CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
EPSS: 0.013 Low
Percentile: 85.7%

Richard J. Moore reports:
QXmlSimpleReader in Qt versions prior to 5.2 supports
expansion of internal entities in XML documents without
placing restrictions to ensure the document does not cause
excessive memory usage. If an application using this API
processes untrusted data then the application may use
unexpected amounts of memory if a malicious document is
processed.
It is possible to construct XML documents using internal
entities that consume large amounts of memory and other
resources to process; this is known as the ‘Billion Laughs’
attack. Qt versions prior to 5.2 did not offer protection
against this issue.
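
An application that must hand untrusted XML to an affected reader can bound the damage by rejecting documents whose internal entities would expand past a fixed budget before parsing starts. The sketch below is an added example, not code from Qt or from the advisory; every function name, the sample document and the budget values are assumptions made for illustration. It computes each entity's expanded size from the declarations alone, so the check itself never performs the expansion.

```cpp
// Added example: pre-parse budget check for internal entity expansion (hypothetical helpers, not Qt API).
#include <cstdint>
#include <iostream>
#include <map>
#include <regex>
#include <set>
#include <string>

using EntityMap = std::map<std::string, std::string>;
using SizeMemo = std::map<std::string, std::uint64_t>;

// Collect internal general entities (<!ENTITY name "value">); parameter entities (%) are skipped.
EntityMap parseEntities(const std::string& xml) {
    static const std::regex decl(R"rx(<!ENTITY\s+([^\s%"'>]+)\s+(?:"([^"]*)"|'([^']*)')\s*>)rx");
    EntityMap out;
    for (std::sregex_iterator it(xml.begin(), xml.end(), decl), end; it != end; ++it)
        out.emplace((*it)[1].str(), (*it)[2].matched ? (*it)[2].str() : (*it)[3].str());
    return out;  // emplace keeps the first declaration of a name, as XML requires
}

// Expanded size of one entity, computed without expanding it; cap + 1 means over budget or cyclic.
std::uint64_t expandedSize(const std::string& name, const EntityMap& ents, std::uint64_t cap,
                           SizeMemo& memo, std::set<std::string>& active) {
    auto known = memo.find(name);
    if (known != memo.end()) return known->second;
    auto def = ents.find(name);
    if (def == ents.end()) return 0;                  // undeclared or predefined (&lt; etc.)
    if (!active.insert(name).second) return cap + 1;  // reference cycle: treat as over budget
    static const std::regex ref(R"(&([^\s&;#]+);)");
    const std::string& v = def->second;
    std::uint64_t total = v.size();                   // literal bytes, adjusted per reference below
    for (std::sregex_iterator it(v.begin(), v.end(), ref), end; it != end && total <= cap; ++it)
        total = total - static_cast<std::uint64_t>(it->length())
                + expandedSize((*it)[1].str(), ents, cap, memo, active);
    active.erase(name);
    return memo[name] = (total > cap ? cap + 1 : total);
}

// True when no declared entity expands past cap bytes; run on untrusted input before parsing.
bool entityExpansionWithinBudget(const std::string& xml, std::uint64_t cap) {
    const EntityMap ents = parseEntities(xml);
    SizeMemo memo; std::set<std::string> active;
    for (const auto& e : ents)
        if (expandedSize(e.first, ents, cap, memo, active) > cap) return false;
    return true;
}

// Constructed sample: &c; is 4 x &b;, &b; is 4 x &a;, &a; is 3 bytes, so &c; expands to 48 bytes.
const std::string kNested = "<!DOCTYPE d [<!ENTITY a \"lol\"><!ENTITY b \"&a;&a;&a;&a;\">"
                            "<!ENTITY c \"&b;&b;&b;&b;\">]><d>&c;</d>";
int main() { std::cout << entityExpansionWithinBudget(kNested, 48) << entityExpansionWithinBudget(kNested, 47) << "\n"; }
```

Because sizes are memoized and saturate at the budget, the check runs in time proportional to the size of the declarations regardless of nesting depth. It does not cover external or parameter entities, which need separate handling.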