Vulnerabilities > CVE-2018-10361 - Exposure of Resource to Wrong Sphere vulnerability in KDE Ktexteditor

CVSS 7.2 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

low complexity

kde

CWE-668

NVD

Published: 2018-04-25

Updated: 2019-10-03

Summary

An issue was discovered in KTextEditor 5.34.0 through 5.45.0. Insecure handling of temporary files in the KTextEditor's kauth_ktexteditor_helper service (as utilized in the Kate text editor) can allow other unprivileged users on the local system to gain root privileges. The attack occurs when one user (who has an unprivileged account but is also able to authenticate as root) writes a text file using Kate into a directory owned by a another unprivileged user. The latter unprivileged user conducts a symlink attack to achieve privilege escalation.

Vulnerable Configurations

Part	Description	Count
Application	Kde KDE Ktexteditor 5.34.0 KDE Ktexteditor 5.35.0 KDE Ktexteditor 5.36.0 KDE Ktexteditor 5.37.0 KDE Ktexteditor 5.38.0 KDE Ktexteditor 5.39.0 KDE Ktexteditor 5.40.0 KDE Ktexteditor 5.41.0 KDE Ktexteditor 5.42.0 KDE Ktexteditor 5.43.0 KDE Ktexteditor 5.44.0 KDE Ktexteditor 5.45.0	24

Common Weakness Enumeration (CWE)

CWE-668 - Exposure of Resource to Wrong Sphere

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References