#VU46199 Out-of-bounds read in qt5-qtbase - CVE-2020-17507


| Updated: 2020-09-01

Vulnerability identifier: #VU46199

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-17507

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
qt5-qtbase
Other software / Other software solutions

Vendor: Qt Group

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to buffer over-read. A remote attacker can perform a denial of service attack.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

qt5-qtbase: 5.15.0

External links
https://codereview.qt-project.org/c/qt/qtbase/+/308436
https://codereview.qt-project.org/c/qt/qtbase/+/308495
https://codereview.qt-project.org/c/qt/qtbase/+/308496
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/426FCC6JNK4JUEX5QHJQDYQ6MUVQ3E6P/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBPZVZNEYXGATTXM4WOE7OQ55VAKPVD6/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for libqt4
Ubuntu update for qtbase-opensource-src
Red Hat Enterprise Linux 8 update for qt5-qtbase
Denial of service in iApps component in F5 BIG-IP products
CentOS 7 update for qt5-qtbase
CentOS 7 update for qt
Red Hat Enterprise Linux 7 update for qt and qt5-qtbase
Red Hat Enterprise Linux 7 update for qt and qt5-qtbase
OpenSUSE Linux update for libqt5-qtbase
OpenSUSE Linux update for libqt5-qtbase