CVE-2022-25255
Publication date 16 February 2022
Last updated 24 July 2024
Ubuntu priority
In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| qt6-base | 24.04 LTS noble |
Needs evaluation
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| qtbase-opensource-src | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Ignored |
Notes
mdeslaur
introduced by: https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=28666d167aa8e602c0bea25ebc4d51b55005db13 which seems to have been introduced in Qt 5.10, not 5.9 as the CVE description suggests.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.8 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Other references
- https://download.qt.io/official_releases/qt/6.2/qprocess6-2.diff
- https://codereview.qt-project.org/c/qt/qtbase/+/393113
- https://download.qt.io/official_releases/qt/5.15/qprocess5-15.diff
- https://codereview.qt-project.org/c/qt/qtbase/+/396020
- https://codereview.qt-project.org/c/qt/qtbase/+/394914
- https://www.cve.org/CVERecord?id=CVE-2022-25255