CVE-2018-21035 — Allocation of Resources Without Limits or Throttling in Qtwebsockets-opensource-src
Severity: 7.5 HIGH (NVD)
EPSS: 0.5% (top 35.60%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Feb 28
Latest update: May 24
Description
In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 5 packages
Patches
Vulnerability Details (2)
Vendor Advisories (3)
Microsoft (2020-02-11): In Qt through 5.14.1 the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of servic
Red Hat (2018-09-23): qt5-qtwebsockets: websocket implementation allows only limited size for frames and messages therefore attacker can cause DOS
Debian (2018): CVE-2018-21035: qtwebsockets-opensource-src - In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames ...
Community (3)
Bugzilla (2020-03-06): CVE-2018-21035 qt5-qtwebsockets: websocket implementation allows only limited size for frames and messages therefore attacker can cause DOS
Bugzilla (2020-03-06): CVE-2018-21035 qt5-qtwebsockets: websocket implementation allows only limited size for frames and messages therefore attacker can cause DOS [epel-6]
Bugzilla (2020-03-06): CVE-2018-21035 qt5-qtwebsockets: websocket implementation allows only limited size for frames and messages therefore attacker can cause DOS [fedora-all]