)
- https://kde.org/info/security/advisory-20220131-1.txt (Vendor Advisory)
- https://security.gentoo.org/glsa/202401-21 (Third Party Advisory)
FAQ
What is CVE-2022-23853?
CVE-2022-23853 is a vulnerability with a CVSS score of 7.8 (HIGH). The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from PATH, the plugin instead runs a binary of that name from the directory of the opened file, which can be an untrusted directory.
How severe is CVE-2022-23853?
CVE-2022-23853 has been rated HIGH with a CVSS base score of 7.8/10. Exploitation needs a local user to open a file from a directory the attacker controls while the LSP plugin is enabled; the attacker's binary then runs with that user's privileges.
Is there a patch for CVE-2022-23853?
Yes. The issue is fixed in Kate 21.12.2 and KTextEditor 5.91.0; all earlier versions of both are affected. See the KDE advisory (advisory-20220131-1) in the references for details, and the Gentoo GLSA for that distribution's packages.