Upstream information
Description
An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive that contains `` or $() in its volume label is plugged in and mounted through the device notifier, it's interpreted as a shell command, leading to a possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)" -- this will create a file called b in the home folder.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having important severity.
| CVSS detail | National Vulnerability Database |
|---|---|
| Base Score | 7.2 |
| Vector | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| Access Vector | Local |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Complete |
| Integrity Impact | Complete |
| Availability Impact | Complete |
| CVSS detail | National Vulnerability Database |
|---|---|
| Base Score | 6.8 |
| Vector | CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Physical |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| CVSSv3 Version | 3 |
SUSE Security Advisories:
- openSUSE-SU-2018:0397-1, published Fri Dec 8 15:48:39 2023
- openSUSE-SU-2018:0398-1, published Fri Dec 8 15:48:39 2023
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Package Hub 12 SP3 |
| Patchnames: openSUSE-2018-147 |
SUSE Timeline for this CVE
CVE page created: Wed Feb 7 08:32:50 2018CVE page last modified: Mon Oct 6 19:15:48 2025