CVE-2018-21035

Published: 28 February 2020

In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).

Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
qtwebsockets-opensource-src
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(5.15.1-2)
Ubuntu 20.04 LTS (Focal Fossa) Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Needs triage

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(end of standard support, was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/qt/qtwebsockets/commit/ed93680f34e92ad0383aa4e610bb65689118ca93

Notes

AuthorNote
mdeslaur
upstream commit just adds new settings allowing users to lower
allowed frame/message size, it doesn't change the default
behaviour

References

Bugs