Vulnerability Details : CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
Vulnerability category: Denial of service
Products affected by CVE-2023-24607
- cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-24607
0.30% (probability of exploitation activity in the next 30 days)
EPSS Score History
~ 52 % (percentile: the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2023-24607
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
References for CVE-2023-24607
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217 (Permissions Required)
- https://codereview.qt-project.org/c/qt/qtbase/+/456216 : "ODBC SQL driver: deal with different sizes of SQLTCHAR correctly (I0bfcb66e)" · Gerrit Code Review (Issue Tracking)
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238 (Permissions Required)
- https://www.qt.io/blog/tag/security : Qt Blog | Security (Release Notes)
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d : "SQL/ODBC: fix some users of toSQLTCHAR() to not assume identical UTF-…" · qt/qtbase@aaf1381 · GitHub (Patch; Third Party Advisory)
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin : Security advisory: Qt SQL ODBC driver plugin (Product)
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff (Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html : [SECURITY] [DLA 3805-1] qtbase-opensource-src security update