CVE-2022-41322Improper Encoding or Escaping of Output in Project Kitty

CWE-116Improper Encoding or Escaping of Output6 documents5 sources
Severity
7.8HIGHNVD
OSV9.8
EPSS
1.4%
top 19.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Kitty Project KittyKovidgoyal KittyDebian Kitty+1 more
Timeline
PublishedSep 23
Latest updateOct 5

Description

In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

debiandebian/kitty< kitty 0.21.2-2 (bookworm)
NVDkitty_project/kitty< 0.26.2
Ubuntukovidgoyal/kitty< 0.15.0-1ubuntu0.2+1
Debiankitty_project/kitty< 0.19.3-1+deb11u1+3

Also affects: Fedora 36, 37

Patches

Patch: bugs.gentoo.orgPatch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
kitty vulnerabilities2022-10-05
GHSA
GHSA-5v8v-cp6r-mq7c: In Kitty before 02022-09-25
OSV
CVE-2022-41322: In Kitty before 02022-09-23

📋Vendor Advisories

2
Ubuntu
kitty vulnerabilities2022-10-05
Debian
CVE-2022-41322: kitty - In Kitty before 0.26.2, insufficient validation in the desktop notification esca...2022
CVE-2022-41322 — Kitty Project Kitty vulnerability | cvebase