CVE-2019-7443

HIGH

KDE KAuth <5.55 - Code Injection

Title source: llm

Description

KDE KAuth before 5.55 allows the passing of parameters with arbitrary types to helpers running as root over DBus via DBusHelperProxy.cpp. Certain types can cause crashes, and trigger the decoding of arbitrary images with dynamically loaded plugins. In other words, KAuth unintentionally causes this plugin code to run as root, which increases the severity of any possible exploitation of a plugin vulnerability.

References (6)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00060.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00065.html

[Issue Tracking, Patch, Third Party Advisory] https://bugzilla.suse.com/show_bug.cgi?id=1124863

[Patch, Vendor Advisory] https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3f4a

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAWLQKTUQJOAPXOFWJQAQCA4LVM2P45F/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXVUJNXB6QKGPT6YJPJSG3U2BIR5XK5Y/

Scores

CVSS v3 8.1

EPSS 0.0163

EPSS Percentile 81.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-20

Status published

Affected Products (6)

kde/kauth < 5.55.0

opensuse/leap

opensuse/leap

opensuse/backports

fedoraproject/fedora

fedoraproject/fedora

Timeline

Published May 07, 2019

Tracked Since Feb 18, 2026