Vulnerability Description
KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kde | Plasma-Workspace | < 5.27.11.1 |
Related Weaknesses (CWE)
References
- https://github.com/KDE/plasma-workspace/tagsRelease Notes
- https://invent.kde.org/plasma/plasma-workspace/Product
- https://kde.org/info/security/advisory-20240531-1.txtVendor Advisory
- https://www.x.org/releases/X11R7.7/doc/libSM/xsmp.htmlProduct
- https://github.com/KDE/plasma-workspace/tagsRelease Notes
- https://invent.kde.org/plasma/plasma-workspace/Product
- https://kde.org/info/security/advisory-20240531-1.txtVendor Advisory
- https://lists.debian.org/debian-lts-announce/2024/06/msg00002.html
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://www.x.org/releases/X11R7.7/doc/libSM/xsmp.htmlProduct
FAQ
What is CVE-2024-36041?
CVE-2024-36041 is a vulnerability with a CVSS score of 7.8 (HIGH). KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This all...
How severe is CVE-2024-36041?
CVE-2024-36041 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-36041?
Check the references section above for vendor advisories and patch information. Affected products include: Kde Plasma-Workspace.