{"id":"CVE-2022-23853","details":"The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the directory of the file that was just opened (due to a misunderstanding of the QProcess API, that was never intended). This can be an untrusted directory.","modified":"2026-03-20T04:15:30.015749Z","published":"2022-02-11T18:15:11.850Z","related":["MGASA-2023-0051","SUSE-SU-2022:0841-1","openSUSE-SU-2022:0841-1","openSUSE-SU-2024:11801-1","openSUSE-SU-2024:11813-1"],"references":[{"type":"ADVISORY","url":"https://apps.kde.org/kate/"},{"type":"ADVISORY","url":"https://kde.org/info/security/advisory-20220131-1.txt"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-21"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kde/ktexteditor","events":[{"introduced":"0"},{"fixed":"418d4f1ec5dd709af38fb9d9e247b3e1c7bc83ad"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.91.0"}]}}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"21.12.2"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23853.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}