{"id":"CVE-2022-23853","details":"The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the directory of the file that was just opened. This fallback was never intended; it results from a misunderstanding of the QProcess API. The file's directory can be untrusted, in which case a binary supplied by whoever controls that directory is executed.","modified":"2026-05-30T18:31:35.382621Z","published":"2022-02-11T00:00:00Z","related":["SUSE-SU-2022:0841-1","openSUSE-SU-2022:0841-1","openSUSE-SU-2024:11801-1","openSUSE-SU-2024:11813-1"],"database_specific":{"cna_assigner":"mitre","unresolved_ranges":[{"extracted_events":[{"fixed":"21.12.2"},{"fixed":"5.91.0"}],"source":"DESCRIPTION"}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23853.json"},"references":[{"type":"WEB","url":"https://apps.kde.org/kate/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23853.json"},{"type":"ADVISORY","url":"https://kde.org/info/security/advisory-20220131-1.txt"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23853"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-21"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kde/ktexteditor","events":[{"introduced":"0"},{"fixed":"418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad"}],"database_specific":{"cpe":"cpe:2.3:a:kde:ktexteditor:*:*:*:*:*:*:*:*","source":"CPE_RANGE","extracted_events":[{"introduced":"0"},{"fixed":"5.91.0"}]}}],"versions":["v5.91.0-rc1","v4.100.0-rc1"],"database_specific":{"vanir_signatures":[{"deprecated":false,"id":"CVE-2022-23853-92688ad0","signature_type":"Line","source":"https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad","signature_version":"v1","target":{"file":"src/completion/katecompletionwidget.cpp"},"digest":{"line_hashes"
:["238586144986480626532833709200133741290","321264450908815454991624304370483997886","533132923391185586768305347793104077","191062950574024170207223582195954912034","321584593395951946643979361192568131635","151741592845601697260363980219000843748","221292836783817460721732364586259029542","70043627418932480900997403024557776695","130637371832924795471072035165570652036","77626718899294420431270402301496590293","55017138004392163704177016569998906216","102517031888299665480528782166807256314","64443272212020684957851278482482143061","133387529773562028259119744561517782087","288054100669052620460742831639042336037","64063979376969515605511845968448362563","230004093467815521533854681024360733288","241813602750405824364283169698566135511","287917169199113493420529118876408810527","14494507464670949092959228683803050691","29284449258618808058777154186713728648","137704615252305715529815990500409386766","317125311666467979444240175825734721949","147867134434908753852438540516545238716"],"threshold":0.9}},{"deprecated":false,"id":"CVE-2022-23853-a0671e23","signature_type":"Function","source":"https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad","signature_version":"v1","target":{"function":"KateCompletionWidget::updatePosition","file":"src/completion/katecompletionwidget.cpp"},"digest":{"function_hash":"93378525550777421550787192846903506565","length":820}},{"deprecated":false,"id":"CVE-2022-23853-bc095b7c","signature_type":"Function","source":"https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad","signature_version":"v1","target":{"function":"KateArgumentHintTree::updateGeometry","file":"src/completion/kateargumenthinttree.cpp"},"digest":{"function_hash":"139860362279385471925127585635602708112","length":1776}},{"deprecated":false,"id":"CVE-2022-23853-c01d2b26","signature_type":"Function","source":"https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad","signature_version":"v1","
target":{"function":"KateCompletionWidget::updateHeight","file":"src/completion/katecompletionwidget.cpp"},"digest":{"function_hash":"34348533805185503108108725208470562816","length":2343}},{"deprecated":false,"id":"CVE-2022-23853-cfc728a0","signature_type":"Function","source":"https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad","signature_version":"v1","target":{"function":"KateCompletionTree::resizeColumns","file":"src/completion/katecompletiontree.cpp"},"digest":{"function_hash":"99630337622307734428169713497274380325","length":2541}},{"deprecated":false,"id":"CVE-2022-23853-e541477f","signature_type":"Line","source":"https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad","signature_version":"v1","target":{"file":"src/completion/kateargumenthinttree.cpp"},"digest":{"line_hashes":["16813898135728151144914715436509632797","182595789043470505194494874426296881767","76811293567851530834234124211584077364","80192153237492499581107939306131881493","316311362757031898365968893267475170677","145501682396013724692043066399511502776","78970012401483175822127533438575453829","144222033472515843100367310002770695108","43334530890740831561062131260534903218","36954242338610629292806240278088245530","312822749768514387574198676568973360265","38175065674469722163134744211200900686","7083531845288594042182095781204850090","95960863841176289839734654644436689446","162605001058781058456684454407437847444","139414015957155870869465439377378190549","139176827720294501052297392671943530244","247474897071719230363219741217334798950","71251652117527221690119074076278806621","120339813483794198813526550628720139614","122179965567685578162246973567487310180","196916682824177175521938257623054676018","202373989020915944314997828256814394910","5326613089106529533513605972940186418","36128289816673127253526735799658378728","220280378657690008157062633487377744954"],"threshold":0.9}},{"deprecated":false,"id":"CVE-2022-23853-f14635f
3","signature_type":"Line","source":"https://github.com/kde/ktexteditor/commit/418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad","signature_version":"v1","target":{"file":"src/completion/katecompletiontree.cpp"},"digest":{"line_hashes":["110757248314581293424996004355125844224","182595789043470505194494874426296881767","76547390809316534903389748133410092316","246764212299891021530602709165170827981","243364683201379488504037485254980214201","221196670583961259840966263925113797635","29428052457269436452106346675406433990","133536168867775705857773501582211343233"],"threshold":0.9}}],"vanir_signatures_modified":"2026-05-30T18:31:35Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23853.json"}}],"schema_version":"1.7.5"}