Dependency-Check Report

Dependency	Vulnerability IDs	Highest Severity	CVE Count	Confidence	Evidence Count
JEasyCTEP-3.2.0.jar			0		13
Qt5CoreEik.dll	cpe:2.3:a:qt:qt:5:::::::*	CRITICAL	21	High	4
Qt5NetworkEik.dll	cpe:2.3:a:qt:qt:5:::::::*	CRITICAL	21	High	4
Qt5SerialPortEik.dll	cpe:2.3:a:qt:qt:5:::::::*	CRITICAL	21	High	4
easyctep.dll			0		2
jeasyctep.dll			0		2

File Path: /home/huehner/ob/git/repo-clones/openbravo/product/pmods/hwmanager-atosworldline/lib/JEasyCTEP-3.2.0.jar
MD5: 562ff485d8ba08411d724768d1131a53
SHA1: e6fc1cd820add3ef1237b6238840c46e6cce3635
SHA256:0ab995f8c13f99c77bc13844f2788f2f61c380991214788a55db25fcbbc49799

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	JEasyCTEP	High
Vendor	jar	package name	jctep	Low
Vendor	jar	package name	pegusapps	Low
Vendor	jar	package name	transaction	Low
Vendor	Manifest	build-jdk-spec	11	Low
Product	file	name	JEasyCTEP	High
Product	jar	package name	jctep	Low
Product	jar	package name	transaction	Low
Product	Manifest	build-jdk-spec	11	Low
Version	file	name	JEasyCTEP	Medium
Version	file	version	3.2.0	High
Version	Manifest	build-jdk-spec	11	Low
Version	Manifest	version	3.2.0	Medium

Identifiers

None

File Path: /home/huehner/ob/git/repo-clones/openbravo/product/pmods/hwmanager-atosworldline/lib/win64/Qt5CoreEik.dll
MD5: 62c9e32996008e87a91469b6a867fd1a
SHA1: 4941313105c075ff813b6406ce3d915dc083ea81
SHA256:b0d512fa545801141db3f6a126572b13136d5ea02b88770def79072a5e00f8ef

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	Qt5CoreEik	High
Product	file	name	Qt5CoreEik	High
Version	file	name	Qt5CoreEik	Medium
Version	file	version	5	Medium

Identifiers

cpe:2.3:a:qt:qt:5:*:*:*:*:*:*:* (Confidence:High)

Published Vulnerabilities

CVE-2017-10904

Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: CRITICAL (9.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

vultures@jpcert.or.jp - ISSUE_TRACKING,THIRD_PARTY_ADVISORY,VDB_ENTRY
vultures@jpcert.or.jp - ISSUE_TRACKING,VENDOR_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:android:*:* versions up to (excluding) 5.9.0

CVE-2018-19873

An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: CRITICAL (9.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - ISSUE_TRACKING,PATCH,VENDOR_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.11.3

CVE-2023-51714

An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.

CWE-190 Integer Overflow or Wraparound

CVSSv3:

Base Score: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - PATCH,PRODUCT
cve@mitre.org - PATCH,PRODUCT

Vulnerable Software & Versions: (show all)

CVE-2015-1290

The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:

Base Score: HIGH (9.3)
Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSSv3:

Base Score: HIGH (8.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2018-19870

An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.

CWE-476 NULL Pointer Dereference

CVSSv2:

Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: HIGH (8.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH,VENDOR_ADVISORY
cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.11.3

CVE-2018-21035

In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).

CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - EXPLOIT,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (including) 5.14.1

CVE-2022-25634

Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - BROKEN_LINK
cve@mitre.org - PATCH,VENDOR_ADVISORY
cve@mitre.org - PATCH,VENDOR_ADVISORY
cve@mitre.org - PATCH,VENDOR_ADVISORY
cve@mitre.org - PATCH,VENDOR_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2023-32763

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - MAILING_LIST,PATCH
cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2023-37369

In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.

NVD-CWE-noinfo

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - EXPLOIT
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2023-38197

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.

CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2020-0570

Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.

CWE-426 Untrusted Search Path

CVSSv2:

Base Score: MEDIUM (4.4)
Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: HIGH (7.3)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:1.3/RC:R/MAV:A

References:

secure@intel.com - EXPLOIT,PATCH,VENDOR_ADVISORY
secure@intel.com - ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY
secure@intel.com - MAILING_LIST,VENDOR_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2018-19869

An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.

CWE-20 Improper Input Validation

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

cve@mitre.org - ISSUE_TRACKING,PATCH,VENDOR_ADVISORY
cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.11.3

CVE-2018-19871

An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.

CWE-400 Uncontrolled Resource Consumption

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

cve@mitre.org - ISSUE_TRACKING,PATCH,VENDOR_ADVISORY
cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.11.3

CVE-2023-32573

In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.

CWE-369 Divide By Zero

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2024-39936

An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv3:

Base Score: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

References:

cve@mitre.org - VENDOR_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2023-43114

An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.

NVD-CWE-noinfo

CVSSv3:

Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

References:

cve@mitre.org - PATCH,VENDOR_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2017-10905

A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.

NVD-CWE-noinfo

CVSSv2:

Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:1.8/RC:R/MAV:A

References:

vultures@jpcert.or.jp - ISSUE_TRACKING,THIRD_PARTY_ADVISORY,VDB_ENTRY
vultures@jpcert.or.jp - ISSUE_TRACKING,VENDOR_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:android:*:* versions up to (excluding) 5.9.3

CVE-2020-17507

An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.

CWE-125 Out-of-bounds Read

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - MAILING_LIST,PATCH,VENDOR_ADVISORY
cve@mitre.org - MAILING_LIST,PATCH,VENDOR_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - MAILING_LIST,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2023-32762

An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.

NVD-CWE-noinfo

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - MAILING_LIST,PATCH
cve@mitre.org - PATCH
cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2023-34410

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.

CWE-295 Improper Certificate Validation

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - PATCH
cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2014-0190

The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.

CWE-476 NULL Pointer Dereference

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

References:

secalert@redhat.com - ISSUE_TRACKING,THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY,VDB_ENTRY
secalert@redhat.com - VENDOR_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.3.0

File Path: /home/huehner/ob/git/repo-clones/openbravo/product/pmods/hwmanager-atosworldline/lib/win64/Qt5NetworkEik.dll
MD5: fd612d9d23e1094f5ad7b57deaf6fc27
SHA1: 2273c8f789d733fefb44d70a094fc867f40fa7d6
SHA256:b7f0557fc6858acb26cad81f6932f53ab2da82664ebd87d92b892271fc5706e7

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	Qt5NetworkEik	High
Product	file	name	Qt5NetworkEik	High
Version	file	name	Qt5NetworkEik	Medium
Version	file	version	5	Medium

Identifiers

cpe:2.3:a:qt:qt:5:*:*:*:*:*:*:* (Confidence:High)

Published Vulnerabilities

CVE-2017-10904

Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: CRITICAL (9.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

vultures@jpcert.or.jp - ISSUE_TRACKING,THIRD_PARTY_ADVISORY,VDB_ENTRY
vultures@jpcert.or.jp - ISSUE_TRACKING,VENDOR_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:android:*:* versions up to (excluding) 5.9.0

CVE-2018-19873

An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: CRITICAL (9.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - ISSUE_TRACKING,PATCH,VENDOR_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.11.3

CVE-2023-51714

An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.

CWE-190 Integer Overflow or Wraparound

CVSSv3:

Base Score: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - PATCH,PRODUCT
cve@mitre.org - PATCH,PRODUCT

Vulnerable Software & Versions: (show all)

CVE-2015-1290

The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:

Base Score: HIGH (9.3)
Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSSv3:

Base Score: HIGH (8.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2018-19870

An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.

CWE-476 NULL Pointer Dereference

CVSSv2:

Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: HIGH (8.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH,VENDOR_ADVISORY
cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.11.3

CVE-2018-21035

In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).

CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - EXPLOIT,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (including) 5.14.1

CVE-2022-25634

Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - BROKEN_LINK
cve@mitre.org - PATCH,VENDOR_ADVISORY
cve@mitre.org - PATCH,VENDOR_ADVISORY
cve@mitre.org - PATCH,VENDOR_ADVISORY
cve@mitre.org - PATCH,VENDOR_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2023-32763

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - MAILING_LIST,PATCH
cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2023-37369

In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.

NVD-CWE-noinfo

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - EXPLOIT
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2023-38197

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.

CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2020-0570

Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.

CWE-426 Untrusted Search Path

CVSSv2:

Base Score: MEDIUM (4.4)
Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: HIGH (7.3)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:1.3/RC:R/MAV:A

References:

secure@intel.com - EXPLOIT,PATCH,VENDOR_ADVISORY
secure@intel.com - ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY
secure@intel.com - MAILING_LIST,VENDOR_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2018-19869

An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.

CWE-20 Improper Input Validation

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

cve@mitre.org - ISSUE_TRACKING,PATCH,VENDOR_ADVISORY
cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.11.3

CVE-2018-19871

An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.

CWE-400 Uncontrolled Resource Consumption

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

cve@mitre.org - ISSUE_TRACKING,PATCH,VENDOR_ADVISORY
cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.11.3

CVE-2023-32573

In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.

CWE-369 Divide By Zero

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2024-39936

An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv3:

Base Score: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

References:

cve@mitre.org - VENDOR_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2023-43114

An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.

NVD-CWE-noinfo

CVSSv3:

Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

References:

cve@mitre.org - PATCH,VENDOR_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2017-10905

A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.

NVD-CWE-noinfo

CVSSv2:

Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:1.8/RC:R/MAV:A

References:

vultures@jpcert.or.jp - ISSUE_TRACKING,THIRD_PARTY_ADVISORY,VDB_ENTRY
vultures@jpcert.or.jp - ISSUE_TRACKING,VENDOR_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:android:*:* versions up to (excluding) 5.9.3

CVE-2020-17507

An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.

CWE-125 Out-of-bounds Read

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - MAILING_LIST,PATCH,VENDOR_ADVISORY
cve@mitre.org - MAILING_LIST,PATCH,VENDOR_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - MAILING_LIST,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2023-32762

An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.

NVD-CWE-noinfo

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - MAILING_LIST,PATCH
cve@mitre.org - PATCH
cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2023-34410

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.

CWE-295 Improper Certificate Validation

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - PATCH
cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2014-0190

The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.

CWE-476 NULL Pointer Dereference

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

References:

secalert@redhat.com - ISSUE_TRACKING,THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY,VDB_ENTRY
secalert@redhat.com - VENDOR_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.3.0

File Path: /home/huehner/ob/git/repo-clones/openbravo/product/pmods/hwmanager-atosworldline/lib/win64/Qt5SerialPortEik.dll
MD5: a3f702148a6335f7c07ca9f40d4baa2c
SHA1: 0302258289c75bd9669f906e186a94fecf7f9a61
SHA256:92063fc6d243df2029212c13c4c24d87b0e8f10a696e0e7bdca175b33a0afb8f

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	Qt5SerialPortEik	High
Product	file	name	Qt5SerialPortEik	High
Version	file	name	Qt5SerialPortEik	Medium
Version	file	version	5	Medium

Identifiers

cpe:2.3:a:qt:qt:5:*:*:*:*:*:*:* (Confidence:High)

Published Vulnerabilities

CVE-2017-10904

Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: CRITICAL (9.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

vultures@jpcert.or.jp - ISSUE_TRACKING,THIRD_PARTY_ADVISORY,VDB_ENTRY
vultures@jpcert.or.jp - ISSUE_TRACKING,VENDOR_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:android:*:* versions up to (excluding) 5.9.0

CVE-2018-19873

An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: CRITICAL (9.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - ISSUE_TRACKING,PATCH,VENDOR_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.11.3

CVE-2023-51714

An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.

CWE-190 Integer Overflow or Wraparound

CVSSv3:

Base Score: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - PATCH,PRODUCT
cve@mitre.org - PATCH,PRODUCT

Vulnerable Software & Versions: (show all)

CVE-2015-1290

The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:

Base Score: HIGH (9.3)
Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSSv3:

Base Score: HIGH (8.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2018-19870

An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.

CWE-476 NULL Pointer Dereference

CVSSv2:

Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: HIGH (8.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH,VENDOR_ADVISORY
cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.11.3

CVE-2018-21035

In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).

CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - EXPLOIT,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (including) 5.14.1

CVE-2022-25634

Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - BROKEN_LINK
cve@mitre.org - PATCH,VENDOR_ADVISORY
cve@mitre.org - PATCH,VENDOR_ADVISORY
cve@mitre.org - PATCH,VENDOR_ADVISORY
cve@mitre.org - PATCH,VENDOR_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2023-32763

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - MAILING_LIST,PATCH
cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2023-37369

In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.

NVD-CWE-noinfo

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - EXPLOIT
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2023-38197

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.

CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2020-0570

Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.

CWE-426 Untrusted Search Path

CVSSv2:

Base Score: MEDIUM (4.4)
Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: HIGH (7.3)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:1.3/RC:R/MAV:A

References:

secure@intel.com - EXPLOIT,PATCH,VENDOR_ADVISORY
secure@intel.com - ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY
secure@intel.com - MAILING_LIST,VENDOR_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2018-19869

An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.

CWE-20 Improper Input Validation

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

cve@mitre.org - ISSUE_TRACKING,PATCH,VENDOR_ADVISORY
cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.11.3

CVE-2018-19871

An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.

CWE-400 Uncontrolled Resource Consumption

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

cve@mitre.org - ISSUE_TRACKING,PATCH,VENDOR_ADVISORY
cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.11.3

CVE-2023-32573

In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.

CWE-369 Divide By Zero

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2024-39936

An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv3:

Base Score: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

References:

cve@mitre.org - VENDOR_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2023-43114

An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.

NVD-CWE-noinfo

CVSSv3:

Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

References:

cve@mitre.org - PATCH,VENDOR_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2017-10905

A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.

NVD-CWE-noinfo

CVSSv2:

Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:1.8/RC:R/MAV:A

References:

vultures@jpcert.or.jp - ISSUE_TRACKING,THIRD_PARTY_ADVISORY,VDB_ENTRY
vultures@jpcert.or.jp - ISSUE_TRACKING,VENDOR_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:android:*:* versions up to (excluding) 5.9.3

CVE-2020-17507

An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.

CWE-125 Out-of-bounds Read

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - BROKEN_LINK
cve@mitre.org - MAILING_LIST,PATCH,VENDOR_ADVISORY
cve@mitre.org - MAILING_LIST,PATCH,VENDOR_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY
cve@mitre.org - MAILING_LIST,VENDOR_ADVISORY
cve@mitre.org - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions: (show all)

CVE-2023-32762

An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.

NVD-CWE-noinfo

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - MAILING_LIST,PATCH
cve@mitre.org - PATCH
cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2023-34410

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.

CWE-295 Improper Certificate Validation

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

References:

cve@mitre.org - PATCH
cve@mitre.org - PATCH

Vulnerable Software & Versions: (show all)

CVE-2014-0190

The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.

CWE-476 NULL Pointer Dereference

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

References:

secalert@redhat.com - ISSUE_TRACKING,THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY
secalert@redhat.com - THIRD_PARTY_ADVISORY,VDB_ENTRY
secalert@redhat.com - VENDOR_ADVISORY

Vulnerable Software & Versions:

cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* versions up to (excluding) 5.3.0

File Path: /home/huehner/ob/git/repo-clones/openbravo/product/pmods/hwmanager-atosworldline/lib/win64/easyctep.dll
MD5: 99461b319a324a8f7d08a1f9055cba28
SHA1: 559fe5f2853e20a96c761d70951250e95ff444bd
SHA256:bee41de5829e1f37a35a549fdcb015182897d86525e647129f643a2bb6e2c6be

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	easyctep	High
Product	file	name	easyctep	High

Identifiers

None

File Path: /home/huehner/ob/git/repo-clones/openbravo/product/pmods/hwmanager-atosworldline/lib/win64/jeasyctep.dll
MD5: 96dc4895c99466bb41939a328fdbb23c
SHA1: e88c1a01fb2b932afe889315ab8a24d7f7e381fe
SHA256:ba7bb8d3647c8601c03fb9c812f482972562fa1ec75496ba4daf7cd6498639de

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jeasyctep	High
Product	file	name	jeasyctep	High

Identifiers

None

How to read the report | Suppressing false positives | Getting Help: github issues

Sponsor

Project:

Summary

Dependencies (vulnerable)

JEasyCTEP-3.2.0.jar

Evidence

Identifiers

Qt5CoreEik.dll

Evidence

Identifiers

Published Vulnerabilities

Qt5NetworkEik.dll

Evidence

Identifiers

Published Vulnerabilities

Qt5SerialPortEik.dll

Evidence

Identifiers

Published Vulnerabilities

easyctep.dll

Evidence

Identifiers

jeasyctep.dll

Evidence

Identifiers

How to read the report | Suppressing false positives | Getting Help: github issues Sponsor

Project:

Summary

Dependencies (vulnerable)

JEasyCTEP-3.2.0.jar

Evidence

Identifiers

Qt5CoreEik.dll

Evidence

Identifiers

Published Vulnerabilities

Qt5NetworkEik.dll

Evidence

Identifiers

Published Vulnerabilities

Qt5SerialPortEik.dll

Evidence

Identifiers

Published Vulnerabilities

easyctep.dll

Evidence

Identifiers

jeasyctep.dll

Evidence

Identifiers

How to read the report | Suppressing false positives | Getting Help: github issues

Sponsor