CVE-2023-38197 — Infinite Loop in QT

CWE-835 — Infinite Loop6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 85.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

QT Debian Qt6-base Debian Qtbase-opensource-src +2 more

Timeline

PublishedJul 13

Description

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDqt/qt6.0.0 — 6.2.10+2

▶debiandebian/qt6-base< qt6-base 6.6.2+dfsg-8 (forky)

▶debiandebian/qtbase-opensource-src< qt6-base 6.6.2+dfsg-8 (forky)

▶debiandebian/qtbase-opensource-src-gles< qt6-base 6.6.2+dfsg-8 (forky)

▶msrcmsrc/cbl2_qt5-qtbase_5.12.11-9_on_cbl_mariner_2.0

Patches

Patch: codereview.qt-project.org ↗Patch: codereview.qt-project.org ↗

🔴Vulnerability Details

OSV

CVE-2023-38197: An issue was discovered in Qt before 5↗2023-07-13

▶

GHSA

GHSA-98w5-63h7-29q8: An issue was discovered in Qt before 5↗2023-07-13

▶

📋Vendor Advisories

Red Hat

qtbase: infinite loops in QXmlStreamReader↗2023-07-12

▶

Microsoft

An issue was discovered in Qt before 5.15.15 6.x before 6.2.10 and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.↗2023-07-11

▶

Debian

CVE-2023-38197: qt6-base - An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x throu...↗2023

▶