
Cloud Vulnerability DB
A community-led vulnerabilities database
A path traversal vulnerability, tracked as CVE-2024-1433, was found in KDE Plasma Workspace versions up to 5.93.0. It affects the EventPluginsManager::enabledPlugins function in components/calendar/eventpluginsmanager.cpp (the Theme File Handler component). The issue was disclosed on February 11, 2024; manipulating the pluginId argument passed to that function results in path traversal (NVD).
In EventPluginsManager::enabledPlugins the pluginId value is used to build a filesystem path without being checked for directory separators or parent-directory (..) segments, so an ID such as ../../x resolves to a location outside the plugin directory. The issue carries a CVSS v3.1 base score of 3.7 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N and is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The fix, commit 6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01, sanitizes pluginId with QDir::cleanPath (Github Commit). Note that QDir::cleanPath only normalizes a path (it collapses . and x/.. segments); an ID such as ../x normalizes to itself, so the normalized value still has to be rejected if it contains a separator or a remaining .. segment before it is used to locate a library.
Through directory traversal, an attacker can make Plasma load an arbitrary .so file as a calendar plugin. Because a loaded library runs inside the loading process, this amounts to code execution, and with it file access, in the context of the affected component. The practical impact is limited: exploitation requires either write access to the user's home directory or getting the user to install a third-party global theme (NVD).
Remediation: update to a KDE Plasma Workspace build that includes commit 6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01, or apply that patch to the installed version (Github Commit). Until the fix is deployed, not installing global themes from untrusted sources removes the more likely of the two preconditions.
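The following is an added example, not code from plasma-workspace or from the linked commit. It shows, in plain C++17 without Qt, the unsafe concatenation that turns a plugin ID into a library path, a cleanPath-style normalizer that mirrors what QDir::cleanPath does to `.` and `..` segments, and a check that only accepts an ID which is a single path component. The plugin directory `/usr/lib/plasma/calendar/`, the `.so` naming and the plugin ID `holidays` are assumptions for illustration.

```cpp
// Added example, not plasma-workspace code: why appending an unchecked plugin ID
// to a directory is path traversal, and what a safe check looks like.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Assumption: a fixed directory from which calendar plugins are loaded.
static const std::string kPluginDir = "/usr/lib/plasma/calendar/";

// Vulnerable pattern: the ID taken from configuration becomes part of the
// library path unchanged, so "../../../../tmp/evil" escapes kPluginDir.
std::string vulnerablePluginPath(const std::string &pluginId) {
    return kPluginDir + pluginId + ".so";
}

// Lexical normalization in the spirit of QDir::cleanPath: collapses ".", "x/.."
// and repeated "/". A leading ".." on a relative path cannot be collapsed and is
// kept, which is why normalization alone does not stop traversal.
std::string cleanPath(const std::string &path) {
    const bool absolute = !path.empty() && path.front() == '/';
    std::vector<std::string> segments;
    std::stringstream in(path);
    std::string seg;
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || seg == ".") {
            continue;
        }
        if (seg == "..") {
            if (!segments.empty() && segments.back() != "..") {
                segments.pop_back();      // "x/.." cancels out
            } else if (!absolute) {
                segments.push_back(seg);  // "../" at the start of a relative path stays
            }
            // on an absolute path, ".." above "/" is simply dropped
            continue;
        }
        segments.push_back(seg);
    }
    std::string out = absolute ? "/" : "";
    for (size_t i = 0; i < segments.size(); ++i) {
        if (i != 0) out += '/';
        out += segments[i];
    }
    return out;
}

// Hardened check: a plugin ID must be exactly one path component naming a file.
bool isSafePluginId(const std::string &pluginId) {
    const std::string cleaned = cleanPath(pluginId);
    if (cleaned.empty()) return false;                          // "", "." or "./"
    if (cleaned.find('/') != std::string::npos) return false;   // any directory separator
    if (cleaned == "..") return false;                          // bare parent reference
    return cleaned == pluginId;                                 // rejects "foo/" and similar
}

// Returns the library path for an accepted ID, or an empty string for a rejected one.
std::string hardenedPluginPath(const std::string &pluginId) {
    if (!isSafePluginId(pluginId)) return std::string();
    return kPluginDir + pluginId + ".so";
}

int main() {
    // Constructed inputs: a legitimate ID and a traversal attempt.
    const std::string good = "holidays";
    const std::string evil = "../../../../tmp/evil";
    std::cout << "vulnerable: " << cleanPath(vulnerablePluginPath(evil)) << '\n';
    std::cout << "hardened:   " << (hardenedPluginPath(evil).empty() ? "rejected" : "accepted") << '\n';
    std::cout << "hardened:   " << hardenedPluginPath(good) << '\n';
    return 0;
}
```

A stronger design than validating the string is to treat the configured ID as a selector: enumerate the plugin directory first and accept only IDs that appear in that listing, so a theme or config file can choose among installed plugins but can never introduce a library of its own.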
Source: This report was generated using AI