CVE-2022-23853

7.8 HIGH

📋 TL;DR

This vulnerability allows arbitrary code execution when KDE Kate or KTextEditor opens a file from an untrusted directory. If the required LSP server binary isn't in the system PATH, the software incorrectly executes it from the file's directory instead. Users of affected KDE text editor versions are at risk.

💻 Affected Systems

Products:
  • KDE Kate
  • KTextEditor
Versions: Kate before 21.12.2, KTextEditor before 5.91.0
Operating Systems: Linux, Unix-like systems with KDE
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with LSP plugin enabled (default in many configurations). Requires opening files from untrusted directories.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with user privileges when opening a malicious file from an untrusted source (like downloads folder or network share).

🟠 Likely Case: Local privilege escalation or malware execution when opening files from untrusted directories.

🟢 If Mitigated: No impact if patched versions are used or if users only open files from trusted directories.

🌐 Internet-Facing: LOW - Requires user interaction to open malicious files, not directly network exploitable.
🏢 Internal Only: MEDIUM - Internal users could be tricked into opening malicious files from network shares or email attachments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the user to open a malicious file from an untrusted directory that contains a crafted LSP server binary.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kate 21.12.2+, KTextEditor 5.91.0+

Vendor Advisory: https://kde.org/info/security/advisory-20220131-1.txt

Restart Required: Yes

Instructions:

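1. Update system package manager.
2. Run: sudo apt update && sudo apt upgrade kate ktexteditor (Debian/Ubuntu) OR sudo dnf update kate ktexteditor (Fedora/RHEL). The package name that ships KTextEditor can differ between distributions; adjust the command to the name your package manager reports.
3. Restart Kate/KTextEditor applications.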

🔧 Temporary Workarounds

Disable LSP plugin (platform: linux)

Temporarily disable the Language Server Protocol plugin to prevent the vulnerable code path.

In Kate: Settings → Configure Kate → Plugins → uncheck 'LSP Client'

Restrict file opening locations (platform: all)

Only open files from trusted directories and avoid opening files from downloads, temporary, or network shares.

🧯 If You Can't Patch

  • Disable LSP plugin in Kate/KTextEditor settings.
  • Implement application whitelisting to prevent execution of unauthorized binaries from user directories.

🔍 How to Verify

Check if Vulnerable:

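Check Kate version: kate --version | grep -E '21\.(1[0-1]|12\.0|12\.1)' OR check KTextEditor version via package manager. This pattern matches only 21.10 through 21.12.1; every Kate release before 21.12.2 is affected, so no match on an older release (for example 21.08 or 20.x) does not mean the system is safe.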

Check Version:

kate --version OR dpkg -l | grep kate OR rpm -q kate ktexteditor

Verify Fix Applied:

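Verify version is Kate 21.12.2+ or KTextEditor 5.91.0+: kate --version | grep -E '21\.12\.[2-9]|22\.' OR dpkg -l | grep -E 'kate|ktexteditor'. The grep pattern covers 21.12.2 through 21.12.9 and 22.x only; later releases are also fixed but will not match it.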
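The grep patterns in the checks above match fixed ranges of version strings. As an added example (not part of the original advisory or of KDE's tooling), the script below compares versions numerically against the fixed releases stated on this page; the function names and sample version strings are constructed for illustration, and it assumes a sort that supports -V (GNU coreutils).

```shell
#!/bin/sh
# Added example. Fixed versions are taken from this page:
# Kate 21.12.2, KTextEditor 5.91.0. All sample strings are constructed.
KATE_FIXED="21.12.2"
KTE_FIXED="5.91.0"

# Pull the first dotted version out of tool or package output,
# e.g. "kate 21.08.3" or a dpkg-style "4:21.12.3-0ubuntu1".
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1
}

# Succeeds when $1 is strictly older than $2 in version order.
# An empty $1 (nothing parseable) is NOT reported as older;
# treat an empty result from extract_version as "unknown".
version_lt() {
    [ -n "$1" ] && [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

kate_vulnerable()        { version_lt "$(extract_version "$1")" "$KATE_FIXED"; }
ktexteditor_vulnerable() { version_lt "$(extract_version "$1")" "$KTE_FIXED"; }

# Constructed samples, including releases outside the 21.10-22.x range.
for sample in "kate 20.12.3" "kate 21.08.3" "kate 21.12.1" \
              "kate 21.12.2" "kate 23.08.0"; do
    if kate_vulnerable "$sample"; then
        echo "$sample: VULNERABLE (older than $KATE_FIXED)"
    else
        echo "$sample: fixed"
    fi
done

for sample in "5.90.0-1" "5.91.0" "5.100.0"; do
    if ktexteditor_vulnerable "$sample"; then
        echo "ktexteditor $sample: VULNERABLE (older than $KTE_FIXED)"
    else
        echo "ktexteditor $sample: fixed"
    fi
done
```

On a live system, pass real output instead of the samples, for example kate_vulnerable "$(kate --version)". Distributions may backport the fix without changing the upstream version number, so confirm against the distribution's own security tracker when the package carries a vendor revision.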

📡 Detection & Monitoring

Log Indicators:

  • Process execution from user directories (like Downloads) with Kate/KTextEditor parent process.
  • Failed LSP server execution attempts from unusual locations.

Network Indicators:

  • None - local exploitation only

SIEM Query:

Process creation where parent_process_name contains 'kate' AND (process_path contains a user directory such as '/home/*/Downloads/' OR process_path contains '/tmp/')
