KDE Arianna Bookserver File Read Vulnerability via Socket Connection
Vulnerability
A file read vulnerability has been identified in KDE Arianna versions prior to 26.04.1. The issue lies in the bookserver component, which serves files over a socket connection and lets an attacker read them by guessing the URL. It can be exploited by other users on the same system or on the same local network, so the practical risk depends on whether those users are trusted.
Impact
Exploitation of this vulnerability allows unauthorized file access, either over the local network or through the local socket connection, depending on the user's environment.
Reproduction
The vulnerability can be reproduced by running KDE Arianna on a system or local network. Once the application is active, files can be accessed by guessing the URLs, taking advantage of the bookserver's exposed socket connection.
Remediation
Users are advised to update to KDE Arianna version 26.04.1 or later. If an immediate update is not possible, the application should not be used on local networks or systems with untrusted users.
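A practical first check before deciding whether the workaround above is needed is whether the bookserver's listening socket is reachable from beyond the loopback interface at all. The script below is an added example and is not code from the KDE Arianna project: it parses listener lines in the format of Linux `ss -H -ltnp` output and flags any socket bound to a wildcard or non-loopback address. The sample lines, the port numbers and the process name "arianna" are constructed assumptions; the page does not state the bookserver's actual port or process name.

```python
"""Flag listening sockets that are reachable from the network, from `ss -ltnp`-style output.

Added example for auditing exposure of a local helper server such as a bookserver;
not part of KDE Arianna. Sample data below is constructed, not captured from Arianna.
"""
import re
import subprocess
from ipaddress import ip_address

# Constructed sample in the column layout of `ss -H -ltnp` (State Recv-Q Send-Q Local Peer Process).
# Process name "arianna" and all port numbers are assumptions for illustration only.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=812,fd=7))
LISTEN 0 50 0.0.0.0:38221 0.0.0.0:* users:(("arianna",pid=4242,fd=21))
LISTEN 0 50 [::1]:38222 [::]:* users:(("arianna",pid=4242,fd=22))
LISTEN 0 128 *:22 *:* users:(("sshd",pid=600,fd=3))
"""

_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss_lines(text):
    """Return one dict per LISTEN line: process name, local host and local port."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        host, port = parts[3].rsplit(":", 1)   # split off the port after the last colon
        host = host.strip("[]")                # IPv6 addresses are bracketed, e.g. [::1]
        match = _PROC_RE.search(line)
        records.append({
            "process": match.group(1) if match else None,
            "host": host,
            "port": int(port),
        })
    return records


def is_network_reachable(host):
    """True if a socket bound to `host` can accept connections from other machines.

    '*', '0.0.0.0' and '::' are wildcard binds; anything that is not a loopback
    address is treated as reachable from the local network.
    """
    if host == "*":
        return True
    return not ip_address(host).is_loopback


def exposed_listeners(text, process_name=None):
    """Listeners bound beyond loopback, optionally restricted to one process name."""
    return [
        rec for rec in parse_ss_lines(text)
        if is_network_reachable(rec["host"])
        and (process_name is None or rec["process"] == process_name)
    ]


def current_ss_output():
    """Run `ss -H -ltnp` on this host (Linux only); falls back to the sample on failure."""
    try:
        return subprocess.run(["ss", "-H", "-ltnp"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_SS_OUTPUT


if __name__ == "__main__":
    # Audit the constructed sample; swap in current_ss_output() to audit the live host.
    for rec in exposed_listeners(SAMPLE_SS_OUTPUT, process_name="arianna"):
        print(f"{rec['process']} listens on {rec['host']}:{rec['port']} "
              f"- reachable from the local network, not only this machine")
```

A bookserver that only ever appears bound to 127.0.0.1 or ::1 is exposed to other local accounts but not to the LAN; a wildcard bind widens the set of users who can guess URLs to everyone on the network segment, which is the case the advisory's workaround is aimed at.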
