CVE-2020-35605

moderate-risk
Published 2020-12-21

The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message.

Do I need to act?

~
5.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Kitty

Affected Vendors

Debian Kovidgoyal

References (6)

Patch https://github.com/kovidgoyal/kitty/commit/82c137878c2b99100a3cdc1c0f0efea069313...
Exploit https://github.com/kovidgoyal/kitty/issues/3128
Third Party Advisory https://www.debian.org/security/2020/dsa-4819
Patch https://github.com/kovidgoyal/kitty/commit/82c137878c2b99100a3cdc1c0f0efea069313...
Exploit https://github.com/kovidgoyal/kitty/issues/3128
Third Party Advisory https://www.debian.org/security/2020/dsa-4819
47
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 8/34 · Low
Exposure 7/34 · Low