CVE-2024-36041
Publication date 3 June 2024
Last updated 24 July 2024
Ubuntu priority
KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| plasma-workspace | 24.10 oracular |
Fixed 4:5.27.11.1-0ubuntu1
|
| 24.04 LTS noble |
Fixed 4:5.27.11-0ubuntu4.1
|
|
| 22.04 LTS jammy |
Fixed 4:5.24.7-0ubuntu0.2
|
|
| 20.04 LTS focal |
Fixed 4:5.18.8-0ubuntu0.2
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.8 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6843-1
- Plasma Workspace vulnerability
- 26 June 2024