CVE-2022-41322: In Kitty 0.26.2, an invalid desktop notification escape sequence can lead to arbitrary code execution.
Previously, the terminal could be accessed even if the user clicked the notification to close it. This issue has been resolved in 0.26.2.
Kitty before 0.25.3 allows remote attackers to bypass authentication and obtain sensitive information via a maliciously crafted request. The user must visit a target site, then click on a notification.
Kitty before 0.25.3 allows remote attackers to bypass authentication and obtain sensitive information via a crafted request. The user must click on a notification that loads a malicious website.
In previous releases, a malicious website could be invoked if the user clicked on a notification. This issue has been resolved in 0.25.4.
CVE-2019-11820 (discovered 2019-03-13): an issue was found in the permissions check in the mouse drag-and-drop functionality. An attacker can drag and drop a file from a remote location to the local file system and have that file executed.
Kitty before 0.26.1 allows remote attackers to bypass authentication and obtain sensitive information via a crafted request. The user must access sensitive information (e.g. SSH keys) on the target system.
Kitty before 0.24.0 allows remote attackers to bypass authentication and obtain sensitive information via a crafted request. The user must access SSH keys on the target system.
This issue has been resolved in 0.25.2.
CVE-2019-11821 2019-03-13 discovery discovered an issue
Timeline
Published on: 09/23/2022 05:15:00 UTC
Last modified on: 09/29/2022 17:15:00 UTC
References
- https://github.com/kovidgoyal/kitty/compare/v0.26.1...v0.26.2
- https://github.com/kovidgoyal/kitty/commit/f05783e64d5fa62e1aed603e8d69aced5e49824f
- https://sw.kovidgoyal.net/kitty/changelog/#detailed-list-of-changes
- https://bugs.gentoo.org/868543
- https://security.gentoo.org/glsa/202209-22
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41322