CVE-2020-24742
Published: 9 August 2021
An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
Notes
| Author | Note |
|---|---|
| mdeslaur | This was fixed in USN-4275-1 as CVE-2020-0569, but that CVE now has an unrelated description. In any case, this issue is fixed. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
qtbase-opensource-src Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.9.5+dfsg-0ubuntu2.5)
|
| focal |
Not vulnerable
(5.12.8+dfsg-0ubuntu1)
|
|
| hirsute |
Not vulnerable
(5.15.2+dfsg-5ubuntu1)
|
|
| impish |
Not vulnerable
(5.15.2+dfsg-9)
|
|
| jammy |
Not vulnerable
(5.15.2+dfsg-9)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
|
|
|
qtbase-opensource-src-gles Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Not vulnerable
(5.12.8+dfsg-0ubuntu1)
|
|
| hirsute |
Not vulnerable
(5.15.2+dfsg-3ubuntu1)
|
|
| impish |
Not vulnerable
(5.15.2+dfsg-4)
|
|
| jammy |
Not vulnerable
(5.15.2+dfsg-4)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |