Multiple vulnerabilities in KDE plasma-workspace



Published: 2018-02-07 | Updated: 2020-08-08
Risk: Medium
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2018-6790, CVE-2018-6791
CWE-ID: CWE-200, CWE-78
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: plasma-workspace (Client/Desktop applications / Other client software)
Vendor: KDE.org

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU37559

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6790

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An issue was discovered in KDE Plasma Workspace before 5.12.0. dataengines/notifications/notificationsengine.cpp allows remote attackers to discover client IP addresses via a URL in a notification, as demonstrated by the src attribute of an IMG element.

Mitigation

Install update from vendor's website.

Vulnerable software versions

plasma-workspace: 5.0.0 - 5.11.95

External links

http://access.redhat.com/errata/RHSA-2019:2141
http://cgit.kde.org/plasma-workspace.git/commit/?id=5bc696b5abcdb460c1017592e80b2d7f6ed3107c
http://cgit.kde.org/plasma-workspace.git/commit/?id=8164beac15ea34ec0d1564f0557fe3e742bdd938
http://phabricator.kde.org/D10188
http://www.kde.org/announcements/plasma-5.11.5-5.12.0-changelog.php


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) OS Command Injection

EUVDB-ID: #VU37560

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6791

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive that contains `` or $() in its volume label is plugged in and mounted through the device notifier, it's interpreted as a shell command, leading to a possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)" -- this will create a file called b in the home folder.
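An added example, not code from plasma-workspace or from this bulletin: the injection pattern described above shown beside a shell-quoted form. The function names, the `%f` placeholder and the command template are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>

// Single-quote a value for a POSIX shell. Nothing is expanded inside '...',
// so only the quote character itself needs handling (the '\'' idiom).
std::string shellQuote(const std::string &value) {
    std::string out = "'";
    for (char c : value) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Replace every occurrence of `macro` in `tmpl` with `value`, skipping past
// each inserted value so that it is never re-scanned for macros.
std::string expand(std::string tmpl, const std::string &macro, const std::string &value) {
    for (std::size_t pos = tmpl.find(macro); pos != std::string::npos;
         pos = tmpl.find(macro, pos + value.size()))
        tmpl.replace(pos, macro.size(), value);
    return tmpl;
}

// Pattern behind the bug: device-controlled text is pasted verbatim into a
// line that is later handed to a shell, so $() and `` are evaluated.
std::string buildCommandUnsafe(const std::string &tmpl, const std::string &path) {
    return expand(tmpl, "%f", path);
}

// Hardened pattern: the value is quoted before substitution, so the shell
// receives it as one literal argument.
std::string buildCommandQuoted(const std::string &tmpl, const std::string &path) {
    return expand(tmpl, "%f", shellQuote(path));
}

int main() {
    const std::string tmpl = "filemanager %f";       // constructed action template
    const std::string path = "/media/$(touch b)";    // volume label quoted in the bulletin
    std::cout << buildCommandUnsafe(tmpl, path) << "\n";
    std::cout << buildCommandQuoted(tmpl, path) << "\n";
    std::cout << shellQuote("it's") << "\n";         // label containing a quote character
}
```

Quoting only helps when the template does not already wrap the placeholder in quotes; passing the value as a separate argv element without any shell avoids the problem entirely.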

Mitigation

Install update from vendor's website.

Vulnerable software versions

plasma-workspace: 5.0.0 - 5.11.95

External links

http://bugs.kde.org/show_bug.cgi?id=389815
http://cgit.kde.org/plasma-workspace.git/commit/?id=9db872df82c258315c6ebad800af59e81ffb9212
http://www.debian.org/security/2018/dsa-4116


Q & A

Can this vulnerability be exploited remotely?

No. The attacker must have physical access to the system to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


