A vulnerability was found in Kitty up to 0.19.2 and classified as problematic. Affected by this issue is some unknown functionality of the file graphics.c of the component Graphics Protocol Handler. The manipulation of the argument filename with an unknown input leads to a injection vulnerability. Using CWE to declare the problem leads to CWE-74. The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Impacted is confidentiality. CVE summarizes:

The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message.

The weakness was presented 12/22/2020. The advisory is available at github.com. This vulnerability is handled as CVE-2020-35605. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1055 by the MITRE ATT&CK project.

Upgrading to version 0.19.3 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Name

• Kitty

Version

• 0.19.0
• 0.19.1
• 0.19.2

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion