CVE-2022-23853

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-23853
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23853.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-23853
Published
2022-02-11T18:15:11Z
Modified
2025-10-21T02:36:44Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the directory of the file that was just opened. This behavior was never intended and is due to a misunderstanding of the QProcess API. The directory of the opened file can be an untrusted directory.

Affected packages

Git / github.com/kde/ktexteditor

Affected ranges

Type
GIT
Repo
https://github.com/kde/ktexteditor
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "src/completion/katecompletionwidget.cpp"
        },
        "source": "https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad",
        "id": "CVE-2022-23853-92688ad0"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "93378525550777421550787192846903506565",
            "length": 820.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "KateCompletionWidget::updatePosition",
            "file": "src/completion/katecompletionwidget.cpp"
        },
        "source": "https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad",
        "id": "CVE-2022-23853-a0671e23"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "139860362279385471925127585635602708112",
            "length": 1776.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "KateArgumentHintTree::updateGeometry",
            "file": "src/completion/kateargumenthinttree.cpp"
        },
        "source": "https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad",
        "id": "CVE-2022-23853-bc095b7c"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "34348533805185503108108725208470562816",
            "length": 2343.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "KateCompletionWidget::updateHeight",
            "file": "src/completion/katecompletionwidget.cpp"
        },
        "source": "https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad",
        "id": "CVE-2022-23853-c01d2b26"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "99630337622307734428169713497274380325",
            "length": 2541.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "KateCompletionTree::resizeColumns",
            "file": "src/completion/katecompletiontree.cpp"
        },
        "source": "https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad",
        "id": "CVE-2022-23853-cfc728a0"
    },
    {
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "src/completion/kateargumenthinttree.cpp"
        },
        "source": "https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad",
        "id": "CVE-2022-23853-e541477f"
    },
    {
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "src/completion/katecompletiontree.cpp"
        },
        "source": "https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad",
        "id": "CVE-2022-23853-f14635f3"
    }
]